Updated May 7: Bkav has completed re-checking the issue with the cloud IaaS services of Amazon, HP and GoGrid. We find that Amazon has fully patched its images, while the other two have left the issue unresolved.
Not long ago, Bkav received a request from a customer using our security product. He reported signs of malware on his server, which was then identified as an Amazon cloud server running a Windows Server OS. Launching an investigation, we found that the server had been infected by spyware and that information had been stolen. The result also points to a critical vulnerability in the service of the world's third-ranked cloud provider, but what is worth mentioning here is that many other providers have the same vulnerability, in this form or in others.
In the first phase of the investigation, we found that data stored on the customer's cloud server had been stolen. The question was by what means the hackers had broken into the server, when its administrators had not installed any suspicious software or used the server for any activity that carried a malware hazard. The answer lies in a critical vulnerability: Windows Server 2003 on Amazon's cloud server had its latest update in October 2009, and Auto Update was turned off. Five years are more than enough for hundreds or even thousands of flaws to be exposed and exploited, and given the level of Internet connectivity nowadays, the possibility of being penetrated is indisputable. We executed a test with the dangerous proof-of-concept code for MS12-020, which is widely publicized on the Internet, and easily brought the customer's server down.
Cloud server provided by Amazon with the latest update in October 2009
The server was easily brought down
Is the same situation happening to other customers of Amazon? For further investigation, we rented a couple of Amazon servers located in different places around the world. The same problem was revealed: Auto Update turned off and badly out-of-date patches, with some servers in America, Japan and England last updated in March 2012. In previous investigations, we always wondered how hackers were able to mobilize such a large number of servers for DDoS attacks, establishing phishing websites or spreading malware. The answer now seems clear, because one third of Internet users access an Amazon AWS cloud site on average at least once a day (Deepfield report).
A cloud server must be connected to the Internet before the user has his very first access to it. If there is any vulnerability on the server, this is extremely dangerous, because hackers are able to penetrate the system before the user can do anything to his server, including installing the latest security patches. This is what really happened to the customer mentioned above. Our investigation shows that his cloud server had its latest update in 2009 and had been intruded upon before our customer's first access. This is easy to understand. We all know that hackers are continuously scanning the Internet to find vulnerabilities in servers. If, just to suppose, I were a hacker and I knew of such a hole in Amazon's cloud service, I would definitely perform continuous scans of the IP ranges of this provider's cloud system. Then, as soon as the servers were turned on, I would do the intrusion.
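The two findings above (a years-old last update and Auto Update switched off) can be checked on an instance at first boot, before it is left exposed. The following is an added example written for this article, not Bkav's code or any provider's tooling; it assumes PowerShell 2.0 or later with the Windows Update Agent present, and the 90-day threshold is an assumed policy value.

```powershell
# Added example (not from the original article): audit a Windows instance's
# patch age and Automatic Updates state so a provisioning step can refuse to
# expose an image like the one described (last update 2009, Auto Update off).
param([int]$MaxPatchAgeDays = 90)   # assumed policy threshold

function Get-PatchAudit {
    param([int]$MaxAgeDays)

    # Most recently installed hotfix, by InstalledOn date (entries without a date are skipped).
    $lastHotfix = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    # Windows Update Agent COM API. NotificationLevel: 1 = disabled,
    # 2 = notify before download, 3 = notify before install, 4 = scheduled install.
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    $level = $au.Settings.NotificationLevel

    # Group Policy can override the local setting; NoAutoUpdate = 1 turns it off.
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
        -ErrorAction SilentlyContinue
    $policyDisabled = ($pol -ne $null) -and ($pol.NoAutoUpdate -eq 1)

    $ageDays = $null
    if ($lastHotfix) {
        $ageDays = (New-TimeSpan -Start $lastHotfix.InstalledOn -End (Get-Date)).Days
    }

    New-Object PSObject -Property @{
        LastHotfix        = if ($lastHotfix) { $lastHotfix.HotFixID } else { 'none' }
        LastHotfixDate    = if ($lastHotfix) { $lastHotfix.InstalledOn } else { $null }
        PatchAgeDays      = $ageDays
        AutoUpdateLevel   = $level
        AutoUpdateEnabled = (-not $policyDisabled) -and ($level -ge 2)
        Stale             = ($null -eq $ageDays) -or ($ageDays -gt $MaxAgeDays)
    }
}

$audit = Get-PatchAudit -MaxAgeDays $MaxPatchAgeDays
$audit | Format-List

# Non-zero exit lets a first-boot or user-data script stop the instance from
# being put into service until it has been patched and Auto Update enabled.
if ($audit.Stale -or -not $audit.AutoUpdateEnabled) {
    Write-Warning "Patch level is stale or Automatic Updates is off; patch before exposing this server."
    exit 1
}
exit 0
```

Run it as the first step of an instance's provisioning, or against a freshly launched image before the instance is assigned a public address.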
Due to the seriousness of the vulnerability, we have furthered our investigation to get a broader view and to give timely warning to users. This insecure situation is happening to Amazon, a prestigious cloud service provider. So what about the others? We decided to test the services of some world-leading providers: Microsoft, HP and GoGrid. In the case of HP Public Cloud, the patches are 8 months out of date (July 2013). GoGrid, another big provider, has a similar problem: Auto Update is not activated and the latest updates date from April 2012. Microsoft is the sole exception, as this provider turns on Auto Update and has the latest update of the month. It seems that the giant provider is well aware of the vulnerabilities in its own operating system.
Amazon, HP and GoGrid are among the biggest cloud IaaS providers in the world, with a big number of users and, sadly, a big vulnerability in their services. Problems in updating security patches for their cloud servers might have contributed to the leaks of credit card information and trade secrets that have occurred frequently in recent years. It is time for the attitude towards the security of cloud servers to change. Cloud computing differs from the conventional world in this respect: a server is connected to the Internet right after it is "born", rather than being fully patched before saying hello to the world. Updating the operating system is just a single issue which can be solved with a patch, but the flaw in awareness can lead to a bunch of much more serious issues. We are carrying out further investigation and will provide further information on the incident, if any.
Below is a demonstration of the attack on an Amazon cloud server:
Ngo Tuan Anh
Vice President of Internet Security