Jens Frieß, National Research Center for Applied Cybersecurity ATHENE and Technische Universität Darmstadt; Tobias Gattermayer, National Research Center for Applied Cybersecurity ATHENE and Fraunhofer Institute for Secure Information Technology SIT; Nethanel Gelernter, IONIX; Haya Schulmann, Goethe-Universität Frankfurt and National Research Center for Applied Cybersecurity ATHENE; Michael Waidner, National Research Center for Applied Cybersecurity ATHENE and Technische Universität Darmstadt and Fraunhofer Institute for Secure Information Technology SIT
Recent works showed that it is feasible to hijack resources on cloud platforms. In such hijacks, attackers can take over released resources that belong to legitimate organizations. It was proposed that adversaries could abuse these resources to carry out attacks against customers of the hijacked services, e.g., through malware distribution. However, to date, no research has confirmed the existence of these attacks.
We identify, for the first time, real-life hijacks of cloud resources. This yields a number of surprising and important insights. First, contrary to previous assumption that attackers primarily target IP addresses, our findings reveal that the type of resource is not the main consideration in a hijack. Attackers focus on hijacking records that allow them to determine the resource by entering freetext. The costs and overhead of hijacking such records are much lower than those of hijacking IP addresses, which are randomly selected from a large pool.
Second, identifying hijacks poses a substantial challenge. Monitoring resource changes, e.g., changes in content, is insufficient, since such changes could also be legitimate. Retrospective analysis of digital assets to identify hijacks is also arduous due to the immense volume of data involved and the absence of indicators to search for. To address this challenge, we develop a novel approach that involves analyzing data from diverse sources to effectively differentiate between malicious and legitimate modifications. Our analysis has revealed 20,904 instances of hijacked resources on popular cloud platforms. While some hijacks are short-lived (up to 15 days), 1/3 persist for more than 65 days.
We study how attackers abuse the hijacked resources and find that, in contrast to the threats considered in previous work, the majority of the abuse (75%) is blackhat search engine optimization. We also find fraudulent certificates and stolen cookies. We cluster the abuse resources and abuse content to identify about 1,800 individual attacking infrastructures.
NSDI '24 Open Access Sponsored by
King Abdullah University of Science and Technology (KAUST)
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
author = {Jens Frie{\ss} and Tobias Gattermayer and Nethanel Gelernter and Haya Schulmann and Michael Waidner},
title = {Cloudy with a Chance of Cyberattacks: Dangling Resources Abuse on Cloud Platforms},
booktitle = {21st USENIX Symposium on Networked Systems Design and Implementation (NSDI 24)},
year = {2024},
isbn = {978-1-939133-39-7},
address = {Santa Clara, CA},
pages = {1977--1994},
url = {https://www.usenix.org/conference/nsdi24/presentation/friess},
publisher = {USENIX Association},
month = apr
}
