
Cloudy with a Chance of Cyberattacks: Dangling Resources Abuse on Cloud Platforms (2403.19368v1)

Published 28 Mar 2024 in cs.NI and cs.CR

Abstract: Recent works showed that it is feasible to hijack resources on cloud platforms. In such hijacks, attackers can take over released resources that belong to legitimate organizations. It was proposed that adversaries could abuse these resources to carry out attacks against customers of the hijacked services, e.g., through malware distribution. However, to date, no research has confirmed the existence of these attacks. We identify, for the first time, real-life hijacks of cloud resources. This yields a number of surprising and important insights. First, contrary to previous assumption that attackers primarily target IP addresses, our findings reveal that the type of resource is not the main consideration in a hijack. Attackers focus on hijacking records that allow them to determine the resource by entering freetext. The costs and overhead of hijacking such records are much lower than those of hijacking IP addresses, which are randomly selected from a large pool. Second, identifying hijacks poses a substantial challenge. Monitoring resource changes, e.g., changes in content, is insufficient, since such changes could also be legitimate. Retrospective analysis of digital assets to identify hijacks is also arduous due to the immense volume of data involved and the absence of indicators to search for. To address this challenge, we develop a novel approach that involves analyzing data from diverse sources to effectively differentiate between malicious and legitimate modifications. Our analysis has revealed 20,904 instances of hijacked resources on popular cloud platforms. While some hijacks are short-lived (up to 15 days), 1/3 persist for more than 65 days. We study how attackers abuse the hijacked resources and find that, in contrast to the threats considered in previous work, the majority of the abuse (75%) is blackhat search engine optimization.


Summary

  • The paper identifies 20,904 hijacked instances using DNS and content analysis, uncovering significant blackhat SEO abuses.
  • It employs a longitudinal data approach to distinguish malicious modifications from legitimate cloud resource configuration changes.
  • The study recommends improved resource naming policies and increased monitoring to mitigate financially motivated hijacking attacks.

Cloud Resource Hijacking and Its Implications

The paper "Cloudy with a Chance of Cyberattacks: Dangling Resources Abuse on Cloud Platforms" explores the phenomenon of hijacking released digital resources on cloud platforms, known as "dangling resources," and its implications for cybersecurity. This research unveils, for the first time, real-world cloud resource hijacks, offering insights into the methodologies and motivations behind these attacks.

Identification and Analysis of Hijacked Cloud Resources

The paper shows that attackers prioritize hijacking cloud resources whose names are chosen by the customer as freetext, and which can therefore be re-registered by anyone once released, over randomly allocated IP addresses, which an attacker can only obtain by repeatedly allocating from a large pool. The preference is financially driven: freetext-named records are far cheaper to hijack. Detecting such hijacks is hard because the victim's DNS record typically does not change; only the party controlling the endpoint it points to does, and a change in served content may equally be a legitimate redeployment.

Figure 1: Monitored vs. hijacked cloud-hosted domains over time.

The researchers developed an approach to analyze diverse data sources to separate malicious modifications from legitimate ones effectively. They successfully identified 20,904 instances of hijacked cloud resources, most of which were abused for blackhat search engine optimization rather than direct malware distribution.

Methodologies for Detection and Abuse Analysis

The paper's methodology rests on longitudinal data collection: DNS records and website content for monitored domains are captured repeatedly over time, and changes across snapshots are analyzed. CNAME records pointing at cloud endpoints are the key indicator of a hijackable resource. Content changes alone are not conclusive, so the paper combines them with keyword analysis of the newly served content to identify abuse patterns.

Figure 2: % of detected hijacks with extracted signatures by type.
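The detection idea described above, as an added example rather than the authors' own pipeline: given longitudinal snapshots of a subdomain's CNAME, whether the target resolves, and the page content, flag the sequence "serving, then dangling, then serving again under the same CNAME with different content", and label what the endpoint now serves with a keyword classifier. The cloud-suffix list, the keyword lists and the snapshots are assumptions and constructed sample data, not data from the paper.

```python
"""Hijack detection over longitudinal DNS and content snapshots (added example).

A monitored subdomain is flagged when (1) its CNAME points at a cloud
endpoint whose left-most label is a customer-chosen (freetext) name,
(2) the target was observed not resolving (dangling) in an earlier
snapshot, and (3) a later snapshot shows the same, unchanged CNAME
resolving again with content that differs from the pre-dangling baseline.
A content change without a dangling interval is treated as a legitimate
redeploy. Suffixes, keyword lists and snapshots are assumptions.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Cloud services whose hostnames embed a customer-chosen resource name.
# Assumed illustrative list; extend it from your own provider inventory.
USER_NAMEABLE_SUFFIXES = (
    ".azurewebsites.net", ".cloudapp.azure.com", ".trafficmanager.net",
    ".s3.amazonaws.com", ".herokuapp.com", ".github.io",
)


@dataclass(frozen=True)
class Snapshot:
    day: int                  # observation day, relative to start of monitoring
    name: str                 # monitored subdomain
    cname: Optional[str]      # CNAME target, None if the record has no CNAME
    target_resolves: bool     # did the CNAME target get an A/AAAA answer?
    content: Optional[str]    # fetched body, None if the fetch failed


def is_user_nameable(target: str) -> bool:
    t = target.lower().rstrip(".")
    return any(t.endswith(s) for s in USER_NAMEABLE_SUFFIXES)


def content_hash(body: Optional[str]) -> Optional[str]:
    return hashlib.sha256(body.encode()).hexdigest()[:16] if body else None


def classify_abuse(body: str) -> str:
    """Crude keyword classifier for what the reclaimed endpoint now serves
    (assumed keyword lists, not the paper's signatures)."""
    b = body.lower()
    if re.search(r"\b(casino|slots?|betting|viagra|payday loan|replica)\b", b):
        return "blackhat-seo"
    if re.search(r"\.(exe|msi|apk)\b", b) and "download" in b:
        return "malware"
    return "unknown"


def detect_hijacks(snaps: List[Snapshot]) -> Dict[str, dict]:
    """Map each flagged subdomain to its dangling day, reclaim day and abuse class."""
    by_name: Dict[str, List[Snapshot]] = {}
    for s in sorted(snaps, key=lambda s: (s.name, s.day)):
        by_name.setdefault(s.name, []).append(s)

    found: Dict[str, dict] = {}
    for name, series in by_name.items():
        baseline: Optional[str] = None     # content hash while legitimately serving
        dangling_day: Optional[int] = None
        last_cname: Optional[str] = None
        for s in series:
            if not s.cname or not is_user_nameable(s.cname):
                baseline, dangling_day, last_cname = None, None, None
                continue                    # not a re-registrable cloud target
            if s.cname != last_cname:       # record itself changed: new baseline
                baseline, dangling_day, last_cname = None, None, s.cname
            if not s.target_resolves:
                dangling_day = dangling_day if dangling_day is not None else s.day
                continue
            h = content_hash(s.content)
            if dangling_day is None or h == baseline:
                baseline, dangling_day = h, None   # normal update or owner redeploy
                continue
            abuse = classify_abuse(s.content or "")
            if baseline is None and abuse == "unknown":
                baseline, dangling_day = h, None   # no pre-dangling baseline, nothing suspicious
                continue
            found[name] = {"dangled": dangling_day, "reclaimed": s.day, "abuse": abuse}
            break
    return found


SAMPLE = [  # constructed snapshots, not data from the paper
    Snapshot(1,  "shop.example.org", "shop-prod.azurewebsites.net", True,  "<h1>Example Shop</h1> spring sale"),
    Snapshot(10, "shop.example.org", "shop-prod.azurewebsites.net", False, None),
    Snapshot(30, "shop.example.org", "shop-prod.azurewebsites.net", True,  "<h1>Best online casino</h1> free slot spins"),
    Snapshot(1,  "blog.example.org", "blog-prod.azurewebsites.net", True,  "<h1>Blog</h1> welcome"),
    Snapshot(10, "blog.example.org", "blog-prod.azurewebsites.net", True,  "<h1>Blog</h1> new post"),
    Snapshot(1,  "api.example.org",  "api-prod.azurewebsites.net",  True,  "ok"),
    Snapshot(10, "api.example.org",  "api-prod.azurewebsites.net",  False, None),
    Snapshot(15, "api.example.org",  "api-prod.azurewebsites.net",  True,  "ok"),
]

if __name__ == "__main__":
    for name, info in detect_hijacks(SAMPLE).items():
        print(name, info)
```

On the sample, only shop.example.org is flagged: its CNAME never changed, the target went dangling on day 10 and was serving gambling content on day 30. blog.example.org changed content without ever dangling (a normal update), and api.example.org came back after dangling with the original content (an owner redeploy), so neither is reported.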

Types of Attacks and Implications

The most significant finding is the prevalence of blackhat SEO, which accounts for 75% of all detected abuse. Attackers exploit hijacked subdomains of reputable domains to boost the search-engine ranking of their own content. The paper also identifies certificates obtained for hijacked domains and stolen cookies among attackers' capabilities, and finds a notable absence of direct malware hosting, contradicting earlier assumptions about how dangling resources would be abused.

Attacker Motivation and Resource Characteristics

The research underscores that attackers are financially motivated and favor cloud resources with user-nameable identifiers: by re-registering a released name, an attacker gains control of a subdomain of a highly ranked domain with minimal effort, compared with the repeated allocation required to land on a specific released IP address.

Figure 3: Rank of SLDs and associated hijacked subdomain counts.

The paper finds that attackers use these hijacked resources mainly for SEO and traffic redirection to generate revenue through advertising, leveraging the reputation of hijacked domains. The analysis also illustrates the infrastructure used by attackers, revealing clusters of coordinated hijack campaigns often involving thousands of domains.

Mitigation and Future Implications

The authors recommend that cloud platforms mitigate the risk by disallowing re-registration of released resource names and by improving monitoring of resource changes. They also propose that domain owners monitor Certificate Transparency logs, since a certificate issued for a name the owner did not request is an early indicator of a hijack and can be turned into an alert to the domain owner.
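Two defender-side checks matching these recommendations, as an added example that is illustrative code and not the authors' tooling: a Certificate Transparency watch that cross-references CT entries for an organisation's zones against its DNS inventory and its currently dangling records, and a provider-side quarantine that refuses to hand a released resource name to a different tenant until a hold period expires. The zone names, the CT entries, the trusted-issuer list and the 90-day hold period are assumptions and constructed sample data.

```python
"""Added example: CT-log cross-referencing for domain owners and a
release quarantine for cloud providers. Illustrative, not the paper's code.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class CTEntry:
    names: Tuple[str, ...]   # SANs / CN seen in the (pre)certificate
    issuer: str              # issuing CA, as shown in the log entry
    day: int                 # issuance day (relative, constructed)


def normalise(name: str) -> str:
    # Drop a wildcard label and trailing dot so "*.example.org." -> "example.org".
    return name.lower().lstrip("*.").rstrip(".")


def in_zone(name: str, zones: Iterable[str]) -> bool:
    n = normalise(name)
    return any(n == z or n.endswith("." + z) for z in zones)


def ct_alerts(entries: List[CTEntry], zones: Set[str], inventory: Set[str],
              dangling: Set[str], trusted_issuers: Set[str]) -> List[Tuple[str, int, str]]:
    """inventory: names the org's DNS zones actually define;
    dangling: the subset whose CNAME target currently does not resolve."""
    alerts: List[Tuple[str, int, str]] = []
    for e in entries:
        for raw in e.names:
            if not in_zone(raw, zones):
                continue                      # someone else's domain, ignore
            n = normalise(raw)
            if n not in inventory:
                alerts.append((n, e.day, "cert for name not in DNS inventory"))
            elif n in dangling:
                alerts.append((n, e.day, "cert for name whose CNAME target is dangling"))
            if e.issuer not in trusted_issuers:
                alerts.append((n, e.day, "unexpected issuer " + e.issuer))
    return alerts


class ReleaseRegistry:
    """Provider-side hold on released resource names (hold period assumed)."""

    def __init__(self, hold_days: int = 90):
        self.hold_days = hold_days
        self.released: Dict[str, Tuple[str, int]] = {}   # name -> (tenant, release_day)

    def release(self, name: str, tenant: str, day: int) -> None:
        self.released[name] = (tenant, day)

    def can_register(self, name: str, tenant: str, day: int) -> bool:
        prev: Optional[Tuple[str, int]] = self.released.get(name)
        if prev is None:
            return True                        # never released, nothing to protect
        prev_tenant, released_day = prev
        if tenant == prev_tenant:
            return True                        # original owner may always reclaim
        return day - released_day >= self.hold_days


# Constructed sample data for an assumed organisation owning example.org.
ZONES = {"example.org"}
INVENTORY = {"www.example.org", "shop.example.org", "blog.example.org"}
DANGLING = {"shop.example.org"}
TRUSTED_ISSUERS = {"Example CA"}
CT_SAMPLE = [
    CTEntry(("www.example.org",), "Example CA", 5),        # expected, own CA
    CTEntry(("shop.example.org",), "Free CA", 12),         # dangling name, other CA
    CTEntry(("old-promo.example.org",), "Free CA", 13),    # name not in our zone file
    CTEntry(("other.test",), "Free CA", 14),               # not our zone at all
]

if __name__ == "__main__":
    for alert in ct_alerts(CT_SAMPLE, ZONES, INVENTORY, DANGLING, TRUSTED_ISSUERS):
        print(alert)
    reg = ReleaseRegistry()
    reg.release("shop-prod", "tenant-a", 10)
    print(reg.can_register("shop-prod", "tenant-b", 20))   # False: inside hold period
```

The CT check produces four alerts on the sample: two for shop.example.org (its CNAME target is dangling and the issuer is not the organisation's CA) and two for old-promo.example.org (the name is absent from the zone inventory, and again an unexpected issuer). The www entry is silent and the other.test entry is skipped. The registry lets tenant-a reclaim its own released name at any time but blocks tenant-b until the hold expires.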

In conclusion, the paper sheds light on an important dimension of cloud security, documenting real-world abuse of dangling resources and offering a framework for mitigation and further research. It is a call to action for both cloud service providers and domain owners to tighten the management of released resources.
