Cloudy with a Chance of Cyberattacks: Dangling Resources Abuse on Cloud Platforms
Jens Frieß, Tobias Gattermayer, Nethanel Gelernter, Haya Schulmann, Michael Waidner
TL;DR
This work provides the first large-scale empirical study of real-life abuse of dangling cloud resources tied to dangling DNS records. It develops a longitudinal, multi-source methodology to detect abuses and applies it to a three-year dataset covering 12 cloud platforms, identifying 20,904 hijacks across 219 TLDs. The findings show attackers prioritize cheap, text-identifiable resources and that blackhat SEO accounts for about 75% of abuse, with limited malware distribution and notable exploitation of certificate issuance via free CAs. The study offers concrete mitigations for cloud providers, including restricting public visibility of resource names, purging stale DNS entries, and leveraging Certificate Transparency, while highlighting the broader applicability of the approach to other third-party services.
Abstract
Recent works showed that it is feasible to hijack resources on cloud platforms. In such hijacks, attackers can take over released resources that belong to legitimate organizations. It was proposed that adversaries could abuse these resources to carry out attacks against customers of the hijacked services, e.g., through malware distribution. However, to date, no research has confirmed the existence of these attacks. We identify, for the first time, real-life hijacks of cloud resources. This yields a number of surprising and important insights. First, contrary to previous assumption that attackers primarily target IP addresses, our findings reveal that the type of resource is not the main consideration in a hijack. Attackers focus on hijacking records that allow them to determine the resource by entering freetext. The costs and overhead of hijacking such records are much lower than those of hijacking IP addresses, which are randomly selected from a large pool. Second, identifying hijacks poses a substantial challenge. Monitoring resource changes, e.g., changes in content, is insufficient, since such changes could also be legitimate. Retrospective analysis of digital assets to identify hijacks is also arduous due to the immense volume of data involved and the absence of indicators to search for. To address this challenge, we develop a novel approach that involves analyzing data from diverse sources to effectively differentiate between malicious and legitimate modifications. Our analysis has revealed 20,904 instances of hijacked resources on popular cloud platforms. While some hijacks are short-lived (up to 15 days), 1/3 persist for more than 65 days. We study how attackers abuse the hijacked resources and find that, in contrast to the threats considered in previous work, the majority of the abuse (75%) is blackhat search engine optimization.