Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:30 AM
Connect Directly

Researchers Create Legal Botnet Abusing Free Cloud Service Offers

Hack depends on scripts creating scores of unique email addresses and automating execution of email verification

Last week at the RSA Conference, a pair of researchers demonstrated how it was possible to legally create a botnet for free by abusing trial accounts made available by high-powered platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS) offerings.

RSA Conference 2014
Click here for more articles about the RSA Conference.

"We were curious if we could build a botnet out of freely available cloud services," said Rob Ragan, senior security associate for Bishop Fox, who has been experimenting on that premise for the past several years with his colleague Oscar Salazar, security associate at Bishop Fox. "We started getting all these emails and alerts of, 'Here's a free Amazon EC2 box, there's free storage space, here's a free platform to develop and host your code.' We thought, 'Wow! That is a lot of computing power for free.'"

The question they asked themselves was how hard would it be to automate the process of signing up for an unlimited number of free accounts from these sites and then developing a central control system from which an attacker could potentially launch malicious activities. The answer: not hard at all.

"We were really easily able to get hundreds of boxes on certain providers and have a central way to launch things like massive port scans," Ragan says. "We also did a proof-of-concept on cryptocurrency or Bitcoin mining. If you're getting this free computing power and don't have the power bill from it, why not use that to generate mining? That would be a huge motivation for malicious threat actors using these platforms." The project was made possible through the development of a process to automate the creation of unique email accounts on free email services, and then special scripting to automate the process of clicking on email verification links sent to those accounts.

The researchers initially refined that process during a penetration test of a sweepstakes website in which they showed an attacker could game the drawing and up the chances of winning through exactly such a method.

The process of developing the botnet came with the usual kinks. For example, the researchers told an amusing story about scrambling in the middle of the night to code a "stop" mechanism to their automated system once they turned it on and saw it worked.

"We had basically just coded the start button, and then we thought, 'Uh, oh! How do we stop it?'" Salazar said. "We had to quickly figure out how to stop our botnet from getting away from us."

Much of the abuse the pair tested was made possible due to poor verification of users during the trial account creation process. Even when some services tried to limit accounts by limiting Internet access, the researchers were easily able to employ quick workarounds. Of the 150 different PaaS and IaaS sites the duo tested, two-thirds were not doing any CAPTCHAs, SMS verification, or credit card verification beyond simple email account verification.

According to Ragan, while these extra steps can also be worked around, cloud services still need to embrace them in order to make it more expensive for potential attackers to do exactly what they did. Not only is it a huge vulnerability for these service providers, but it is opening them up to huge bills from Amazon because, in many instances, these services are launching free Amazon EC2 boxes on behalf of trial accounts. That is computing power they service providers will have to pay for in these abuse cases.

This is likely how attackers will try to work the system given that Amazon has implemented strict authentication controls to prevent exactly such kinds of abuse. "You could just register accounts. It didn't require SMS, it didn't require credit cards -- you just needed a valid email address, and then you'd have access to free Amazon EC2 boxes," Salazar said. "Over the last couple of years, Amazon has really increased its security, and now it requires a credit card and SMS and email verification. So Amazon is putting a bunch of protection around its services, and now these other companies starting up are basically leasing EC2 boxes, but they're not putting the same protections in place. So you're basically getting free Amazon boxes through them on their dime."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Virginia a Hot Spot For Cybersecurity Jobs
Jai Vijayan, Contributing Writer,  10/9/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-15
An issue was discovered in 74CMS v5.2.8. There is a SQL Injection generated by the _list method in the Common/Controller/BackendController.class.php file via the index.php?m=Admin&c=Ad&a=category sort parameter.
PUBLISHED: 2019-10-15
qibosoft 7 allows remote code execution because do/jf.php makes eval calls. The attacker can use the Point Introduction Management feature to supply PHP code to be evaluated. Alternatively, the attacker can access admin/index.php?lfj=jfadmin&action=addjf via CSRF, as demonstrated by a payload in...
PUBLISHED: 2019-10-15
In the Rapid Gator application 0.7.1 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.
PUBLISHED: 2019-10-15
An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authenticated.
PUBLISHED: 2019-10-15
In the Seesaw Parent and Family application 6.2.5 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.