Hackers Sneak Back into AWS for DDoS Launch Hub

Last Friday, Kaspersky Lab researcher Kurt Baumgartner reported that Amazon’s Elastic Compute Cloud (EC2) division was suffering from a highly sophisticated attack by a group of unknown hackers, who had found a way to reverse engineer proof-of-concept code and create an easily accessible backdoor for themselves into Amazon’s massive pool of available processing power.


By exploiting the vulnerability catalogued as CVE-2014-3120 in the Common Vulnerabilities and Exposures database, the culprits were able to run a powerful set of Linux commands that could easily tear through security measures and give them administrative privileges over a frightening number of CPUs inside the company’s infrastructure.

“From a couple of incidents on Amazon EC2 customers whose instances were compromised by these attackers, we were able to capture very early stages of the attacks,” Baumgartner wrote. “The attackers re-purpose known CVE-2014-3120 proof-of-concept exploit code to deliver a perl webshell that Kaspersky products detect as Backdoor.Perl.RShell.c. Linux admins can scan for these malicious components with our server product.”

Of course, AWS itself is no stranger to the DDoS game: much of its computing power has been “borrowed” in the past by hacker rings who ran the numbers on their operations and found it significantly cheaper to sign up for a legitimately frightening chunk of servers with the online retailer than to zombify hundreds or thousands of independent machines on their own.

Amazon has been battling this problem for years, and until recently had no viable way to verify the identity of those who subscribed to its cloud service and occupied space on its servers, beyond an email address and perhaps a phone number if they were purchasing an especially large number of racks without any references.

Hackers prefer outsourcing to companies like Amazon because of their gargantuan size and relative inability to vet those who want to use the cloud provider for malicious purposes. Their organizations can slip in unnoticed, set up shop, and run DDoS attacks for upwards of two weeks before Amazon catches on, by which time the ring has already made its money back in spades and ditched all the account information used to launch the campaign in the first place.

Amazon has assured users of the EC2 service that any data compromised or lost during the attack will be recovered through a series of safeguards designed to protect against exactly this type of incident, and that any websites hit by a DDoS launched from its infrastructure would be compensated for whatever was lost in the time their sites spent crushed under the might of the AWS infrastructure.

“The flow is also strong enough that Amazon is now notifying their customers, probably because of potential for unexpected accumulation of excessive resource charges for their customers,” Baumgartner wrote. “The situation is probably similar at other cloud providers. The list of the DDoS victims includes a large regional US bank and a large electronics maker and service provider in Japan, indicating the perpetrators are likely your standard financially driven cybercrime ilk.”