Data Security

Be careful: your dedicated server in the cloud could carry malware installed by a previous tenant

Hackers can implant backdoors in ‘Infrastructure as a Service’ bare-metal servers

Network security and ethical hacking specialists from the International Institute of Cyber Security report on a newly disclosed weakness that lets an attacker leave backdoors in the firmware of physical servers that cloud providers later reassign to other customers, leaving the new tenants exposed to a range of attacks.

Some software developers choose to rent what is known as ‘Infrastructure as a Service’ (IaaS) bare-metal servers; this option lets them scale cloud-based applications without sharing the underlying hardware with other customers.

The problem, according to network security specialists, is what happens once a company stops using this hardware: the provider restores the servers to factory settings and reassigns them to other customers, but a compromise planted in the firmware can persist through that restoring process and reach the next tenant.

“Although these servers are used by only one
client at a time, this hardware could be used multiple times subsequently, even
by dozens of users, who have direct access and total control over the servers”,
commented the experts.

Network security experts found that a malicious tenant can plant a backdoor in the firmware of the physical infrastructure behind these cloud services, and that the backdoor survives the reassignment process the providers run. Specifically, an attacker with control of the server can add backdoors and malicious code to the server's firmware or to its Baseboard Management Controller (BMC), something the researchers say requires only modest skill.

The BMC is a third-party component that provides out-of-band remote management of a server: reinstalling the operating system, troubleshooting, and other administration tasks. Because it runs its own firmware independently of the host, wiping disks or reinstalling the operating system does not touch it.

If such a backdoor is successfully deployed on a physical server, it can persist across the customer reassignments made by the provider. To be sure of removing it, the provider must reflash the firmware, in the worst case by physically connecting to the flash chips, a task that does not scale for a service provider.

If the weakness (nicknamed Cloudborne) is exploited, several attack scenarios follow, such as:

  • Permanent denial of service (PDoS), rendering the hardware unusable
  • Theft or interception of application data processed on the compromised server
  • Running malware on the server, or disabling the application running on it

Although the research was conducted on IBM’s SoftLayer servers, the specialists maintain that other providers of this kind of service are exposed to the same attack vector.

One way to mitigate the risk is for providers to reflash the firmware, including the BMC, to a known-good image and verify its integrity before reassigning physical servers to a new customer; a wipe or OS reinstall alone does not reach the BMC.
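As an added illustration of what such a pre-reassignment check could look like (this is example code written for this page, not IBM's, SoftLayer's or the researchers' own tooling), the script below acts as a gate a provider could run before handing a server to its next tenant. It assumes the provider can obtain a dump of the BMC flash image through a trusted out-of-band path and has captured the output of `ipmitool mc info` and `ipmitool user list` from the BMC; the golden image, the allowed firmware version, the expected account list and all sample output are constructed for the example.

```python
"""Pre-reassignment BMC integrity gate (added example, not the article's or a vendor's code).

Assumptions (constructed for this example):
  - GOLDEN_IMAGE stands in for the vendor's released BMC firmware image.
  - ALLOWED_FIRMWARE_VERSIONS / EXPECTED_USERS are the provider's own baseline.
  - The ipmitool output samples below are constructed, not captured from a real BMC.
"""
import hashlib
import re

# Constructed stand-in for the trusted vendor image (real images are megabytes).
GOLDEN_IMAGE = b"BMC-FW v1.20 " + bytes(range(256)) * 4

# Provider baseline (hypothetical values).
ALLOWED_FIRMWARE_VERSIONS = {"1.20"}
EXPECTED_USERS = {"ADMIN"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Known-good digests are derived from the image the provider already trusts.
KNOWN_GOOD_BMC_SHA256 = {sha256_hex(GOLDEN_IMAGE)}


def parse_mc_info(text: str) -> dict:
    """Turn 'Key : Value' lines (ipmitool mc info style) into a dict."""
    info = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        info[key.strip()] = value.strip()
    return info


# One row of 'ipmitool user list': id, name (may be empty), callin, link auth, ipmi msg, priv.
USER_ROW = re.compile(r"^(\d+)\s+(\S*?)\s+(true|false)\s+(true|false)\s+(true|false)\s+(.+?)\s*$")


def parse_user_list(text: str) -> list:
    """Parse user rows; the header line and blanks are skipped."""
    users = []
    for line in text.splitlines():
        m = USER_ROW.match(line.strip())
        if not m:
            continue
        uid, name, _callin, _link, ipmi, priv = m.groups()
        users.append({"id": int(uid), "name": name, "ipmi_msg": ipmi == "true", "priv": priv})
    return users


def reassignment_findings(image: bytes, mc_info_text: str, user_list_text: str) -> list:
    """Return reasons this server must NOT go to the next tenant (empty list = clean)."""
    findings = []
    digest = sha256_hex(image)
    if digest not in KNOWN_GOOD_BMC_SHA256:
        findings.append(f"BMC flash digest {digest[:16]}... not in known-good set; reflash before reassignment")
    version = parse_mc_info(mc_info_text).get("Firmware Revision")
    if version not in ALLOWED_FIRMWARE_VERSIONS:
        findings.append(f"BMC reports firmware revision {version!r}, expected {sorted(ALLOWED_FIRMWARE_VERSIONS)}")
    for user in parse_user_list(user_list_text):
        if user["name"] and user["name"] not in EXPECTED_USERS:
            findings.append(f"unexpected BMC account {user['name']!r} (id {user['id']}, priv {user['priv']})")
    return findings


# Constructed samples: a clean server and one that a previous tenant tampered with.
CLEAN_MC_INFO = """Device ID                 : 32
Firmware Revision         : 1.20
IPMI Version              : 2.0
"""
TAMPERED_MC_INFO = CLEAN_MC_INFO.replace("1.20", "1.19")

CLEAN_USERS = """ID  Name\t     Callin  Link Auth\tIPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   ADMIN            true    false      true       ADMINISTRATOR
"""
SUSPECT_USERS = CLEAN_USERS + "3   svc_maint        true    false      true       ADMINISTRATOR\n"

_tampered = bytearray(GOLDEN_IMAGE)
_tampered[100] ^= 0xFF  # one flipped byte: the digest no longer matches
TAMPERED_IMAGE = bytes(_tampered)

if __name__ == "__main__":
    for label, args in (("clean", (GOLDEN_IMAGE, CLEAN_MC_INFO, CLEAN_USERS)),
                        ("tampered", (TAMPERED_IMAGE, TAMPERED_MC_INFO, SUSPECT_USERS))):
        print(label, reassignment_findings(*args) or ["OK to reassign"])
```

The digest check is only as trustworthy as the way the image was obtained: firmware that is already backdoored can lie to the host about what is in flash, which is why the article notes that a physical connection to the chips may be the only reliable way to reflash and verify. A version string or account list read over IPMI is a cheap first filter, not proof of a clean BMC.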
