Threat Hunter | Report on the compliance status of domestic public cloud assets in the first half of 2018


Disclaimer: The copyright of this report belongs to the Threat Hunter Intelligence Center and is protected by law. Anyone who reprints, excerpts, or uses the text or viewpoints of this report must indicate "Source: Threat Hunter". Violators will be held legally responsible.

1. Background of the report

Since Amazon released AWS in 2005, cloud computing has gone through more than ten years of development and has been widely adopted across industries and across the global market.

In China, Alibaba Cloud, established in 2009, has led the cloud computing trend. After a period of technology accumulation and customer education, China's cloud computing industry entered a relatively long period of rapid growth: driven by this, the scale of China's cloud computing market expanded rapidly, network and scale effects were significantly amplified, and cloud computing became a new high-growth area of China's IT industry.

However, while public cloud vendors compete to expand their territory and build their own cloud computing empires, the compliance problems of cloud assets are becoming increasingly prominent:

On the one hand, more and more Internet companies and traditional enterprises rely on services provided by public cloud vendors to run their business or carry out digital transformation. Enterprise digital assets are being concentrated in the cloud, so the security and compliance of those assets matters more than ever. To some extent, public cloud vendors and their tenants have formed a shared-responsibility relationship: tenants must rely on the security capabilities provided by the vendor at the infrastructure, platform, and software levels to build the security system for their cloud services, while public cloud vendors assume more security and compliance responsibilities and obligations than traditional IDC providers and network operators. Delivering security and compliance capabilities has become one of their core competitive advantages.

On the other hand, the openness, convenience, diversity, and cost-effectiveness of cloud computing, together with the vendors' investment in security, attract not only legitimate enterprise users but also the black and gray industry (cybercrime and fraud operators): more and more of them purchase public cloud services to host the websites and servers used for attacks, fraud, and traffic funnelling, further reducing their costs and improving their efficiency, while also using the security capabilities provided by the public cloud to resist enterprises and security vendors. This forces public cloud vendors to strengthen their ability to audit the compliance of cloud assets, to identify violations and abuses of cloud assets and services promptly and accurately, to tighten management and control of content and behavior security on the public cloud, and to shoulder the corresponding social responsibility.

In view of this, Threat Hunter, relying on its black and gray industry monitoring and traffic deployment and control capabilities, combined with the malicious website perception data provided by its strategic partner Kingsoft Internet Security, conducted in-depth research and analysis of the compliance status of assets on the public cloud. From a large amount of first-hand data it formed the "Domestic Public Cloud Assets Compliance Status Report (First Half of 2018)", which aims to clarify the current situation and problems faced by domestic public clouds in the field of cloud asset compliance auditing and to serve as a reference for the relevant national regulatory agencies and public cloud vendors.

2. Basic concepts

1. Basic concepts and terms involved in the report

(1) Credential stuffing: A credential stuffing attack (sometimes translated literally as "database collision") is one in which attackers collect leaked user account information from the Internet, build a dictionary from it, and then exploit the habit of some users of reusing the same username and password across sites to try to log in to other websites or applications and obtain new, exploitable accounts.

(2) Crawler: A crawler, also known as a web spider, is a program or script that automatically collects specified information from the Internet according to set rules. Crawlers can be divided into two types: web crawlers that traverse and fetch web pages by following hyperlinks, and data interface crawlers that construct requests to specific API interfaces.

(3) Honeypot: A honeypot is a software system deployed as intrusion bait to lure attackers and collect evidence of their activity. According to the definition of The Honeynet Project, a honeypot is a security resource whose value lies in being probed, attacked, or compromised.

(4) Phishing: Phishing is a social engineering attack that uses deceptive e-mails or fake websites to lure victims into submitting sensitive information, or to deliver and implant malicious programs on targets, in order to carry out online fraud and network intrusion. By attack vector, phishing can be divided into website phishing, email phishing, SMS phishing, IM/social phishing, mobile app phishing, and other types.

(5) DDoS attack: Distributed denial-of-service attack. Generally, a DDoS attack uses compromised hosts ("broilers" in Chinese underground slang) to send a large number of seemingly legitimate requests to the target website in a short period of time, consuming the target's network and host resources so that it can no longer provide service normally.

(6) Botnet: A botnet is a network formed when an attacker spreads bot programs to control a large number of computers for malicious purposes through a one-to-many command and control channel. Note that this is not a network with a physical topology.

(7) Dark web: The dark web refers to networks that can only be reached with special software, special authorization, or special configuration of the computer. Its contents cannot be found with ordinary browsers and search engines.

2. Data sources and sampling notes

Data Source Description

The main data sources for this report include:

(1) Content data: illegal/malicious websites and their content, obtained through targeted monitoring (Yunqing platform).

(2) Sample data: samples of black and gray industry tools, obtained through broad-spectrum monitoring (TH-Karma platform).

(3) Traffic data: black and gray industry attack traffic, obtained through honeypot monitoring (TH-Karma platform).

(4) Malicious IP/domain data: malicious IP and domain name data obtained through third-party cooperation and honeypot monitoring (Yunqing and TH-Karma platforms).

(5) Other data: cloud-host security-related data obtained through other third-party cooperation and monitoring, including but not limited to the types above.

Data Sampling Description

The data sampling in this report mainly adopts the following methods:

(1) Keyword sampling: According to specific keywords and keyword combinations, extract data subsets related to specific analysis objects or specific analysis scenarios from the complete set of data. Mainly used for data statistics or trend analysis.

(2) Similarity sampling: According to the similarity of text or sample data, a subset of data with higher similarity is extracted from the full set of data. Mainly used for data classification statistics or case analysis.

(3) Random sampling: simple random sampling of data of unknown type or content; the sampling ratio is determined by the specific analysis scenario. Mainly used for discovering intelligence leads or verifying keywords.

(4) Stratified sampling: divide the known tool/event data into subsets according to established labeling rules and randomly select part of the data from each subset for analysis. The sampling ratio is determined by the specific analysis scenario. Mainly used for case analysis or keyword verification.

We believe that although our data samples are incomplete, they satisfy reasonable sampling criteria in probabilistic terms, and that trend analysis and classification statistics derived from them will not deviate too far from the actual situation. Where deviations arise from limited data acquisition channels, changes in the data itself, sampling probability constraints, or sample noise, we correct them using analyst experience and mark the corrected data as such.

3. Cyber attack threats against the public cloud

Based on Threat Hunter's own monitoring data of black and gray industry attack traffic, we extracted the attack data targeting public clouds. The data show that in the first half of 2018 (January to June 2018), cyber attacks against the cloud applications and cloud hosts of the major domestic public cloud vendors were dominated by automated (bot) attacks and credential stuffing attacks, and there were still a large number of business-level gray industry activities targeting resources such as cloud hosts, domain names, and mailboxes.

1. The total number of attacks is on the rise

Counting the related attacks month by month and excluding the sample deviation caused by large-scale corporate marketing activities around the Spring Festival in February, the number of attacks on public clouds by the black and gray industry shows a clear upward trend.


2. Alibaba Cloud and Tencent Cloud suffered the most attacks

Among domestic public cloud vendors, Alibaba Cloud accounted for the highest proportion of attacks, 55.32%, followed by Tencent Cloud at 27.34%, then UCLOUD, Huawei Cloud, QingCloud, Baidu Cloud, Kingsoft Cloud, and JD Cloud. This largely matches the market share ranking of domestic public cloud vendors (ignoring small differences in market share between some vendors).


It is worth noting that when the proportion of attacks is counted month by month, the shares of Alibaba Cloud and Tencent Cloud show a slight upward trend in most months (excluding the sample deviation around the Spring Festival in February), which is also broadly consistent with the concentration trend in public cloud market share.


3. More than 50% of attacks are carried out by bots

By extracting behavioral features from the attack traffic, we found that more than 50% of attacks were carried out by bots. The vast majority of these bots perform Internet-wide scanning or exploitation: most of them (more than 70%) are ordinary batch port scanners, about 20% come from automated vulnerability scanning and exploitation tools aimed at specific targets (for example the Struts2 S2-045/S2-048 family of vulnerabilities), and about 10% are probably the Internet asset survey systems of national regulators, security vendors, and research institutions. In addition, a very small number of bots are registration tools for public cloud enterprise mailboxes.
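To make the bot breakdown above concrete, the following added example (written for this page, not Threat Hunter's own code) classifies honeypot sources into the categories named there using a few behavioral features: an OGNL expression smuggled in the Content-Type header (the S2-045 technique) marks an exploit tool, a User-Agent from a constructed allowlist marks a research or regulatory asset survey, and 20 or more distinct destination ports within a minute marks a batch port scanner. The thresholds, the allowlist string, the IP addresses and the sample traffic are all assumptions constructed for illustration.

```python
"""Behaviour-based classification of honeypot sources (added example, not Threat Hunter's code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    ts: float            # epoch seconds
    src: str             # source IP
    dport: int           # destination port on the honeypot
    headers: tuple = ()  # (name, value) pairs for HTTP hits, empty otherwise


# An OGNL expression carried in Content-Type is the S2-045 exploitation
# technique; these substrings are public, widely used detection markers.
OGNL_MARKERS = ("%{", "#_memberAccess", "ognl.OgnlContext")

# Hypothetical User-Agent fragment of a research/regulatory asset survey.
# Assumption for the example; real deployments maintain their own allowlist.
SURVEY_UA_HINTS = ("example-asset-survey",)

PORTSCAN_MIN_PORTS = 20   # distinct ports within WINDOW_SECONDS (assumed threshold)
WINDOW_SECONDS = 60.0


def header(hit, name):
    for k, v in hit.headers:
        if k.lower() == name.lower():
            return v
    return ""


def is_struts_exploit(hit):
    return any(m in header(hit, "Content-Type") for m in OGNL_MARKERS)


def is_survey(hit):
    return any(h in header(hit, "User-Agent") for h in SURVEY_UA_HINTS)


def max_distinct_ports(hits, window=WINDOW_SECONDS):
    """Largest number of distinct destination ports in any sliding time window."""
    hits = sorted(hits, key=lambda h: h.ts)
    counts, left, best = defaultdict(int), 0, 0
    for h in hits:
        counts[h.dport] += 1
        while h.ts - hits[left].ts > window:   # drop hits that fell out of the window
            p = hits[left].dport
            counts[p] -= 1
            if counts[p] == 0:
                del counts[p]
            left += 1
        best = max(best, len(counts))
    return best


def classify_sources(hits):
    """Map each source IP to exploit-tool, asset-survey, port-scanner or other.
    Content-based signals are checked before volume-based ones, because a
    survey scanner also sweeps ports."""
    by_src = defaultdict(list)
    for h in hits:
        by_src[h.src].append(h)
    labels = {}
    for src, hs in by_src.items():
        if any(is_struts_exploit(h) for h in hs):
            labels[src] = "exploit-tool"
        elif any(is_survey(h) for h in hs):
            labels[src] = "asset-survey"
        elif max_distinct_ports(hs) >= PORTSCAN_MIN_PORTS:
            labels[src] = "port-scanner"
        else:
            labels[src] = "other"
    return labels


# Constructed sample traffic (documentation IP ranges, no real sources).
S2_045_CT = "%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)}"
SAMPLE = (
    [Hit(1000.0 + i, "203.0.113.5", 1 + i) for i in range(25)]                  # 25 ports in 25 s
    + [Hit(2000.0, "198.51.100.9", 8080, (("Content-Type", S2_045_CT),))]       # one exploit POST
    + [Hit(3000.0 + i, "192.0.2.77", 8000 + i,
           (("User-Agent", "example-asset-survey/1.0"),)) for i in range(30)]   # fast, but allowlisted
    + [Hit(4000.0, "192.0.2.200", 22)]                                           # single SSH probe
)

if __name__ == "__main__":
    for src, label in sorted(classify_sources(SAMPLE).items()):
        print(src, label)
```

The User-Agent allowlist is only as good as its maintenance and is trivially spoofed, so in practice it is paired with the published source ranges of the survey operators; the sliding-window port count, by contrast, cannot be faked without also giving up the speed that makes batch scanning worthwhile.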


We also observed an interesting phenomenon: about 30% of the automated scanning or exploitation bot traffic geolocates to Ashburn, Virginia, USA, where Amazon's AWS cloud computing campus is located, and this share is increasing month by month. We infer that, as domestic network security supervision tightens, part of the black and gray industry's infrastructure is gradually moving abroad.

4. Credential stuffing attacks are on the rise overall

Apart from automated scanning and vulnerability exploitation, 14.36% of attacks were credential stuffing attacks. Counted month by month, these attacks show a clear upward trend (excluding the sample deviation around the Spring Festival in February).


We also found that about 30% of credential stuffing attacks used new dictionaries with a high degree of overlap, which we suspect is related to several underground trades of social engineering databases (aggregated leaked personal data) that we monitored in the first half of 2018. Since the delay from a data leak to small-scale trading on the dark web, QQ groups, Telegram groups and the like, and then to large-scale circulation, is generally three to six months, we infer that credential stuffing attacks will increase further in the second half of 2018.

5. Gray industry activity around public cloud business is still active

Analysis of the black and gray industry data collected by the TH-Karma platform shows that promotion abuse ("wool gathering") of the public clouds' various discount campaigns is still active. Typical cases include sub-letting and reselling the discounted student instances of Alibaba Cloud, Tencent Cloud, and Meituan Cloud in bulk, passing the real-name verification for Alibaba Cloud and Tencent Cloud domain names in bulk, and registering public cloud enterprise mailboxes in bulk with email registration bots. We believe these activities have formed a fairly complete "production, sales, use" gray industry chain that provides infrastructure support for other black and gray industry activities.


6. Supplementary notes on the data analysis

Limited by our data acquisition channels and by sample noise, our monitoring channels have a low capture rate for DDoS attacks and crawler attacks, so the counts of these two attack types in the statistics are lower than our experience would suggest, and we do not analyze them in detail in this report. However, the black and gray transaction data we obtained show that the number of unfilled DDoS-for-hire orders against Alibaba Cloud and Tencent Cloud servers in the past six months (orders that nobody accepts or that cannot be completed) has increased significantly, which indirectly reflects that Alibaba Cloud, Tencent Cloud, and other cloud vendors have achieved results in DDoS defense.

4. Cyber attack threats from the public cloud

Also based on Threat Hunter's own monitoring data of black and gray industry attack traffic, we extracted the attack data originating from public clouds. The data show that in the first half of 2018 (January to June 2018) there was no significant increase in such attacks and the overall trend was stable; the threat types were mainly bots and credential stuffing, while attack behavior at the business level increased significantly.

1. The total number of attacks is stable overall

Counting the related attacks month by month and excluding the sample deviation caused by large-scale corporate marketing activities around the Spring Festival in February, the number of attacks launched from public cloud hosts did not increase significantly and remained stable overall.


2. Alibaba Cloud and Tencent Cloud are the source of the most attacks

Among domestic public cloud vendors, attacks launched from Alibaba Cloud hosts accounted for the highest proportion, 60.65%, followed by Tencent Cloud hosts at 23.51%, then Kingsoft Cloud, UCLOUD, Huawei Cloud, Baidu Cloud, and JD Cloud.


When the proportion of attacks is counted month by month, the shares of Alibaba Cloud and Tencent Cloud show a certain upward trend in most months (excluding the sample deviation around the Spring Festival in February). We believe this is related to a series of promotions run by Alibaba Cloud and Tencent Cloud in the first half of 2018: cloud host resources such as the student instances mentioned above and the 6-yuan instances for existing customers are increasingly being used by the black and gray industry to launch attacks on external targets.

3. The proportion of registration bots has increased

By extracting behavioral features from the attack traffic, we subdivided and counted the bot category, which accounts for 54.73% of all attack types. The results show that, unlike Section 3.3, where scanning and exploitation tools made up the vast majority of bots, more than 30% (31.84%) of the bot behavior launched from public cloud hosts comes from registration bots (mailbox registration bots, account registration bots, and so on), and nearly 10% (9.50%) from various cheating tools (red envelope grabbers, game cheats, and so on). Evidently public cloud hosts are cheaper and, from the operators' point of view, safer than traditional IDC server rooms, which has led the cost- and self-protection-conscious black and gray industry to migrate part of its service business to public clouds.


4. More than 30% of attacks are credential stuffing and will continue to grow

We also found that more than 30% (33.67%) of attacks were credential stuffing attacks, and they show a certain month-by-month upward trend (excluding the sample deviation around the Spring Festival in February). Combined with the analysis in Section 3.4 above, we infer that credential stuffing attacks launched from public cloud hosts will increase further in the second half of 2018.
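The credential stuffing findings in Section 3.4 and here in Section 4.4 rest on two signals: a source spraying many distinct accounts with almost no successes, and sources whose attempted credential lists overlap heavily (the "new dictionary with a high degree of overlap" observation). The following added example (not Threat Hunter's code) reproduces both over constructed honeypot login attempts; the thresholds, IP addresses and the sample "leaked database" are assumptions made for illustration.

```python
"""Credential-stuffing detection over honeypot login attempts (added example, not Threat Hunter's code)."""
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Attempt:
    ts: float
    src: str
    user: str
    password: str   # honeypots record the attempted secret; production auth logs must not
    success: bool


MIN_ATTEMPTS = 20          # assumed thresholds for the example
MIN_DISTINCT_USERS = 10
MAX_SUCCESS_RATE = 0.05    # stuffing succeeds rarely per attempt
OVERLAP_THRESHOLD = 0.5    # Jaccard similarity that counts as "same dictionary"


def profile_sources(attempts):
    """Per-source counters that separate stuffing (many accounts, few wins)
    from classic brute force (one account, many passwords)."""
    prof = defaultdict(lambda: {"n": 0, "users": set(), "ok": 0, "creds": set()})
    for a in attempts:
        p = prof[a.src]
        p["n"] += 1
        p["users"].add(a.user)
        p["ok"] += int(a.success)
        p["creds"].add((a.user, a.password))
    return prof


def is_credential_stuffing(p):
    return (p["n"] >= MIN_ATTEMPTS
            and len(p["users"]) >= MIN_DISTINCT_USERS
            and p["ok"] / p["n"] <= MAX_SUCCESS_RATE)


def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def shared_dictionary(prof, threshold=OVERLAP_THRESHOLD):
    """Pairs of stuffing sources whose (user, password) sets overlap heavily,
    i.e. sources that are probably replaying the same leaked database."""
    stuffers = sorted(s for s, p in prof.items() if is_credential_stuffing(p))
    return [(s1, s2) for s1, s2 in combinations(stuffers, 2)
            if jaccard(prof[s1]["creds"], prof[s2]["creds"]) >= threshold]


# Constructed sample: a fake leaked database of 40 credential pairs, replayed
# by two sources (one partially, with a single hit), plus one brute-forcer.
LEAK = [(f"user{i:02d}", f"Passw0rd{i}") for i in range(40)]
SAMPLE = (
    [Attempt(1.0 + i, "203.0.113.10", u, pw, False) for i, (u, pw) in enumerate(LEAK)]
    + [Attempt(2.0 + i, "203.0.113.11", u, pw, i == 3) for i, (u, pw) in enumerate(LEAK[:30])]
    + [Attempt(3.0 + i, "198.51.100.7", "root", f"guess{i}", False) for i in range(50)]
)

if __name__ == "__main__":
    prof = profile_sources(SAMPLE)
    for src, p in sorted(prof.items()):
        print(src, "stuffing" if is_credential_stuffing(p) else "other",
              f"users={len(p['users'])} success={p['ok']}/{p['n']}")
    print("shared dictionary:", shared_dictionary(prof))
```

Honeypots legitimately record attempted passwords, which is what makes the overlap measurement possible; ordinary authentication logs must not, so on production systems the same check is run on (source, username) pairs only, or on a keyed hash of the credential pair, and a "new dictionary" is recognised by its low overlap with previously seen attempts rather than by its content.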


5. Supplementary notes on the data analysis

Limited by our data acquisition channels, our monitoring cannot accurately determine which of the cloud hosts used for external attacks were rented by the black and gray industry for that purpose and which are legitimate hosts that were compromised. Judging solely by DGA domain name rules also has clear limitations, and the corresponding statistics fall far below our experience-based expectations, so this aspect is not analyzed in detail in this report.
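To illustrate the limitation noted above, the following added example (not part of the report) implements a typical lexical "DGA rule" (long labels with few vowels or many digits) and then applies it only to NXDOMAIN responses to mark a host as suspected-infected. The sample queries, host addresses and thresholds are constructed; the rule flags a CDN-style hostname on lexical grounds alone and misses a wordlist-based DGA entirely.

```python
"""A lexical DGA rule and its blind spots (added example, not Threat Hunter's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsQuery:
    host: str        # the cloud host that issued the query
    qname: str
    nxdomain: bool   # True if the resolver returned NXDOMAIN


MIN_LABEL_LEN = 10        # assumed thresholds for the example
MAX_VOWEL_RATIO = 0.25
MAX_DIGIT_RATIO = 0.30


def looks_generated(label):
    """Typical 'DGA rule': a long label with few vowels or many digits.
    Kept deliberately simple so that its blind spots are visible."""
    n = len(label)
    if n < MIN_LABEL_LEN:
        return False
    vowels = sum(c in "aeiou" for c in label)
    digits = sum(c.isdigit() for c in label)
    return vowels / n < MAX_VOWEL_RATIO or digits / n > MAX_DIGIT_RATIO


def suspicious_domain(qname):
    """Flag a name if any label below the TLD looks generated. Assumes a
    single-label public suffix; a real tool would consult the Public Suffix List."""
    labels = qname.lower().rstrip(".").split(".")
    return any(looks_generated(lab) for lab in labels[:-1])


def classify_hosts(queries, min_hits=5):
    """A host whose NXDOMAIN answers cluster on generated-looking names is a
    candidate for 'compromised and beaconing'. Everything else stays unknown:
    a host the attacker rented outright produces no such signal at all."""
    score = {q.host: 0 for q in queries}
    for q in queries:
        if q.nxdomain and suspicious_domain(q.qname):
            score[q.host] += 1
    return {h: ("suspected-infected" if s >= min_hits else "unknown")
            for h, s in score.items()}


# Constructed sample: one classic-DGA beacon, one CDN client, one wordlist-DGA beacon.
RANDOM_LABELS = ("xkq7zp3mwv9a", "qwzrtkpvhmxg", "jhgfdkslzxcv", "bvcxzmnbhjkl", "plmkoijnbhvg")
WORD_LABELS = ("slowlyheavenkind", "quietrivermoon", "brightstoneleaf",
               "gentlecloudpath", "silverlakebirds")
SAMPLE = (
    [DnsQuery("10.0.0.5", f"{lab}.top", True) for lab in RANDOM_LABELS]
    + [DnsQuery("10.0.0.6", f"d3f9a2b1c4e{i}.cdn-example.net", False) for i in range(5)]
    + [DnsQuery("10.0.0.7", f"{w}.com", True) for w in WORD_LABELS]
)

if __name__ == "__main__":
    for host, label in sorted(classify_hosts(SAMPLE).items()):
        print(host, label)
```

Gating on NXDOMAIN rescues the CDN client (its generated-looking names resolve), but the wordlist DGA host looks benign to the lexical rule and is never counted, and an attacker-rented host that talks to hard-coded C2 addresses generates no DNS signal at all. Both gaps push the "compromised" count below what an analyst expects, which is the undercounting the section describes.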

5. Neglected content compliance issues on the cloud

Combining Kingsoft Internet Security's malicious site perception data from endpoints with the black and gray industry activity data collected by Threat Hunter, we found that, in addition to the cyber attack threats described above, public cloud vendors also face serious content compliance problems on the cloud: a large number of malicious and illegal websites take advantage of the convenient deployment, high cost-effectiveness, and strong protection of the public cloud to set up and run illegal activities such as online gambling, online pornography, phishing, online pyramid schemes, and in-page cryptocurrency mining (cryptojacking).

1. The proportion of online gambling on the cloud is the highest

Monitoring data for the first half of 2018 (January to June 2018) shows that among the malicious and illegal websites on the cloud, online gambling accounts for the highest proportion, as high as 75.38%. In particular, driven by the World Cup in June, a large number of football betting websites went live in June, and large numbers of legitimate websites on the cloud were injected in bulk with hidden links and pages carrying betting content. We expect that after the World Cup ends in July, the proportion of online gambling will fall back to its normal level (estimated at 50% to 60%).


2. Online pornography on the cloud is mostly a front for fraud

Sampling analysis shows that most of the online pornography sites on the public cloud are connected to online fraud. The usual pattern is to attract users to the site with enticing videos or pictures through advertisements and social software, then induce them to top up an account, after which most sites do not provide the promised service: typical online fraud.

To evade supervision, most of these sites use cheap bulk-registered domain names and cloud hosting resources and rotate domain names and hosts at random every 1 to 3 days. The same pattern appears in large numbers in phishing campaigns on the cloud.

3. Phishing on the cloud takes many forms

Statistics on illegal phishing content across the public clouds show that the most commonly imitated website types are banking, games, e-commerce, P2P finance, and gambling.


Correlation analysis combined with monitoring data from black and gray trading channels shows that bank phishing websites have two characteristics: they appear with a certain periodicity, and they correlate fairly strongly with trades of bank accounts and personal data on the underground black market. This indicates that most of these campaigns are run by fixed gangs with an activity cycle of roughly one month.

P2P finance phishing websites rarely appeared before and are tied to the wealth management boom of recent years. Interestingly, we found that a small number of these phishing sites exploited the recent wave of P2P platform collapses, using WeChat, QQ, and forum "rights protection" groups to lure people hoping to recover their money into entering personal information on fake websites, or to defraud them of further money.

Gambling phishing websites also surged under the influence of the World Cup and are expected to decline after it ends.

4. Online pyramid schemes persist despite repeated bans

Data analysis shows that most of the online pyramid scheme sites on the cloud present themselves as so-called "cash-out platforms", "online micro-businesses", "online part-time jobs", and the like, and funnel traffic to the corresponding pyramid scheme WeChat groups, QQ groups, forums, or offline gatherings.


It is worth noting that with the popularity of digital currencies, online pyramid schemes built around emerging concepts such as "trading is mining" are also emerging, and combined with online fraud have lured in many victims.


Closing remarks:

With the popularity of cloud computing, the major cloud service providers play an important role, and the ability to audit illegal content and business has become a standard capability of a cloud service provider. Beyond the investment of the major cloud vendors themselves, industry cooperation and the integration of third-party service providers' capabilities are also improving overall security audit efficiency. As the Internet ecosystem changes rapidly, the pressure to iterate the security system grows.

Origin blog.csdn.net/weixin_55436205/article/details/130712219