Magnets to Adversaries—An Analysis of the Attacks on Public Cloud Servers

Abstract

Security adversaries are always constantly looking for targets to exploit. The mechanism of exploitation used by security adversaries varies significantly. Many focus on easy compromises as mere pivots to extend their attacks from these exploited systems to continue accomplishing their original goals. The cloud environment is a highly susceptible target for adversaries and provides a solid mechanism for observing adversary behavior. The sheer volume of attacks on the cloud provides insights into the attacker’s objectives and attack patterns, which can be leveraged for protecting infrastructure. This work deep dives into the practices used by adversaries on the commonly exposed protocols in the Amazon Web Services (AWS), Microsoft Azure (Azure), Google Cloud Platform (GCP), and Oracle Cloud Infrastructure (OCI) platforms. A robust honeypot model is documented that compares attacker behavior across various ports and protocols running in multiple cloud environments. This work illustrates that adversary activity is highly versatile in the public cloud environment, with an average of 700 new and unique IP addresses found attacking honeypot infrastructure daily. Further, this article illustrates the security safeguards a typical organization can leverage to mitigate the threats from these adversaries constantly probing insecure targets on the cloud platform.