Runaway self-replicating malware on the public cloud

This is a short post to capture an idle thought I had: what if malware could spread itself by automated provisioning, using public cloud APIs to create new machines and infecting them as it goes, “scaling the malware” until all the resources or budget on that account are used up?

I’m sure this isn’t an original idea — but I did have a very quick search and didn’t turn up anything interesting yet. Whether or not it’s been described before, it’s an interesting brain-tickler.

How could this work?

Imagine a virtual machine gets infected with malware using any of the traditional attack vectors: an unsecured service, unchecked patches/files that have been uploaded, whatever. Then imagine that malware can make use of lots of compute power — it could use the public cloud APIs to provision many more instances of itself. Credentials could be obtained from policies attached to virtual machines (something you can certainly do in AWS and Azure — allowing all traffic from a VM to be “trusted” to use an API), or just from a careless administrator leaving their credentials saved on disk.

With those credentials, the malware could easily discover details about its environment, using, for example, cloud-init metadata servers. It could use that information to provision another VM instance and, as soon as it’s provisioned, infect that machine with itself.
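A detection angle on the scenario above, as an added example rather than anything from the original post: when an instance launches more instances with its own instance-profile credentials, the cloud audit log records the RunInstances call under an assumed-role session named after the calling instance. The check below flags roles whose instances collectively request more launches than a threshold, run over constructed CloudTrail-style records (field names follow CloudTrail's format; the account id, role name, instance ids and the threshold are assumptions).

```python
from collections import defaultdict

# Constructed CloudTrail-style records for illustration only. Field names follow
# CloudTrail's format, but every id, role name and timestamp here is made up.
SAMPLE_EVENTS = [
    {"eventTime": "2019-02-03T10:00:00Z", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"instancesSet": {"items": [{"maxCount": 1}]}}},
    {"eventTime": "2019-02-03T10:05:00Z", "eventName": "RunInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/web-role/i-0aaa111"},
     "requestParameters": {"instancesSet": {"items": [{"maxCount": 8}]}}},
    {"eventTime": "2019-02-03T10:06:00Z", "eventName": "RunInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/web-role/i-0bbb222"},
     "requestParameters": {"instancesSet": {"items": [{"maxCount": 8}]}}},
    {"eventTime": "2019-02-03T10:07:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/web-role/i-0aaa111"}},
]

def launched_from_instance(event):
    """True when RunInstances was called with instance-profile credentials:
    an assumed-role session whose session name is the EC2 instance id."""
    if event.get("eventName") != "RunInstances":
        return False
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return False
    session_name = ident.get("arn", "").rsplit("/", 1)[-1]
    return session_name.startswith("i-")

def requested_count(event):
    """Number of instances a RunInstances call asked for (maxCount per item)."""
    items = event.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
    return sum(item.get("maxCount", 1) for item in items)

def find_fan_out(events, max_per_role=4):
    """Aggregate instance-launched RunInstances per role; a role whose own
    instances request more than max_per_role new instances is a finding."""
    per_role = defaultdict(lambda: {"callers": set(), "requested": 0})
    for ev in events:
        if not launched_from_instance(ev):
            continue
        role, caller = ev["userIdentity"]["arn"].split("assumed-role/", 1)[1].split("/", 1)
        per_role[role]["callers"].add(caller)
        per_role[role]["requested"] += requested_count(ev)
    return {r: s for r, s in per_role.items() if s["requested"] > max_per_role}

if __name__ == "__main__":
    for role, stats in find_fan_out(SAMPLE_EVENTS).items():
        print(f"{role}: {len(stats['callers'])} instance(s) requested {stats['requested']} launches")
```

The same aggregation applies to any cloud whose audit log ties API calls to the identity of the calling VM; the threshold would be tuned to what the account's autoscaling legitimately does.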

What could that malware do?

Use cases for such malware could include cryptocurrency mining at someone else’s cloud cost, or spawning a colossal botnet with tremendous scale, even making use of public cloud services like elastic, distributed filesystems, or anything else where the large compute, network and storage provided by the public cloud could be put to misuse.

Obviously the hyperscale public clouds all have security as a #1 priority, with mitigations to limit the scope of such malware. There are good precautions and procedures to make sure that administrators don’t get locked out, can regain control, and maybe even recoup costs should they be attacked. Nevertheless, even if the malware existed on machines that only existed for 24 hours, with access to that kind of scale and automated provisioning it could still be enough to cause considerable damage.

James Read
James Read’s Code, Containers and Cloud blog

Public Cloud and Open Source advocate. Red Hat Solution Architect during the day. Enthusiastic developer at night :) http://jread.com