
What is Cloud Abuse?

by Iwan Price-Evans on Security • May 27, 2022

Cloud abuse, network abuse, and web host abuse are terms for the abuse, whether legal or illegal, of legitimate cloud computing services.

Cloud abusers take advantage of blind spots in terms of service, flaws in business logic, and areas of cloud service usage where the rules of use are ambiguous. They will sign up for legitimate cloud services intending to use them for malicious purposes.

They may want to use the service to host a blatant attack such as a spam bot, or they may want to host a legitimate service at a low cost by circumventing usage limits.

Cloud abuse actors rarely take advantage of security control flaws because the host is not the target. Their goal is to use the legitimate services of the cloud platform either maliciously or unscrupulously.

Cloud Abuse For Cyber Security Attacks

The virtual nature of cloud services makes them a target for cyber security threat actors. Virtual machines, hard drives, and data stores can all be purchased by creating free accounts with just a credit card number. Of course, this makes it easy for a cybercriminal to set up accounts with stolen data for malicious purposes.

Abusive actors will often perform bulk account creation of cloud services and then use those accounts to take advantage of free tier services. If one account is identified as malicious by the provider, they can simply switch to one of their other accounts or even to another cloud provider.

Abuse actors are always goal-oriented and often have multiple goals, a combination called a blended threat. They can use more than one cloud platform to achieve those goals. For example, they may use one cloud service to host a spam bot that sends phishing spam, another to host the landing page for the phishing link, and another to receive the data submitted by the victims. These cloud applications are likely to be created within each cloud service provider's free tier.

Using multiple cloud platforms makes it harder for each cloud service provider to identify and categorize threat activity. In isolation, an application in a free tier service that hosts a small website, serves only a few pages, and receives a low volume of data may go undetected as being part of a malicious campaign.

Network Abuse

Cyber attackers create cloud accounts to launch their activities from and often use VPNs when doing this. Their frequent use of multi-hop VPNs requires significant bandwidth, and so can quickly use up the network quota on a free tier account. Quota usage can serve as an indicator to service providers of malicious use.
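The two provider-side signals described above, bulk account creation and fast consumption of a free tier network quota, can be checked together when triaging accounts. The following Python is an added example, not code from Snapt or from any cloud provider; the record fields, the payment fingerprint, and the thresholds are assumptions, and the sample accounts are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data): free-tier accounts with signup
# time, a payment fingerprint, account age, and network usage against quota.
ACCOUNTS = [
    {"id": "acct-01", "signup": "2022-05-01T10:00:00", "card_fp": "fp-A", "age_days": 3, "quota_gb": 100, "used_gb": 97},
    {"id": "acct-02", "signup": "2022-05-01T10:10:00", "card_fp": "fp-A", "age_days": 3, "quota_gb": 100, "used_gb": 2},
    {"id": "acct-03", "signup": "2022-05-01T10:40:00", "card_fp": "fp-A", "age_days": 3, "quota_gb": 100, "used_gb": 95},
    {"id": "acct-04", "signup": "2022-04-20T09:00:00", "card_fp": "fp-B", "age_days": 14, "quota_gb": 100, "used_gb": 40},
    {"id": "acct-05", "signup": "2022-04-29T15:00:00", "card_fp": "fp-C", "age_days": 5, "quota_gb": 100, "used_gb": 60},
]

# Thresholds are assumptions chosen for illustration; tune against real baselines.
BURST_WINDOW = timedelta(hours=1)  # signups this close together form one burst
BURST_MIN = 3                      # accounts per fingerprint within the window
BURN_RATIO = 3.0                   # usage pace relative to an even 30-day spend

def bulk_signup_accounts(accounts):
    """Return ids of accounts created in a burst under one payment fingerprint."""
    by_fp = defaultdict(list)
    for a in accounts:
        by_fp[a["card_fp"]].append((datetime.fromisoformat(a["signup"]), a["id"]))
    flagged = set()
    for group in by_fp.values():
        group.sort()
        for i, (start, _) in enumerate(group):
            window = [aid for t, aid in group[i:] if t - start <= BURST_WINDOW]
            if len(window) >= BURST_MIN:
                flagged.update(window)
    return flagged

def fast_quota_burn_accounts(accounts, period_days=30):
    """Return ids of accounts consuming quota far faster than an even spend."""
    flagged = set()
    for a in accounts:
        expected = a["quota_gb"] * max(a["age_days"], 1) / period_days
        if expected > 0 and a["used_gb"] / expected >= BURN_RATIO:
            flagged.add(a["id"])
    return flagged

def triage(accounts):
    """Map account id -> list of signals; accounts with both are reviewed first."""
    bulk, burn = bulk_signup_accounts(accounts), fast_quota_burn_accounts(accounts)
    signals = (("bulk_signup", bulk), ("fast_quota_burn", burn))
    return {aid: [name for name, ids in signals if aid in ids]
            for aid in sorted(bulk | burn)}
```

Neither signal is conclusive on its own: acct-02 is flagged only because it shares a signup burst with two heavy users, which is the kind of low-volume account the page notes can otherwise go undetected.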

Another type of cloud network abuse is using an account to send malicious traffic, such as DDoS attacks, or to distribute malware. This is often done by controlling a network of bots called a botnet.

Account users who are not cybercriminals may want to abuse the service by identifying ways to bypass network quota usage.

Web Host Abuse

Cyber attackers can use cloud services to host malicious tools used for cyber attack scanning or reconnaissance. Abuse actors can also use cloud-based web hosts to create phishing websites, misinformation sites, or illegal material download sites.

Similar to network abuse, abusive account users may identify ways to circumvent data storage limits or user account limits to reduce their costs. They may even try to identify ways to take advantage of paid services while being on a free tier.

How To Prevent Cloud Abuse

Cloud service providers use abuse controls such as multi-factor authentication, VM isolation, network rules, monitoring, anomaly detection, blacklisting, and many more. However, abusers and criminals are constantly adapting their operations, and so real-time threat intelligence systems are ever more important in mitigating this threat landscape.

Does Snapt Help Prevent Cloud Abuse?

Yes. Snapt NovaSense detects cloud abuse and network abuse for hosting companies, public clouds, and ISPs, including spammers, data harvesters, and botnets using hosted infrastructure to attack others. NovaSense provides detailed reports of infected, compromised, and malicious hosts.

This allows abuse response teams to remove abusive hosts, reducing their compute and bandwidth usage and ensuring compliance as part of their anti-abuse strategy.