Accountability in the Cloud

Ceroxylon
Jul 30, 2022 · 3 min read
It ain’t all sunshine and rainbows in the cloud… Photo by NOAA on Unsplash

I detect and analyze a wide range of attacks on web servers, and as you probably know, the people orchestrating the attacks are quite good at hiding in the shadows and using many layers of obfuscation to stay anonymous.

These can be botnets / previously hacked servers, proxies, TOR routing, VPNs, and virtual machines on cloud services (usually created with stolen IDs), to name a few.

Is all that necessary? According to a recent interaction with a major cloud service provider, I am starting to doubt that attackers even need to bother with anything but the last point.

All of the major cloud providers, and the majority of the smaller scale cloud services, have a portal that allows you to report abuse of their services. When you sign up for any of them, they make it clear that doing any malicious activity is a big no-no and will result in consequences. Reassuring, right?

After discovering a specific IP of a server that was responsible for multiple attacks on several of my clients, I realized that this was not some temporary ghost VPC, it was a consistent and nefarious server hosting payloads to infect and control remote machines, hosted on a major cloud provider. “Wow, brazen of them to keep the same path of attack live for so long”, I thought to myself after seeing the same attack and origin over and over. I reckon this one is worth reporting, since they seem to be lingering on the same machine.

So, I access the abuse reporting portal for the cloud provider, and fill out the form with very specific details of the IP, type of attack, payload samples, honeypot postmortems… more than enough details to terminate the service to that particular VPC.

The response I received was shocking. It was succinct and clear, and boiled down to “Not our problem”. They claim that they are not responsible for doing anything, since the attacks were coming from someone using their services.

“Wait, what?” … I obviously knew that it is someone using their services (since I reached out to them directly), but they are clearly malicious, and I gave them all the details to investigate and terminate the hosts responsible for multiple attacks. Is that not the point of reporting the abuse? They explicitly mentioned that they would do absolutely nothing.

Stunned by the sheer laissez-faire nature of their response, I sent a cheeky reply:

“Does this mean that your company is giving the green light for users to use your platform for malicious activities, since you will refrain from taking any action on such activities?”

… Unsurprisingly, no response was received, and my ticket was closed.

I haven’t bothered reporting cloud hosts in the past since they disappear as fast as they appear, but I wanted to raise the alarm that at least one of the major cloud providers will take zero action when abuse is reported, essentially setting the stage for anyone to spin up evil machines and run rampant until the targets detect and block them. How depressing.

It really does seem that as long as the credit card charge posts, the provider will completely look the other way, even after receiving a thorough and direct report.

If you have had a similar or opposite experience, please reach out, as I would like to gather more statistics, and it would give me hope if someone has a contradictory story.
