Security researchers from Bkav are the ones who identified the security issues

Apr 23, 2014 11:59 GMT

Security researchers from Bkav warn that many cloud customers are vulnerable to cyberattacks because their services are running unpatched versions of Windows Server. With auto update disabled, some of them haven’t been patched in years. 

Experts started investigating cloud environments after one of their customers using Amazon EC2 noticed traces of malware on his server. Upon closer investigation, researchers discovered that the service was running Windows Server 2003.

Windows Server 2003 still receives security updates from Microsoft. The problem was that auto updates were turned off and the last patches were applied in October 2009, making the server highly vulnerable.

To test their findings, experts exploited MS12-020, a critical remote desktop vulnerability that can be leveraged for remote code execution. The security hole was patched by Microsoft in the spring of 2012, but because the server hadn’t been updated since October 2009, the vulnerability could still be exploited.

Microsoft’s cloud services have auto update enabled, so the installations are more secure. However, there are other cloud providers, like HP and GoGrid, that also have auto update disabled, leaving customers vulnerable to cyberattacks.

In the case of HP’s Public Cloud, the last patches were applied in July 2013. Server installations from GoGrid were last updated in April 2012.

MS12-020 is just one of the many vulnerabilities that can be exploited by cybercriminals. Over the past years, Microsoft has released tens or maybe hundreds of security bulletins for various versions of Windows Server operating systems.

However, if the automatic update feature is disabled and customers neglect this aspect, they can end up handing all their valuable data over to cybercriminals.
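The two conditions described above, automatic updates turned off and a patch level that is months or years old, can be checked on a running Windows Server instance. The PowerShell script below is an added example, not part of the Bkav research or the original article; the function names and the 35-day threshold are assumptions.

```powershell
# Added example: audit a Windows Server instance for disabled automatic
# updates and a stale patch level. The 35-day default is an assumption
# (one monthly patch cycle plus some slack).
param([int]$MaxPatchAgeDays = 35)

function Get-AutoUpdateState {
    # Group Policy value, if set: NoAutoUpdate = 1 means automatic updates are off.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    if ($policy -and $null -ne $policy.NoAutoUpdate) {
        return [pscustomobject]@{ Source = 'Policy'; Disabled = ($policy.NoAutoUpdate -eq 1) }
    }
    # No policy: ask the Windows Update Agent. NotificationLevel 1 = disabled.
    try {
        $agent = New-Object -ComObject Microsoft.Update.AutoUpdate
        return [pscustomobject]@{ Source = 'WUA'; Disabled = ($agent.Settings.NotificationLevel -eq 1) }
    } catch {
        return [pscustomobject]@{ Source = 'Unknown'; Disabled = $null }
    }
}

function Get-LastPatchDate {
    # Get-HotFix does not list every update type, and InstalledOn can be
    # empty for some entries, so filter before sorting.
    Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1 -ExpandProperty InstalledOn
}

$autoUpdate = Get-AutoUpdateState
$lastPatch  = Get-LastPatchDate
$ageDays    = if ($lastPatch) { [int]((Get-Date) - $lastPatch).TotalDays } else { $null }

$report = [pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    AutoUpdateDisabled = $autoUpdate.Disabled
    AutoUpdateSource   = $autoUpdate.Source
    LastPatchInstalled = $lastPatch
    PatchAgeDays       = $ageDays
    Stale              = (-not $lastPatch) -or ($ageDays -gt $MaxPatchAgeDays)
}
$report | Format-List

# A non-zero exit code lets a provisioning step keep the instance off the
# Internet until it has been patched.
if ($report.AutoUpdateDisabled -or $report.Stale) { exit 1 }
```

Run as part of first boot or image validation, a check like this catches a template that was last patched long before the instance was launched.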

Experts believe that hackers could be scanning the cloud providers’ IP ranges in search of vulnerable installations which they can easily breach.

“Amazon, HP, GoGrid are among the biggest cloud IaaS providers in the world with big number of users and, sadly, big vulnerability in their service. Problem in updating security patches for their cloud servers might have contributed to the leaks of credit card information, trade secrets that occur frequently in recent years,” explained Ngo Tuan Anh, Bkav VP of Internet Security.

“It’s time for attitude towards security for cloud servers to be changed. Cloud computing is different from conventional world in this, being connected to the Internet right after it is ‘born’, rather than being fully patched before saying hello to the world.”

Update. Bkav tells us that Amazon has fully addressed the security issue. In the case of HP and GoGrid, the issue remains unresolved.
