Cloud-Hosted Botnet Controllers on the Rise: Report

The number of botnet controllers hosted in the cloud has spiked in recent months, data from international nonprofit organization Spamhaus reveals.

Cloud computing has become highly popular lately, and it appears that cybercriminals are adopting it for their own operations as well. Because of advantages such as low cost and scalability, an increasing number of malicious actors are abusing legitimate cloud services to deploy botnet command and control (C&C) servers, researchers say.

Starting in January 2017, several large botnet operators were found using cloud services from Amazon AWS (Amazon Web Services), with Google Compute Engine becoming increasingly popular as well.

A chart provided by Spamhaus shows that the uptick in the use of Amazon AWS for the hosting of botnet controllers started in November 2016 and reached its peak in January 2017. While the number of newly detected botnet controllers on these platforms has decreased, more and more instances of C&C servers hosted on Google Compute Engine have started to emerge.

Spamhaus considered only botnet controllers when compiling the chart, but warns that other fraudulent infrastructure, including payment sites for ransomware (TorrentLocker, Locky, Cerber, etc.) and malware distribution sites, is also increasingly being hosted on Amazon and Google services.

“Neither Amazon nor Google are handling abuse reports about botnet controllers, malware distribution sites, and other types of criminal activity on their clouds in a timely manner. Both allow botnet controllers to remain online for weeks at a time, despite multiple abuse reports and reminders,” Spamhaus’ Thomas Morrison notes.

He also notes that Spamhaus has reached out repeatedly to both Amazon and Google to report these abuse issues, but that “no relevant response from either” has been received so far. The researcher speculates that the root cause of the problem might be a weak or non-existent customer verification process. A weak Acceptable Use Policy, or a corporate culture and management that do not support Abuse Desk policy enforcement, might also contribute to the issue, Morrison notes.

Currently, the Spamhaus Block List (SBL), which is “a database of IP addresses from which Spamhaus does not recommend the acceptance of electronic mail,” contains 159 items for and 53 addresses for

“We encourage Amazon and Google to take the appropriate actions to stop all outstanding abuse problems on their networks, just as all responsible hosting networks must do. In addition, Amazon and Google must take necessary and appropriate steps to prevent further abuse of all types from being generated on their network. That includes reacting to abuse reports from many sources including, but not limited to, SBL listings, and effectively prohibiting all services to spammers and other abusive users,” the researcher notes.

Contacted by SecurityWeek, a Google spokesperson provided the following statement: "Google Cloud Platform has many precautions in place to prevent, detect, and stop abusive behavior. A team of engineers is dedicated to investigating and addressing potential security and abuse incidents 24/7, and we suspend activity that violates our Acceptable Use Policy. Our team identifies the vast majority of abuse before we are notified. When third parties notify us of potential abuse, we investigate claims to verify them before taking action. Potential abuse on Google Cloud Platform can be reported here."

*Updated with statement from Google