Trend Micro Research Finds Both On-Premise and Cloud-based Servers Compromised by Criminal Underground

September 02, 2020 - 05:02

Understanding the infrastructure behind cybercrime helps detect and stop operations


HONG KONG, CHINA - Media OutReach - September 2, 2020 - Trend Micro Incorporated (TYO: 4704; TSE: 4704), the leader in cloud security, today released research that states organizations' on-premise and cloud-based servers are compromised, abused and rented out as part of a sophisticated criminal monetization lifecycle.

The findings come from the second of a three-part report series looking at how the underground hosting market operates. They show that cryptocurrency mining activity should be the indicator that puts IT security teams on high alert.

While cryptomining may not cause disruption or financial losses on its own, mining software is usually deployed to monetize compromised servers that are sitting idle while criminals plot larger money-making schemes. These include exfiltrating valuable data, selling server access for further abuse, or preparing for a targeted ransomware attack. Any servers found to contain cryptominers should be flagged for immediate remediation and investigation.
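The triage logic this paragraph describes, as an added example that is not code from the report or from Trend Micro: it scans constructed process and outbound-connection telemetry for cryptominer indicators and flags any host showing one, so that host is handled as a compromised asset rather than a nuisance. The record format, the indicator set and the sample hosts are assumptions made for the example.

```python
"""Triage helper (added example, not code from the report or Trend Micro):
flag hosts showing cryptominer indicators as candidate compromised servers.
Assumptions, not from the page: telemetry arrives as 'host|proc|cmdline|dst'
records; the indicator set below is constructed for illustration."""
import re
from collections import defaultdict

# Constructed indicator set (assumption): well-known miner process names,
# the stratum pool URL scheme, and ports commonly used by mining pools.
MINER_PROC_NAMES = {"xmrig", "minerd", "kdevtmpfsi"}
POOL_URL_RE = re.compile(r"stratum\+(tcp|ssl)://", re.IGNORECASE)
POOL_PORTS = {3333, 4444, 5555, 14444}

# Constructed sample telemetry: one record per process with its outbound peer.
SAMPLE_TELEMETRY = """\
web-01|nginx|nginx: worker process|10.0.0.5:443
web-01|kdevtmpfsi|/tmp/kdevtmpfsi -o stratum+tcp://pool.example:3333|203.0.113.9:3333
db-02|postgres|postgres: checkpointer|10.0.0.7:5432
build-03|python3|python3 ./train.py --epochs 5|10.0.0.8:8080
build-03|xmrig|./xmrig -o 203.0.113.44:14444|203.0.113.44:14444
"""

def parse_record(line):
    """Split one telemetry record into (host, proc, cmdline, peer_ip, peer_port)."""
    host, proc, cmdline, dst = line.split("|", 3)
    ip, port = dst.rsplit(":", 1)
    return host, proc, cmdline, ip, int(port)

def miner_indicators(proc, cmdline, port):
    """Return the reasons this record looks like mining activity (empty if none)."""
    reasons = []
    if proc.lower() in MINER_PROC_NAMES:
        reasons.append(f"known miner process name: {proc}")
    if POOL_URL_RE.search(cmdline):
        reasons.append("stratum pool URL in command line")
    if port in POOL_PORTS:
        reasons.append(f"connection to common mining pool port {port}")
    return reasons

def triage(telemetry):
    """Collect indicators per host. Any host with at least one is flagged for
    full investigation, because mining is usually only the monetization of
    idle access and the broader compromise may still be underway."""
    findings = defaultdict(list)
    for line in telemetry.strip().splitlines():
        host, proc, cmdline, _ip, port = parse_record(line)
        findings[host].extend(miner_indicators(proc, cmdline, port))
    return {host: sorted(set(r)) for host, r in findings.items() if r}
```

Calling `triage(SAMPLE_TELEMETRY)` returns only the two hosts with indicators, each with its list of reasons, which is the set an analyst would pull into the investigation queue first.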

"From dedicated bulletproof hosting to anonymizing services, domain name provision and compromised legitimate assets, the cybercriminal underground boasts a sophisticated range of infrastructure offerings to support monetization campaigns of all types," said Bob McArdle, director of forward-looking threat research for Trend Micro. "Our goal is to raise awareness and understanding of cybercriminal infrastructure to help law enforcement agencies, customers and other researchers block avenues for cybercrime and drive costs up for threat actors."

The report lists the main underground hosting services available today, providing technical details of how they work and how criminals use them to run their businesses. This includes a detailed description of the typical lifecycle of a compromised server, from initial compromise to final attack.

Cloud servers are particularly exposed to compromise and use in underground hosting infrastructure, as they may lack the protection of their on-premises equivalents.

McArdle continued, "Compromised legitimate corporate assets can be infiltrated and abused whether on-premise or in the cloud. A good rule of thumb is that whatever is most exposed is most likely to be exploited."

Cybercriminals might look to exploit vulnerabilities in server software, use brute-force attacks to compromise credentials, or steal logins and deploy malware via phishing attacks. They may even target infrastructure management software (cloud API keys), which allows them to create new instances of virtual machines or supply resources.

Once compromised, these cloud server assets could be sold on underground forums, dedicated marketplaces and even social networks for use in a range of attacks.

The report also covers emerging trends for underground infrastructure services, including abuse of telephony services and satellite infrastructure, and "parasitic" computing for rent including hidden RDP and VNC.

To read the report, please visit: 

About Trend Micro

Trend Micro, a global leader in cybersecurity, helps make the world safe for exchanging digital information. Leveraging over 30 years of security expertise, global threat research, and continuous innovation, Trend Micro enables resilience for businesses, governments, and consumers with connected solutions across cloud workloads, endpoints, email, IIoT, and networks. Our XGen™ security strategy powers our solutions with a cross-generational blend of threat-defense techniques that are optimized for key environments and leverage shared threat intelligence for better, faster protection. With over 6,700 employees in 65 countries, and the world's most advanced global threat research and intelligence, Trend Micro enables organizations to secure their connected world.