Hackers Can Slip Invisible Malware into Some Cloud Computers

The security world's paranoiacs have long cautioned that if a computer falls into a stranger's hands, it shouldn't be trusted again.

Now one company's researchers have demonstrated how, in some cases, that maxim applies just as strongly to a class of machine that never touches your hands in the first place: cloud servers.

On Tuesday, researchers at the security firm Eclypsium published the results of an experiment in which they showed that they could, for a certain class of cloud computing servers, pull off an insidious trick: They can rent a server from a cloud computing provider (they focused on IBM in their testing) and alter its firmware, hiding changes to its code that live on even after they stop renting it and another customer rents the same machine. And while they made only benign changes to the IBM servers' firmware in their demonstration, they warn that the same technique could be used to plant malware in servers' hidden code that persists undetected even after someone else takes over the machine, allowing the hacker to spy on the server, alter its data, or destroy it at will.

"When organizations use public cloud infrastructure, they're essentially borrowing equipment, like buying it used off of eBay, and it can be pre-infected before they start using it," says Yuriy Bulygin, Eclypsium's founder and a former head of Intel's advanced threat research team. "In a similar way, that equipment can be infected if the cloud service provider hasn't sanitized all its equipment at the deepest level, including the firmware."

That cloud sanitization problem, Eclypsium's researchers were careful to point out, doesn't affect all cloud servers.

A typical cloud computing setup generates every customer's computer as a so-called virtual machine, a kind of sealed aquarium within the computer isolated from the server's actual hardware and other customers' virtual machines on the same box. But everyone from Amazon to Oracle to Rackspace also offers so-called bare metal servers, in which a customer rents and fully controls an entire computer in an attempt to improve performance or, ironically, security.

The good news, Nohl argues, is that the bare metal servers are only a small minority of cloud setups, and virtualized servers would be far harder to attack with the firmware trick.
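As an added illustration (not code from the article, from Eclypsium, or from any provider), here is the kind of reprovisioning gate a bare-metal provider would need between tenants: it reads back each firmware component from a returned machine and refuses to reissue the server until anything that deviates from the provider's golden image is reflashed. The component names, versions and image bytes are constructed placeholders; the point it adds is that checking a reported version string alone passes a modified image that still reports the shipped version, while a content digest does not.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed golden manifest for one server model: for each firmware
# component, the version the provider ships and the SHA-256 of that image.
# The image bytes are placeholders standing in for real vendor bundles.
GOLDEN = {
    "bmc":  {"version": "2.1", "sha256": hashlib.sha256(b"vendor-bmc-2.1").hexdigest()},
    "uefi": {"version": "1.7", "sha256": hashlib.sha256(b"vendor-uefi-1.7").hexdigest()},
}

@dataclass
class Decision:
    reissue: bool                                  # safe to hand to the next tenant as-is
    reflash: list = field(default_factory=list)    # components to rewrite from golden
    version_only_ok: bool = True                   # verdict a version-string check alone gives

def gate_returned_server(dump: dict) -> Decision:
    """dump maps component -> {"version": str, "image": bytes} as read back from
    the returned machine. Any missing or mismatching component fails closed:
    the server is not reissued until that component is reflashed."""
    reflash = []
    version_only_ok = True
    for comp, golden in GOLDEN.items():
        got = dump.get(comp)
        if got is None:                            # could not read it back: do not trust it
            reflash.append(comp)
            version_only_ok = False
            continue
        if got["version"] != golden["version"]:
            version_only_ok = False
        if hashlib.sha256(got["image"]).hexdigest() != golden["sha256"]:
            reflash.append(comp)
    return Decision(reissue=not reflash, reflash=reflash, version_only_ok=version_only_ok)

# Constructed samples: a clean return, and one where the previous tenant wrote a
# modified BMC image that still reports the shipped version string.
CLEAN = {"bmc":  {"version": "2.1", "image": b"vendor-bmc-2.1"},
         "uefi": {"version": "1.7", "image": b"vendor-uefi-1.7"}}
TAMPERED = {"bmc":  {"version": "2.1", "image": b"vendor-bmc-2.1" + b"-modified"},
            "uefi": {"version": "1.7", "image": b"vendor-uefi-1.7"}}

if __name__ == "__main__":
    for name, dump in (("clean", CLEAN), ("tampered", TAMPERED)):
        d = gate_returned_server(dump)
        print(f"{name}: reissue={d.reissue} reflash={d.reflash} "
              f"version-check-alone-passed={d.version_only_ok}")
```

In practice the golden digests would come from the provider's signed firmware bundles and the read-back from a trusted out-of-band path, since firmware that has been modified can lie to the host about its own contents.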
