Among the domestic public cloud vendors | Which one do black- and gray-market attackers favor most?

In the first half of 2018, cyberattacks targeting the cloud-based applications and cloud hosts of the country's major public clouds showed a clear upward trend. The main threat types were bots and credential stuffing attacks, targeting cloud hosts, domain names and mailboxes. Gray-market abuse of cloud business resources remains widespread.

The total number of attacks is generally on the rise

Counting the relevant attacks month by month shows that, after setting aside the data-sample deviation caused by large-scale corporate marketing activities around the Spring Festival in February, the number of black- and gray-market attacks on public clouds has increased significantly.

Alibaba Cloud and Tencent Cloud suffered the most attacks

Among the domestic public cloud vendors, Alibaba Cloud received the largest share of attacks, at 55.32%, followed by Tencent Cloud at 27.34%. The remainder targeted UCloud, Huawei Cloud, QingCloud, Baidu Cloud, Kingsoft Cloud (Jinshan Yun) and JD Cloud (Jingdong Yun). This distribution is essentially the same as the market share of domestic public cloud vendors (ignoring slight differences in market share among some vendors).

It is worth noting that when the share of attacks is tallied by month, the shares of Alibaba Cloud and Tencent Cloud show a slight upward trend in most months (excluding the data-sample bias of the February Spring Festival), which is broadly consistent with the trend toward concentration of public cloud market share.

More than fifty percent of attacks come from bots

By extracting the behavioral characteristics of the attack traffic, we found that more than 50% of the attacks were carried out by bots. Most of these bots were used for Internet-wide scanning or exploitation: the majority (more than 70%) were the most common kind of bulk port scanner, about 20% came from automated vulnerability scanning and exploitation tools aimed at specific targets (such as the Struts2-045/048 series of vulnerabilities), and about 10% appear to be asset discovery systems belonging to national regulatory authorities, security vendors and research institutions. A very small number of bots were used for bulk registration of public cloud enterprise mailboxes.

We also found an interesting phenomenon: about 30% of the traffic sources of automated scanning or exploitation bots point to Ashburn, Virginia, the location of Amazon's AWS cloud computing campus, and this share follows a clear month-by-month trend. We conclude that, as domestic network security supervision tightens, part of the infrastructure behind black- and gray-market activity is gradually shifting abroad.

Credential stuffing attacks are on the rise overall

Apart from automated scanning or exploitation, 14.36% of the attacks were credential stuffing attacks. Counting these attacks month by month shows a clear upward trend (excluding the impact of the data-sample deviation around the February Spring Festival).

We also found that about 30% of the credential stuffing attacks used newly compiled dictionaries with a high degree of overlap, which we suspect are related to several underground trades of social-engineering databases that we monitored in the first half of 2018.

Considering that leaked data usually takes about three to six months to move from the initial breach, to small-scale trading on the dark web and in QQ and Telegram groups, to mass circulation, we infer that credential stuffing attacks will increase further in the second half of 2018.

Gray-market abuse of public cloud business offers is still active

Analysis of the black- and gray-market data collected by the 'TH-Karma' platform shows that promotion abuse (薅羊毛) against various public cloud offers is still active. Typical examples include: bulk claiming of Alibaba Cloud, Tencent Cloud and Meituan Cloud student-plan server offers for subletting and resale; bulk use of Alibaba Cloud and Tencent Cloud domain-name real-name verification; and bulk registration of public cloud enterprise mailboxes through mailbox registration bots.

We believe that such activities have formed a relatively complete 'production-sale-use' gray-market chain, providing infrastructure support for other black- and gray-market activities.

Data analysis supplement

Because of limited data acquisition channels and sample noise, our monitoring channels have low capture rates for both DDoS attacks and crawler attacks, so the number of such attacks in our statistics is lower than experience would suggest. This makes it difficult to judge their trend direction, so they are not analyzed in detail in this report.

However, the black- and gray-market trading data we obtained shows that over the past 6 months the number of DDoS attack orders against Alibaba Cloud and Tencent Cloud servers that fell through (that is, no one accepted the order, or the order was accepted but not completed) has increased significantly, reflecting that the anti-DDoS efforts of cloud vendors such as Alibaba Cloud and Tencent Cloud have achieved certain results.