Be careful: Your dedicated server in the cloud could have malware installed by previous owners

Hackers implant backdoors on ‘Infrastructure as a Service’ hardware servers

Network security and ethical hacking specialists from the International Institute of Cyber Security report the discovery of a new vulnerability that allows hackers to leave backdoors in the firmware of physical servers that are later reassigned to other users of cloud services, leaving those new users vulnerable to multiple hacking activities.

Some software developers choose to rent what is known as ‘Infrastructure as a Service’ (IaaS); this option allows them to easily scale cloud-based applications without having to share their hardware with other users.

The problem, according to network security specialists, is that once a company decides to stop using this hardware, the servers are restored to their factory settings and reassigned to other users, which exposes the new users to firmware vulnerabilities that can persist even after the restore process.

“Although these servers are used by only one client at a time, this hardware could be used multiple times subsequently, even by dozens of users, who have direct access and total control over the servers”, commented the experts.

Network security experts discovered that a malicious hacker can deploy backdoors in the firmware of the shared infrastructure of these cloud services. The backdoor can survive the server reassignment process performed by the service provider. Specifically, attackers could compromise the servers by adding backdoors and malicious code to the firmware of a physical server or to its Baseboard Management Controller (BMC), which requires minimal hacking skills.

The BMC is a component developed by third parties that allows remote management of a server: reinstalling the operating system, troubleshooting, and other management tasks.

If this kind of backdoor is successfully deployed on a physical server, it may persist despite the customer reassignments performed by the vendor; to remove the backdoor, vendors must physically connect to the chips to reflash the firmware, which is an impractical task for service providers.

If the vulnerability (nicknamed Cloudborne) is exploited, several attack scenarios are possible, such as:

  • Permanent denial of service (PDoS)
  • Theft or interception of application data processed on the compromised server
  • Running malware or disabling the running application

Although the research was conducted by testing IBM’s SoftLayer servers, the specialists warn that other companies providing this kind of service are also vulnerable to this attack vector.

One way to mitigate the risk is for providers of these services to perform the firmware upgrade properly, verifying the result, before reassigning their physical infrastructure to other customers.
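As an added illustration of that mitigation (this is example code, not from the article, the researchers, or any provider), the following Python gate checks firmware images dumped from a server against a known-good manifest before the server is handed to the next customer. The component names, versions and "golden" images are constructed placeholders; a real manifest would come from the hardware vendor's signed release. The self-reported version only selects which golden hash to compare against, because a tampered firmware can report any version it likes; the decision rests on the hash of the full dumped image.

```python
"""Reprovisioning gate: refuse to reassign a bare-metal server whose BMC or
UEFI image does not hash to a known-good value.  Example code with
constructed data; not a vendor tool."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class FirmwareImage:
    component: str  # hypothetical component id, e.g. "bmc" or "uefi"
    version: str    # version string reported by the component (untrusted)
    data: bytes     # raw image read back from the flash chip


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed golden images standing in for the vendor's release files.
GOLDEN_IMAGES: List[FirmwareImage] = [
    FirmwareImage("bmc", "2.1.0", b"EXAMPLE-BMC-IMAGE-2.1.0" + bytes(64)),
    FirmwareImage("uefi", "1.4.2", b"EXAMPLE-UEFI-IMAGE-1.4.2" + bytes(64)),
]

# Manifest: component -> version -> expected SHA-256 of the whole image.
KNOWN_GOOD: Dict[str, Dict[str, str]] = {}
for _img in GOLDEN_IMAGES:
    KNOWN_GOOD.setdefault(_img.component, {})[_img.version] = sha256_hex(_img.data)


def check_firmware(images: Iterable[FirmwareImage],
                   manifest: Dict[str, Dict[str, str]] = KNOWN_GOOD) -> Dict[str, str]:
    """Return one verdict per component the manifest requires:
    "ok", "hash-mismatch", "unknown-version", "missing", or
    "unexpected-component" for an image the manifest does not list."""
    verdicts = {component: "missing" for component in manifest}
    for img in images:
        versions = manifest.get(img.component)
        if versions is None:
            verdicts[img.component] = "unexpected-component"
            continue
        expected = versions.get(img.version)
        if expected is None:
            verdicts[img.component] = "unknown-version"
        elif hmac.compare_digest(expected, sha256_hex(img.data)):
            verdicts[img.component] = "ok"
        else:
            # The image differs from the release the component claims to be:
            # route the server to reflashing, never to the next customer.
            verdicts[img.component] = "hash-mismatch"
    return verdicts


def safe_to_reassign(verdicts: Dict[str, str]) -> bool:
    """Every required component must verify; anything else blocks reassignment."""
    return bool(verdicts) and all(v == "ok" for v in verdicts.values())


def tampered_dump() -> List[FirmwareImage]:
    """Constructed dump of a server whose BMC image was modified (one byte
    appended) while still reporting the golden version string."""
    bmc, uefi = GOLDEN_IMAGES
    return [FirmwareImage(bmc.component, bmc.version, bmc.data + b"\x90"), uefi]


if __name__ == "__main__":
    for label, dump in (("clean server", GOLDEN_IMAGES), ("tampered server", tampered_dump())):
        verdicts = check_firmware(dump)
        print(label, verdicts, "-> reassign" if safe_to_reassign(verdicts) else "-> reflash first")
```

The images fed to `check_firmware` should be read through a path the suspect firmware cannot influence (an external programmer or an independent root of trust), which is the same reason the article notes that removal requires physically connecting to the chips; asking a possibly backdoored BMC to report its own hash defeats the check.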