Cybercrime and Cloud Computing: Cloud Attack Vectors
Cloud computing has fundamentally transformed how organizations store, process, and access data. The shift from on-premises infrastructure to cloud services — AWS, Azure, Google Cloud, and others — has introduced enormous operational benefits but also entirely new categories of cyber threats. Understanding how cybercrimes manifest in the cloud is essential for modern security professionals.
---
Cloud Computing Fundamentals
Cloud computing is the delivery of computing services (servers, storage, databases, networking, software, analytics, intelligence) over the internet on a pay-as-you-go basis.
Service Models and their Security Implications:
| Service Model | Full Name | Provider Manages | Customer Manages | Security Boundary | Example |
|---|---|---|---|---|---|
| IaaS | Infrastructure as a Service | Physical hardware, hypervisor | OS, apps, data, runtime | From OS upward | AWS EC2, Azure VMs |
| PaaS | Platform as a Service | Hardware, OS, runtime, middleware | Applications, data | Applications and data only | AWS Elastic Beanstalk, Heroku |
| SaaS | Software as a Service | Everything | Data, configuration, user access | User access and data | Office 365, Salesforce, Gmail |
| FaaS | Function as a Service | Everything + execution environment | Code logic, data | Code logic | AWS Lambda, Azure Functions |
Deployment Models:
| Model | Description | Data Control | Cost | Risk Level |
|---|---|---|---|---|
| Public Cloud | Shared infrastructure by cloud provider | Low | Lowest | Medium (shared tenancy) |
| Private Cloud | Dedicated infrastructure for one org | High | High | Lower (isolated) |
| Hybrid Cloud | Mix of public and private | Medium | Medium | Varies |
| Community Cloud | Shared by organizations with common interests | Medium | Medium | Lower |
---
Cloud-Specific Threat Vectors
ENISA (the EU Agency for Cybersecurity) identifies cloud-specific threats that are distinct from traditional IT threats:
1. Data Breaches in the Cloud: the most significant cloud risk. Data stored centrally in the cloud represents a high-value target. Causes include:
- Misconfigured storage buckets (S3 buckets set to public access) — responsible for billions of leaked records
- Weak authentication on cloud APIs
- Insufficient encryption of data at rest
Real Example: Capital One (2019) — misconfigured AWS firewall rule exposed 100M customer records
2. Misconfiguration and Inadequate Change Control: the ease of provisioning cloud resources leads to misconfiguration. Common misconfigurations:
- Open firewall rules (port 22/SSH, port 3389/RDP exposed to internet)
- Default credentials on cloud services
- Over-permissive IAM roles (e.g., giving admin access instead of least privilege)
- Unencrypted storage buckets exposed publicly
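Two of the misconfigurations just listed (over-permissive IAM roles and publicly exposed buckets) are visible in the policy document itself, which is what CSPM tools check. The following is an added example, not code from the page or any vendor tool: an offline checker that flags admin-equivalent wildcard grants and bucket policies open to everyone, run against three constructed policies (the bucket and statement names are placeholders), including a least-privilege policy that should produce no findings.

```python
"""Offline checker for the misconfigurations listed above: admin-equivalent IAM
grants and bucket policies open to everyone.

Added example. The three policy documents are constructed for illustration and
the rules are a small subset of what a CSPM tool evaluates.
"""
import json


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True when a statement grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def check_policy(policy):
    """Return a list of findings (strings) for one IAM or S3 bucket policy document."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        sid = stmt.get("Sid", f"statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        anyone = _principal_is_anyone(stmt.get("Principal"))

        # Rule 1: "*" or "service:*" on every resource is an admin-equivalent grant,
        # the opposite of least privilege.
        if "*" in resources and any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard action on all resources (admin-equivalent)")

        # Rule 2: a public principal with no Condition makes the bucket world-readable
        # (or worse); a Condition such as aws:SourceIp would at least narrow it.
        if anyone and not stmt.get("Condition"):
            findings.append(f"{sid}: grants {', '.join(actions)} to everyone (Principal '*')")

        # Rule 3: anonymous write or delete is flagged separately because it allows
        # tampering, not just disclosure.
        if anyone and any(a.startswith(("s3:Put", "s3:Delete")) for a in actions):
            findings.append(f"{sid}: anonymous write/delete access")
    return findings


# Constructed policies (bucket name and statement ids are placeholders).
PUBLIC_BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}""")

ADMIN_ROLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "FullAdmin",
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
  }]
}""")

LEAST_PRIVILEGE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ReadOneBucket",
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
  }]
}""")

if __name__ == "__main__":
    for name, policy in [("public bucket", PUBLIC_BUCKET_POLICY),
                         ("admin role", ADMIN_ROLE_POLICY),
                         ("least privilege", LEAST_PRIVILEGE_POLICY)]:
        print(name, "->", check_policy(policy) or ["no findings"])
```

Real CSPM products evaluate far more (NotAction, NotResource, condition keys, resource-based versus identity-based policies), but the shape is the same: parse the policy, normalise the string-or-list fields, and test each Allow statement against a rule set, so the checker can run in CI before a policy is ever applied.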
3. Account Hijacking (Cloud IAM Compromise): attackers gain access to cloud accounts through:
- Phishing cloud administrator credentials
- API key exposure in GitHub repositories (GitGuardian detects millions of exposed secrets annually)
- Password reuse from breached credential databases
- SIM swapping to defeat SMS-based MFA
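The API-key-exposure item above is the one a defender can catch before the attacker does, by scanning repositories the way GitGuardian and similar tools do. The following is an added example, not the page's or any vendor's code: it finds AWS access key IDs by their fixed shape (the AKIA/ASIA prefix and 16 upper-case alphanumerics) and other hard-coded secrets by a secret-looking variable name combined with string entropy. SAMPLE_SOURCE is constructed; the AWS key pair in it is the placeholder pair from the AWS documentation, not a live credential, and the entropy threshold is a heuristic chosen for this demo.

```python
"""Scanner for the API-key-in-a-repository problem above: finds AWS access key
IDs by their fixed shape and other hard-coded secrets by variable name plus
string entropy, the two techniques secret-scanning tools combine.

Added example. SAMPLE_SOURCE is constructed; the AWS key pair in it is the
placeholder pair from the AWS documentation, not a real credential.
"""
import math
import re

# Long-term AWS access key IDs start with AKIA, temporary (STS) ones with ASIA,
# followed by 16 upper-case alphanumerics.
AWS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")

# A secret-looking variable name assigned a quoted literal of 16+ characters.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)(secret|token|password|passwd|api[_-]?key)\w*\s*[=:]\s*['\"]([^'\"]{16,})['\"]"
)


def shannon_entropy(s):
    """Bits of entropy per character; random keys score high, placeholders low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(secret):
    """Never echo the whole value into a log or ticket; keep only a short prefix."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(text, entropy_threshold=4.0):
    """Return (line_number, rule, redacted_value) for every suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append((lineno, "aws-access-key-id", redact(m.group(0))))
        m = SECRET_ASSIGNMENT.search(line)
        # The entropy gate keeps obvious placeholders out of the findings.
        if m and shannon_entropy(m.group(2)) >= entropy_threshold:
            findings.append((lineno, "high-entropy-secret", redact(m.group(2))))
    return findings


# Constructed file content. The two AWS values are the documentation placeholders
# and db_password is a low-entropy placeholder that should not be reported.
SAMPLE_SOURCE = """\
import boto3
# settings copied into the repo by mistake
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "change-me-change-me"
client = boto3.client("s3", region_name="us-east-1")
"""

if __name__ == "__main__":
    for lineno, rule, value in scan_text(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {value}")
```

Run as a pre-commit hook or CI step, a scanner like this catches the key before it reaches a public repository; if a key has already been pushed, the only safe response is to rotate it, since mirrors and clones will have captured the commit.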
| Attack Method | Target | Prevention | Detection | Impact |
|---|---|---|---|---|
| Credential Phishing | Admin passwords | MFA, security training | Login anomaly detection | Full account takeover |
| API Key Exposure | Service account keys | Secret scanning, vault | CSPM tools | Unauthorized resource usage |
| SIM Swap | SMS-based MFA | FIDO2 hardware keys | Carrier notifications | MFA bypass |
| Token Theft | OAuth/JWT tokens | Short token TTL, rotation | Token anomaly detection | Session hijacking |
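The "Detection" column of the table above (login anomaly detection, token anomaly detection) and the cloud-forensics note later on this page both depend on the same thing: audit logging such as CloudTrail enabled ahead of time. The following is an added example, not code from the page or from AWS: detection rules run over constructed CloudTrail-style records for a password-guessing burst, a console login without MFA, a login from an IP the user has never used, and an access key created from that same unfamiliar IP. The records follow the field layout of real CloudTrail ConsoleLogin and IAM events (eventName, eventTime, sourceIPAddress, userIdentity.userName, additionalEventData.MFAUsed, responseElements.ConsoleLogin); KNOWN_IPS is an assumed per-user baseline that a real deployment would learn from history, and the addresses are from the RFC 5737 documentation ranges.

```python
"""Detection rules over CloudTrail-style records for the account-hijacking
methods in the table above.

Added example. Records are constructed but use real CloudTrail field names;
KNOWN_IPS is an assumed baseline of each user's usual source addresses.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Events that extend or entrench access; from an unfamiliar IP they are a classic
# sign that a stolen credential is being turned into persistent access.
PRIVILEGE_EVENTS = {"CreateAccessKey", "CreateUser", "AttachUserPolicy", "CreateLoginProfile"}


def _ts(event):
    return datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))


def detect(events, known_ips, fail_threshold=5, window=timedelta(minutes=10)):
    """Return alerts as dicts (user, rule, ip) in event-time order."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of failed console logins
    for ev in sorted(events, key=_ts):
        user = ev["userIdentity"].get("userName", "<unknown>")
        ip = ev["sourceIPAddress"]
        baseline = known_ips.get(user, set())
        name = ev["eventName"]

        if name == "ConsoleLogin":
            if ev.get("responseElements", {}).get("ConsoleLogin") == "Failure":
                # Many failures in a short window: brute force or credential stuffing.
                now = _ts(ev)
                failures[user].append(now)
                recent = [t for t in failures[user] if now - t <= window]
                if len(recent) == fail_threshold:  # alert once, when the threshold is crossed
                    alerts.append({"user": user, "rule": "repeated-login-failures", "ip": ip})
                continue
            # Successful login: check MFA and whether the source is new for this user.
            if ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                alerts.append({"user": user, "rule": "console-login-without-mfa", "ip": ip})
            if ip not in baseline:
                alerts.append({"user": user, "rule": "login-from-unknown-ip", "ip": ip})
        elif name in PRIVILEGE_EVENTS and ip not in baseline:
            alerts.append({"user": user, "rule": f"{name}-from-unknown-ip", "ip": ip})
    return alerts


def _login(user, ip, time, ok=True, mfa="Yes"):
    """Build a constructed ConsoleLogin record in CloudTrail's field layout."""
    return {
        "eventName": "ConsoleLogin", "eventTime": time, "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user},
        "additionalEventData": {"MFAUsed": mfa},
        "responseElements": {"ConsoleLogin": "Success" if ok else "Failure"},
    }


# Assumed baseline: addresses each user normally logs in from.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.11"}}

# Constructed timeline: alice behaves normally; bob's account is guessed at,
# then logged into without MFA from a new address, which then mints a key.
SAMPLE_EVENTS = (
    [_login("alice", "203.0.113.10", "2024-05-01T08:00:00Z")]
    + [_login("bob", "198.51.100.7", f"2024-05-01T08:1{i}:00Z", ok=False) for i in range(5)]
    + [
        _login("bob", "198.51.100.7", "2024-05-01T08:16:00Z", mfa="No"),
        {"eventName": "CreateAccessKey", "eventTime": "2024-05-01T08:17:00Z",
         "sourceIPAddress": "198.51.100.7",
         "userIdentity": {"type": "IAMUser", "userName": "bob"},
         "requestParameters": {"userName": "bob"}},
    ]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, KNOWN_IPS):
        print(alert)
```

None of these rules fire on the events alone: the failure burst needs a time window, and the MFA and new-IP rules need the per-user baseline, which is why the forensics note's advice to enable logging before an incident matters. A successful login with MFAUsed "Yes" from a known address produces nothing, so the noise stays low enough for a SOC to act on every alert.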
4. VM Escape / Hypervisor Attacks: in IaaS, multiple virtual machines share the same physical hardware via a hypervisor. A VM escape occurs when malicious code in one VM breaks out of its isolation boundary and reaches the hypervisor or other VMs on the same host:
- Exploits vulnerabilities in the hypervisor software (VMware, KVM, Hyper-V)
- Allows attacker to read memory from other VMs (cross-tenant attacks)
- Mitigation: Hypervisor patching, hardware isolation (Intel TXT, AMD SEV)
5. Denial of Service Targeting Cloud Services: cloud-hosted services are prime DDoS targets:
- Volumetric attacks: Flood bandwidth with traffic (hundreds of Gbps)
- Resource exhaustion: exhaust cloud auto-scaling limits, generating enormous cost for the victim (called "Denial of Wallet")
- Application-layer attacks: Target specific application endpoints
6. Data Loss and Insecure Data Deletion
- Accidental deletion of cloud data without backups
- Provider insolvency or service shutdown
- Inadequate data wiping when decommissioning cloud resources
- In shared environments, data remnants may be accessible to subsequent tenants (though cloud providers use secure deletion practices)
---
Cloud Security Responsibility Model
The Shared Responsibility Model defines which security responsibilities belong to the provider and which to the customer:
| Security Domain | Public Cloud Provider | Customer | Standard |
|---|---|---|---|
| Physical security | ✅ Provider | — | SOC 2 Type II |
| Network infrastructure | ✅ Provider | Partially | ISO 27001 |
| Hypervisor/virtualization | ✅ Provider | — | CSA STAR |
| OS patching | Shared (IaaS: customer) | ✅ IaaS customer | CIS Benchmarks |
| Application security | — | ✅ Customer | OWASP Top 10 |
| Data encryption | Tools provided | ✅ Customer decides | FIPS 140-2 |
| Identity and access | Tools provided | ✅ Customer configures | NIST 800-63 |
| Compliance | Certified environments | ✅ Customer's responsibility | GDPR, HIPAA |
---
Study Deep: Cloud Security in Depth
- The "lift and shift" fallacy: many organizations migrate on-premises workloads to the cloud without redesigning for cloud security. On-premises security assumptions (e.g., "the firewall protects everything") don't hold in the cloud. Cloud requires a fundamentally different security model: identity-centric, API-first, with network microsegmentation.
- Cloud misconfigurations are the #1 cloud breach cause: According to Gartner, through 2025, 99% of cloud security failures will be the customer's fault (misconfiguration, not provider breach). Tools like CSPM (Cloud Security Posture Management) — AWS Security Hub, Microsoft Defender for Cloud, Prisma Cloud — automatically scan for misconfigurations.
- Serverless creates new security challenges: Function-as-a-Service (FaaS) eliminates server management but introduces new risks: excessive permissions on Lambda functions, injection attacks through event data, dependency vulnerabilities in third-party libraries. Traditional security tools often cannot monitor serverless execution.
- Cloud forensics is challenging: When an incident occurs in the cloud, digital forensics becomes complicated. Virtual machines can be terminated (destroying evidence), logs may not be configured, and investigators may have limited access to underlying hardware. Cloud providers offer forensic-friendly services (CloudTrail, Azure Monitor) but customers must enable them proactively.
- Multi-cloud increases complexity: Most enterprises use multiple cloud providers. Each has different security controls, APIs, and compliance tools. Security teams must maintain expertise across AWS, Azure, and GCP simultaneously, and visibility tools must span all environments to prevent blind spots.
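The serverless note above names "injection attacks through event data" as a FaaS-specific risk: the function's only input is the event, and whatever is in it arrives untrusted. The following is an added example, not code from the page or from any cloud provider, showing a vulnerable Lambda-style handler beside a hardened one. The event follows the API Gateway proxy-integration shape (queryStringParameters); the orders table is an in-memory SQLite stand-in for whatever datastore the function would query, and both handlers take the connection as a parameter so the example runs offline.

```python
"""Vulnerable and hardened serverless handlers for the event-data injection
risk described above.

Added example. Event shape follows API Gateway's proxy integration; the data
and the SQLite connection are constructed stand-ins.
"""
import re
import sqlite3


def demo_db():
    """Constructed sample data the handlers query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, total REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(1, "alice", 10.0), (2, "bob", 25.5), (3, "carol", 7.25)])
    return conn


def vulnerable_handler(event, conn):
    """Splices event data straight into SQL: a value such as ' OR '1'='1 turns a
    single-customer lookup into a dump of every row."""
    customer = event["queryStringParameters"]["customer"]
    query = f"SELECT id, total FROM orders WHERE customer = '{customer}'"
    return {"statusCode": 200, "body": conn.execute(query).fetchall()}


# Allow-list for the only shape a customer identifier can legitimately have.
CUSTOMER_RE = re.compile(r"[a-z0-9_]{1,32}")


def hardened_handler(event, conn):
    """Validates the event field against an allow-list, then binds it as a query
    parameter so the database never interprets it as SQL."""
    params = event.get("queryStringParameters") or {}
    customer = params.get("customer")
    if not isinstance(customer, str) or not CUSTOMER_RE.fullmatch(customer):
        return {"statusCode": 400, "body": "invalid customer parameter"}
    rows = conn.execute(
        "SELECT id, total FROM orders WHERE customer = ?", (customer,)
    ).fetchall()
    return {"statusCode": 200, "body": rows}


# Constructed events: one crafted value and one normal request.
INJECTION_EVENT = {"queryStringParameters": {"customer": "' OR '1'='1"}}
NORMAL_EVENT = {"queryStringParameters": {"customer": "alice"}}

if __name__ == "__main__":
    conn = demo_db()
    print("vulnerable:", vulnerable_handler(INJECTION_EVENT, conn)["body"])
    print("hardened:  ", hardened_handler(INJECTION_EVENT, conn))
    print("hardened:  ", hardened_handler(NORMAL_EVENT, conn))
```

The hardened version also tolerates a missing query string (API Gateway sends null when there are no parameters), which the vulnerable one would crash on. The same two habits, validate every event field against an allow-list and use parameterised APIs, apply whether the event comes from API Gateway, an S3 notification, or a queue; and the execution role should be scoped to the one table the function needs, so that even a successful injection cannot reach other data, which is the excessive-permissions point made in the same note.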
Exam Tip: Cloud security topics focus on: (1) Shared Responsibility Model (know what provider vs customer manages), (2) Data breach causes (misconfiguration is #1), (3) VM escape / hypervisor attacks (IaaS-specific), (4) Account hijacking via credential theft. The OWASP Cloud Top 10 risks are also exam-relevant.