Hey, You. Get Off of My Cloud

July 31, 2017


A large corporation had great expectations for their next digital advertising campaign. This time, they wanted to try cloud technology. So, they signed up with Amazon Web Services (AWS). Because it was the cloud, their IT experts architected and deployed the system for the campaign in record time. They even set up an administrative console which let them monitor all aspects of the cloud computing environment. In case the campaign turned out to be a huge success, they turned on auto-scale to handle spikes in Internet traffic. Corporate management was ecstatic because they could launch a campaign with a click.

As advertising started and gained traction, the cloud resources scaled up from 8 servers, to 10 servers, to 15 servers.  Everything ran within normal performance parameters. Soon, network administrators noticed that the system had auto-scaled to 50 servers and was growing at an alarming rate.  All telemetry indicated that processor usage was abnormally high and outbound network bandwidth usage was growing rapidly as well.  Excited administrators thought the ads must be working really, really well.  At 250 servers something started to seem fishy.  The corporation’s administrators logged in to their virtual servers and found an unknown process running.  It was consuming 100% of their virtual processing resources.

This is when the corporation’s IT group contacted Check Point’s Incident Response Team.  In minutes, the incident response team determined that instead of running advertising workloads, their cloud resources were running g a rogue process that was mining bitcoins and serving as a node for bots doing denial of service attacks. They found all 250 servers were running this criminal process.  The team located the point of compromise in the web administration console.  The console, in the cloud, was exposed to the Internet with no intervening security such as a firewall or intrusion-prevention system.

By the time they shut down all servers and remediated the malware running the rogue process, the corporation incurred over $500k in costs.  The campaign brought in no revenue and the costs of the cloud services exceeded campaign’s budget.

Lessons Learned

The cloud is as risky to use as any other network.  All normal security controls must be deployed in a cloud just as in an enterprise IT network.



  • Check Point Research Publications
  • Global Cyber Attack Reports
  • Threat Research
February 17, 2020

“The Turkish Rat” Evolved Adwind in a Massive Ongoing Phishing Campaign

  • Check Point Research Publications
August 11, 2017

“The Next WannaCry” Vulnerability is Here

  • Check Point Research Publications
January 11, 2018

‘RubyMiner’ Cryptominer Affects 30% of WW Networks