hamburger icon close icon
Cloud Security Solutions

Cloud Malware: 5 Types of Attacks and 3 Security Measures

February 16, 2021

Topics: Cloud Insights Elementary5 minute read

What is Cloud Malware?

Cloud security is complex. While cloud providers take responsibility for security of the infrastructure they manage, cloud users are responsible for configuring cloud security correctly, and securing their applications and workloads.

Misconfiguration and lack of security at the application level can lead to many security issues, and one of the most severe is malware infection in your cloud computing environment.

Malware in the cloud is a relatively new phenomenon, but cybercriminals quickly realized that cloud systems are an ideal media for spreading malware. Cloud-based systems are:

  • Typically open to the Internet.
  • Standardized and easy to learn for an attacker.
  • Composed of a large number of entities, like virtual machines (VMs), containers or storage buckets, each of which can be a weak link for attackers to exploit.

In this article, you will learn:

The Rise of Cloud Malware

Studies show that nearly 90% of organizations are more likely to experience data breaches as cloud usage increases. Just like in the traditional data center, many of these breaches are performed with the assistance of malware. Cloud adoption and the risks associated with it are more common than ever, and so cloud security is becoming critical for any organization.

According to a survey by Netskope, businesses use an average of 1,181 cloud services, but 92.7% of them are not secured or not ready for enterprise needs. Malware on cloud systems can survive system cleanups, can spread to collaborators on a cloud system, whether they are employees, partners or contractors, and can threaten sensitive data stores connected to the infected system.

5 Types of Cloud Malware Attacks

Here are several common attacks that involve the use of cloud malware.

DDoS Attacks

Large-scale botnets, composed of millions of compromised devices, are becoming widely available to attackers. Threat actors are offering botnets as a service for low prices, lowering the barrier of entry to anyone who wants to wage a DDoS attack.

In the cloud, a DDoS attack against your organization or any of your “neighbours” in the public cloud can affect the entire “neighborhood”, and the underlying cloud infrastructure. In addition, there is a constant risk that unattended VMs or containers will be compromised by attackers, and your cloud computing resources will be used for criminal activity.

Hypercall Attacks

In a hypercall attack, an attacker compromises an organization’s VMs using the hypercall handler. This is part of the virtual machine manager (VMM), deployed on every cloud machine in services like Amazon EC2. The attack grants attackers access to VMM permissions, and in some cases lets them execute malicious code on the VM.

Hypervisor DoS

A hypervisor attack is an attack in which an attacker exploits the hypervisor, which controls multiple VMs on a virtual host. When the hypervisor is infected, malware can affect any of the VMs running on the host.

One possible consequence of an infected hypervisor is that virtual machine resource usage increases, resulting in denial of service to the entire host or even multiple hosts. Because hosts are typically interconnected, and do not always require authentication to connections from another host, they can easily infect other hosts, making the problem much more serious.


A hyperjacking attack is an attempt by an attacker to take control of the hypervisor, using a rootkit installed on a virtual machine. If the attacker is successful, they gain access to the entire host, and are able to modify the behavior of virtual machines, cause damage to running VMs, and even run new VMs for malicious activity.

Exploiting Live Migration

Attackers have learned that migration to the cloud or between clouds represents a major opportunity. When the organization performs an automated live migration, attackers can compromise the cloud management system, and manipulate it in several ways:

  • Create multiple fake migrations, which becomes a DoS attack
  • Migrate resources to a virtual network or cloud subscription under the attacker’s control
  • Make changes to migrated systems to make them vulnerable to future attacks

3 Ways to Keeps your Cloud Malware-Free

Here are several ways you can help keep cloud systems clean.

Employee Education

Many cloud malware incidents are a result of insufficient awareness of risk by operators and administrators. Extensive training can increase awareness of common security risks and teach correct behavior. Therefore, employees responsible for cloud systems should participate in regular training sessions on cloud security, network security and enterprise application management.

When security becomes part of the corporate culture, and employees are informed of the latest cloud security risks, there is a much lower chance for carelessness or negligence.

Strengthen Access Control

Traditional security practices are not enough to prevent cloud-based attacks. In the cloud, security should be based on a “zero trust” model. This means the organization assumes a breach and secures all access to cloud systems, whether by users or from other integrated systems.

  • Multi-factor authentication—helps prevent account takeover, by requiring at least two authentication methods, one of which must be physically possessed by the user.
  • Least privilege—both users and integrated systems should only have access to resources they really need, and should have the exact level of permission they require for their role.

Contain the Spread of Viruses with User Segmentation

An effective way to contain the spread of malware in the cloud is to use network segmentation. This limits malicious software or threat actors to a small segment of the network. If network segmentation is not implemented, simple actions like synchronizing of cloud application folders will upload malware to cloud storage and expose it to all users accessing the same application.

However, segmentation is not perfect—attackers can break network segmentation using a technique called “cloud hopping”—leveraging their access to a cloud application to take control of other user accounts, who may have access to other segments of the network.

Cloud Security with NetApp Cloud Insights

NetApp Cloud Insights is an infrastructure monitoring tool that gives you visibility into your complete infrastructure. With Cloud Insights, you can monitor, troubleshoot and optimize all your resources including your public clouds and your private data centers.

Cloud Insights helps you find problems fast before they impact your business. Optimize usage so you can defer spend, do more with your limited budgets, detect ransomware attacks before it’s too late and easily report on data access for security compliance auditing.

In particular, NetApp Cloud Insights protects organizational data from being misused by malicious or compromised users, through advanced machine learning and anomaly detection.

New call-to-action