Worms are a primary threat to cloud services. They exploit server vulnerabilities to spread across networks and perform malicious actions that severely threaten your assets and business. Cloud Firewall provides a layered defense against the worm attack chain, detecting and blocking a wide range of worms and their variants. Cloud Firewall also updates its detection and interception capabilities in real time based on the evolving cloud threat landscape to defend against the latest worms. This topic describes how Cloud Firewall defends against worms.
Threats of worms
Worms can cause the following types of damage:
- Service interruption: After infecting a host, a worm can modify configurations or stop services, leading to server downtime and business disruption.
- Data theft: Worms designed for information theft can package and exfiltrate data from your servers, which can lead to a serious data breach and resource abuse.
- IP blocking: The high volume of packets sent during a worm's propagation can cause regulatory bodies to block your IP addresses, resulting in a direct service outage.
- Ransom: Worms with ransom capabilities encrypt your files and demand payment, which can result in financial loss or permanent data loss.
Cloud Firewall solution
Cloud Firewall provides a layered defense against the worm attack chain by detecting and blocking various worms and their variants. It also updates and expands its capabilities in real time based on the cloud threat landscape to defend against the latest worms.
Typical worms include:
- DDG: Spreads by exploiting Redis vulnerabilities and using brute-force attacks. After infection, it uses the host's computing resources for mining.
- WannaCry: Spreads by exploiting Windows vulnerabilities. After infection, its primary purpose is to demand a ransom.
- BillGates: Spreads through brute-force attacks and application vulnerabilities. After infection, it builds a botnet to launch DDoS attacks.
Case study: The DDG worm
DDG is an active worm that primarily spreads by exploiting Redis vulnerabilities and launching brute-force attacks. The worm adds infected hosts to a botnet to mine cryptocurrency.
Systems affected by DDG
- Servers that use weak SSH passwords.
- Redis or other database servers with vulnerabilities.
Primary threats of the DDG worm
- Service interruption: Hosts infected with the DDG worm are primarily used for mining. Mining consumes significant computing resources, which can make services unavailable or disrupt normal business operations.
- IP blocking: After infection, the DDG worm attempts to spread further, which can lead to your IP addresses being blocked by regulatory bodies.
Defense against the DDG attack chain
Cloud Firewall provides real-time detection and defense against the DDG attack chain, disrupting the worm's entire attack and propagation.
The following figure shows the Cloud Firewall defense architecture against the DDG attack chain:
Cloud Firewall provides the following four types of defense:
- Whitelist: The intrusion prevention system (IPS) module does not block traffic from source or destination IP addresses on the whitelist, as they are considered trusted.
- Threat Intelligence: Cloud Firewall uses threat intelligence to block malicious scanning, reconnaissance, and intrusion attempts.
- Basic Rules: Detects malware and intercepts malicious communication, including communication with backdoor or command and control (C&C) servers.
- Virtual Patching: Provides virtual patches that offer real-time protection against popular, high-risk application vulnerabilities.
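To make the whitelist precedence concrete, the following is a simplified model of the four layers above. It is an added example, not Cloud Firewall's own code; the evaluation order after the whitelist, and every address and signature in it, are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Verdict:
    action: str  # "allow" or "block"
    layer: str   # which defense layer produced the decision
# Constructed demo policy data; none of these are real indicators or signatures.
WHITELIST = [ip_network("10.20.0.0/16")]                    # trusted address book
THREAT_INTEL = {"203.0.113.7"}                              # "known scanner" source
CNC_SERVERS = {"198.51.100.9"}                              # "known C&C" destination
VIRTUAL_PATCHES = {"VP-DEMO-0001": b"DEMO_EXPLOIT_MARKER"}  # constructed exploit signature

def _whitelisted(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in WHITELIST)

def evaluate(src: str, dst: str, payload: bytes = b"", use_whitelist: bool = True) -> Verdict:
    """Whitelist first: if source OR destination is whitelisted, no IPS layer below
    (threat intelligence, basic rules, virtual patching) gets to block the flow."""
    if use_whitelist and (_whitelisted(src) or _whitelisted(dst)):
        return Verdict("allow", "whitelist")
    if src in THREAT_INTEL:                      # scanning / reconnaissance source
        return Verdict("block", "threat_intelligence")
    if dst in CNC_SERVERS:                       # infected host calling home
        return Verdict("block", "basic_rules")
    for patch_id, signature in VIRTUAL_PATCHES.items():
        if signature in payload:                 # exploit attempt against a known bug
            return Verdict("block", f"virtual_patching:{patch_id}")
    return Verdict("allow", "default")

def whitelist_bypasses(flows):
    """Audit aid: flows the whitelist exempts that another layer would have blocked."""
    return [f for f in flows
            if evaluate(*f).layer == "whitelist"
            and evaluate(*f, use_whitelist=False).action == "block"]
# Constructed sample flows: (source, destination, payload)
SAMPLE_FLOWS = [
    ("203.0.113.7", "192.0.2.10", b""),                        # scanner -> threat intel blocks
    ("192.0.2.10", "198.51.100.9", b""),                       # C&C beacon -> basic rules block
    ("192.0.2.11", "192.0.2.10", b"..DEMO_EXPLOIT_MARKER.."),  # exploit -> virtual patch blocks
    ("10.20.1.5", "198.51.100.9", b""),                        # whitelisted src -> C&C allowed
    ("203.0.113.7", "10.20.1.5", b""),                         # scanner -> whitelisted dst allowed
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow[0], "->", flow[1], evaluate(*flow))
    print("whitelist exempts", len(whitelist_bypasses(SAMPLE_FLOWS)), "flows another layer would block")
```

The last two sample flows show why the whitelist should stay narrow: a whitelisted source talking to a C&C server, or a scanner hitting a whitelisted destination, is never inspected by the other three layers.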
Procedure
- Log on to the Cloud Firewall console.
- In the left-side navigation pane, choose .
- On the Internet Border tab, select Block-Loose for Threat Engine Mode.
- Click Allowlist and add trusted IP addresses or an address book to the whitelist to cover both inbound and outbound traffic.
- On the Basic Protection, Virtual Patching, and Threat Intelligence tabs, turn on the switch for each to enable its protection.
For details on configuring intrusion prevention system (IPS) policies, see IPS Configuration.