Symantec has warned that infrastructure-as-a-service (IaaS) clouds such as Microsoft Azure are vulnerable to attacks even from unskilled hackers.
A recent investigation by the security vendor showed that unsecured cloud "buckets" used for storing data could be accessed without the need for login details so long as the hacker could guess the right web address.
This was done by writing a script capable of guessing the domain names, even though there was no central listing of all the domain prefixes for the given cloud provider.
Candid Wueest, threat research at Symantec, said in their research that: "Not all of the accessible data blobs contained sensitive information. Some files were just images or public html files."
However he added that one particular file was uncovered from a payment processor company which turned out to be a database backup that included credit card logs, user IDs, email addresses and passwords.
Such data could then be sold on cybercrime forums for use by fraudsters and other hackers.
"Our research has proven that this attack method is highly feasible and the sensitive data that was uncovered is real, indicating that this is not just a hypothetical attack scenario," Wueest said.
Content from our partners
"The problems illustrated in this research are not isolated to just one single cloud service provider. Similar attacks could be carried out against other cloud infrastructures."
Cloud customers are advised to take the time to understand their product settings in order to avoid falling prey to similar cyberattacks, as well as keep an event log to monitor who is accessing the service.
