Skip to main content

Hackers in the Clouds

By: James Azar

Never take your eyes off your computer. Many cyber security enthusiasts and ‘worriers’ feel similar; once your computer has been handled by someone other than you, it’s never the same, nor can you necessarily believe that it hasn’t somehow been infected. 

Unfortunately, the security company Eclypsium have demonstrated, quite conclusively, that the same now applies to cloud servers. 


Researchers from Eclypsium tested out the strength of IBMs firmware by renting an IBM  server from a cloud computing provider. They were able to modify the firmware and successfully hide changes to the code.

In prior studies, Eclypsium showed that a corrupted BMC(baseboard management controller) can be used to rewrite the firmware of other components, or to neutralize their safeguarding abilities and allow room for a ransomware attack.

They didn’t make any dangerous alterations in the test phase to IBM servers firmware but claim that they can, with the same method plant persistent malware in servers' hidden code. 

How they did it:

Eclypsium rented an IBM bare metal cloud server, where a client rents an entire computer, usually to improve performance, in situations like video conference hosting or payment processors and then made an innocuous alteration to the BMC's firmware.

The infected bare metal cloud server, was then put back into IBM’s rentals. A few hours later, they were able to rent multiple servers and identify the same machine through serial numbers. 

They found that the BMC firmware modification remained.

For a true hacker this would open the door to multiple cybercrimes including spying, seek and destroy capabilities and server alterations. 

As many companies rely on public cloud services, according to Yuriy Bulygin, Eclypsium's creator, they are severely exposing themselves, also the realization that the equipment can still be infected, if the service provider of the cloud services cannot thoroughly root through the hardware.

However, the researchers were quick to point out, not all cloud servers are affected. The vulnerability lies in bare metal servers. This basically allows the hackers to alter components so that the next renter will have a malware infection. 

They haven’t started with the other servers..yet.

IBM say LOL to the findings

In response, IBM stated that this vulnerability is low and that regardless, they erased the BMC firmware servers between clients, basically trying to downplay the security vulnerability.  

IBM claimed all logs are completely wiped, inclusive of passwords, which are then renewed. In response, and not allowing IBM to get off the hook quite so fast, the researchers claim they can still penetrate, suggesting either that the IBM fix hasn’t worked or simply hasn’t happened yet.  

This sort of research posits firmware as the new frontier in cyber security, as when the hackers can secure a foot into the firmware, they have the ability to bypass antivirus and full computer wipes.  Dangerous malicious firmware and cloud server vulnerability is something that Eclypsium has demonstrated that we all have to get used to. 

For cyber security professionals, enthusiasts, and hobbyists alike, check out the CyberHub Engage YouTube Channel for daily content.