Cisco discovers malware campaign using Azure and AWS to spread Nanocore, Netwire and AsyncRATs

A campaign that uses public cloud service providers to spread malware has been discovered by Cisco Talos. The offensive is the latest example of threat actors abusing cloud services like Microsoft Azure and Amazon Web Services for malicious purposes, security researchers Chetan Raghuprasad and Vanja Svajcer wrote in the Talos blog.

To camouflage their activity, the researchers noted, the hackers used the DuckDNS dynamic DNS service to change the domain names of the command-and-control hosts used for the campaign, which started distributing variants of Nanocore, Netwire, and AsyncRATs to targets in the United States, Italy and Singapore around October 26. Those variants are packed with multiple features to take control of a target’s computer, allowing the attacker to issue commands and steal information.

Attack begins with phishing email containing poisoned ZIP file

The researchers found that the initial infection vector for the attackers is a phishing email with a poisoned ZIP archive. The archive contains an ISO image with a malicious script. When the script executes, it connects to a server, which is typically hosted on Azure or AWS, to download the next stage of the malware.

“Threat actors are increasingly using cloud technologies to achieve their objectives without having to resort to hosting their own infrastructure,” the researchers wrote. “These types of cloud services like Azure and AWS allow attackers to set up their infrastructure and connect to the internet with minimal time or monetary commitments. It also makes it more difficult for defenders to track down the attackers’ operations.”

Attack not new, but underscores risk of public cloud

Using someone else’s infrastructure for command-and-control of malware isn’t a new practice, observes Oliver Tavakoli, CTO of Vectra, a provider of automated threat management solutions.
“In the pre-cloud days, this approach involved breaking into someone’s compute infrastructure and hosting malware distribution and C2 communication from there,” he says. “In the age of public clouds, you can just rent the compute in a pool that has a murky reputation and cannot easily be blacklisted.”

“Threat actors use well-known cloud services in their campaigns because the public passively trusts big companies to be secure,” adds Davis McCarthy, a principal security researcher at Valtix, a provider of cloud-native network security services. “Network defenders may think communications to an IP address owned by Amazon or Microsoft is benign because those communications occur so frequently across a myriad of services.”

McCarthy recommends that to guard against CSP-based attacks, organizations should create an inventory of known cloud services and their network communication behaviors.

Continuous monitoring of network activity against a baseline is key to identifying risks that open an organization to these kinds of campaigns, adds Eric Kedrosky, CISO of Sonrai Security. He also advised, “Don’t rely on old controls (things like firewalls, anti-virus, and such) as they aren’t as effective in the cloud.”

“An organization should have visibility into all the identities in its cloud, especially the non-human ones and the permissions that each and every one has,” Kedrosky says. “It’s fundamental to lock down who and what has access to your cloud services and what they can do with them.
If an attacker gets a hold of an over-permissioned identity, they can effectively use your cloud against you and it will be nearly impossible to detect.”
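To make the inventory-and-baseline advice above concrete, here is an added example (written for this article; it is not Talos, Valtix or Sonrai code) that compares outbound connection records against an inventory of approved cloud services. The log format, the inventory contents, the list of dynamic DNS providers and the sample records are all constructed for the example. It flags three things the campaign description makes relevant: destinations under a dynamic DNS provider such as DuckDNS, cloud-provider destinations that are not in the inventory (traffic to Azure or AWS is not benign just because it is frequent), and inventoried services contacted on a port the baseline does not list.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Inventory of approved cloud services: hostname suffix -> ports normally used.
# Constructed for this example; in practice it comes from the organisation's own records.
APPROVED_SERVICES = {
    "blob.core.windows.net": {443},
    "s3.amazonaws.com": {443},
    "login.microsoftonline.com": {443},
}

# Suffixes that mark traffic as going to a large cloud provider at all. Such traffic is
# not automatically benign: the campaign's download servers sit on Azure and AWS.
CLOUD_PROVIDER_SUFFIXES = ("amazonaws.com", "windows.net", "azure.com", "azurewebsites.net")

# Dynamic DNS providers; the campaign used DuckDNS to rotate its C2 hostnames.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org",)

# Constructed proxy/DNS log lines: "<timestamp> <source host> <destination host> <port> <bytes>"
SAMPLE_LOGS = """
2022-01-12T09:01:12Z ws-042 storage1.blob.core.windows.net 443 18211
2022-01-12T09:03:55Z ws-042 login.microsoftonline.com 443 5120
2022-01-12T09:07:03Z ws-017 backup.s3.amazonaws.com 443 90211
2022-01-12T09:07:41Z ws-017 ab12cd.duckdns.org 443 1024
2022-01-12T09:08:02Z ws-017 ab12cd.duckdns.org 443 87231
2022-01-12T09:09:30Z ws-093 vm-3381.eastus.cloudapp.azure.com 8080 66010
2022-01-12T09:10:00Z ws-055 storage1.blob.core.windows.net 8443 2000
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")


@dataclass(frozen=True)
class Connection:
    timestamp: str
    src: str
    dst: str
    port: int
    nbytes: int


def parse_logs(text):
    """Parse the constructed log format above into Connection records."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        ts, src, dst, port, nbytes = m.groups()
        conns.append(Connection(ts, src, dst.lower().rstrip("."), int(port), int(nbytes)))
    return conns


def _has_suffix(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def _approved_ports(host):
    """Ports from the inventory for this host, or None if the host is not inventoried."""
    for suffix, ports in APPROVED_SERVICES.items():
        if host == suffix or host.endswith("." + suffix):
            return ports
    return None


def classify(conn):
    """Return why a connection deviates from the baseline, or None if it matches it."""
    if _has_suffix(conn.dst, DYNAMIC_DNS_SUFFIXES):
        return "dynamic-dns-destination"
    ports = _approved_ports(conn.dst)
    if ports is None:
        if _has_suffix(conn.dst, CLOUD_PROVIDER_SUFFIXES):
            return "unapproved-cloud-destination"
        return "unknown-destination"
    if conn.port not in ports:
        return "unexpected-port"
    return None


def detect(text):
    """Return (src, dst, port, reason) for every connection outside the baseline."""
    findings = []
    for conn in parse_logs(text):
        reason = classify(conn)
        if reason is not None:
            findings.append((conn.src, conn.dst, conn.port, reason))
    return findings


def triage(findings):
    """Group findings by source host so each endpoint needing a look is listed once."""
    by_host = defaultdict(set)
    for src, dst, port, reason in findings:
        by_host[src].add((dst, port, reason))
    return {src: sorted(items) for src, items in sorted(by_host.items())}


if __name__ == "__main__":
    for src, items in triage(detect(SAMPLE_LOGS)).items():
        for dst, port, reason in items:
            print(f"{src}: {dst}:{port} -> {reason}")
```

Run on the sample records, the script singles out ws-017 for its DuckDNS destination, ws-093 for an Azure host that is not in the inventory, and ws-055 for reaching an approved storage endpoint on a port the inventory does not list; the approved blob, S3 and Microsoft login traffic produces nothing. The suffix-based inventory is deliberately simple: a production version would key on resolved IP ranges and per-source expectations as well, but the structure (inventory first, deviation second) is the point McCarthy and Kedrosky make.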