Malware operators are increasingly exploiting legitimate cloud services for malicious campaigns, as detailed in a report by Fortinet’s FortiGuard Labs. This trend involves using cloud servers for command and control (C2) operations, which allows for persistent communication with compromised devices and complicates efforts by defenders to interrupt attacks. The shift to cloud-based operations represents a significant evolution in the threat landscape, making it crucial for organizations to enhance their cloud security measures.
FortiGuard Labs’ report highlights several examples of how this strategy is being implemented. Remote access Trojans (RATs) like VCRUMS are hosted on Amazon Web Services (AWS), while crypters such as SYK Crypter are distributed through services like DriveHQ. Additionally, the report notes that threat actors are exploiting vulnerabilities in various devices, including JAWS webservers and several router models, to amplify their attacks.
The researchers identified three specific malware strains using cloud services to enhance their impact. The new strain, named ‘Skibidi,’ targets vulnerabilities in TP-Link Archer AX21 Wi-Fi routers and Ivanti Connect Secure products. Other strains include Condi, which uses the same router vulnerability for DDoS attacks, and Unstable, a variant of the Mirai botnet that exploits old vulnerabilities in JAWS Webserver to launch similar attacks.
FortiGuard Labs underscores the need for robust cloud security defenses as cybercriminals continue to leverage cloud services for their operations. Organizations are advised to implement a multi-layered security approach, including regular patching, updates, and network segmentation, to protect critical assets and mitigate potential breaches from these evolving threats.
Reference:
