Cloud security is as important as ever as more and more services are moved to the cloud. Unfortunately misconfigured servers still exist, regardless of where they are located. A simple Google search (no Shodan required) is all it takes to find unsecured S3 buckets, which can be treasure troves of information. Let’s be real though, that type of find is low-hanging fruit that any script kiddie or automated tool can find. There’s something far more sophisticated lurking in the cloud and there’s a good chance a nation state is behind it.
Researchers over at SophosLabs announced the discovery of Cloud Snooper this week. They were looking into infected cloud servers hosted by Amazon Web Services (AWS) when they noticed unusual traffic on a Linux server. The security groups (SGs), which are firewall rules designed to limit traffic to the server, were properly configured. But a rootkit and a backdoor were found on the system that allowed the adversary to bypass the firewall altogether.
It all works by piggybacking malicious packets on legitimate traffic allowed by the SGs. The attacker sends these “disguised” requests to the rootkit, where they are intercepted. The malware sends the command to the backdoor. The outbound traffic is then obfuscated in the same way, giving the adversary the ability to siphon data and execute commands. The researchers noted that because
of this technique “the C2 traffic stays largely indistinguishable from the legitimate web traffic.”
Linux servers aren’t the only ones vulnerable to Cloud Snooper – there’s also a Windows version based on the notorious Gh0st RAT. What’s worse is that it isn’t limited to cloud services either. The researchers pointed out that the technique could potentially bypass nearly any firewall. Security best practices will help to mitigate the threat, which includes keeping all security services and patches up to date, proper configuration management, and two-factor authentication.