Cloud Snooper firewall bypass may be work of nation state
Next-gen security specialist Sophos has revealed details of a sophisticated new attack known as Cloud Snooper, which enables malware on servers to communicate freely with its command and control (C2) servers through its victims’ firewalls, and may have been developed by a nation state actor.
The attack technique was uncovered by SophosLabs threat research manager Sergei Shevchenko whilst investigating a malware infection of some AWS hosted cloud servers. However, it is not an AWS-specific attack, but rather it represents a method of piggybacking C2 traffic on legitimate traffic to get past firewalls and exfiltrate data.
Cloud Snooper uses three main tactics, techniques and procedures (TTPs) in tandem. These consist of a rootkit to circumvent firewalls, a rare technique to gain access to servers while disguised as legitimate traffic – essentially a wolf in sheep’s clothing – and a backdoor payload that shares the malicious code between both Windows and Linux systems. Each of these elements has been seen before, but never yet all at once.
“This is the first time we have seen an attack formula that combines a bypassing technique with a multi-platform payload targeting both Windows and Linux systems,” said Shevchenko.
“IT security teams and network administrators need to be diligent about patching all external-facing services to prevent attackers from evading cloud and firewall security policies.
“IT security teams also need to protect against multi-platform attacks. Until now, Windows-based assets have been the typical target, but attackers are more frequently considering Linux systems because cloud services have become popular hunting grounds. It’s a matter of time before more cyber criminals adopt these techniques.”
Shevchenko said that the complexity of the attack and the use of a bespoke advanced persistent threat (APT) toolkit strongly suggested that the malware and its operators are highly advanced and possibly backed by a nation state actor.
He added that it was possible, indeed highly likely, that this specific package of TTPs would trickle down "to the lower rungs" of the cyber criminal hierarchy, and eventually form a blueprint for widespread firewall bypass attacks.
“This case is extremely interesting as it demonstrates the true multi-platform nature of a modern attack,” said Shevchenko.
“A well-financed, competent, determined attacker will be unlikely ever to be restricted by the boundaries imposed by different platforms – building a unified server infrastructure that serves various agents working on different platforms makes perfect sense,” he added.
Shevchenko said that in terms of prevention against this or similar attacks, while AWS Security Groups (SGs) provide a robust boundary firewall for EC2 instances, this does not in and of itself remove the need for network admins to fully patch all their outward-facing services.
He added that the default installation for the SSH server also needs extra steps to harden it, “turning it into a rock-solid communication daemon”.
Sophos shared a number of steps proactive admins should be taking. These include creating a full inventory of all network-connected devices and keeping their security software updated; fully patching outward-facing services above and beyond what Amazon or your cloud service of choice might provide; checking and double-checking all cloud configurations; and enabling multi-factor authentication on security dashboards or control panels to stop attackers disabling your defences, or at least to make it harder for them to do so.
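The SSH hardening and configuration-checking advice above is generic, and the article gives no specific directives. As an added illustration (not Sophos' tooling and not tied to the Cloud Snooper case), the following script audits an OpenSSH sshd_config against a small baseline of commonly recommended directives. The directive list, the assumed OpenSSH defaults for absent directives, and both sample configurations are assumptions constructed for the example:

```python
"""Audit an OpenSSH sshd_config against a small hardening baseline.

Added example, not code from the article or from Sophos. The checked
directives and the defaults assumed for absent ones reflect general
OpenSSH practice, not anything specific to the Cloud Snooper case.
"""
from __future__ import annotations

# Directive -> (acceptable values, value OpenSSH uses when the directive is absent).
# The defaults are those documented for recent OpenSSH releases (assumption).
HARDENING_POLICY: dict[str, tuple[set[str], str]] = {
    "permitrootlogin": ({"no"}, "prohibit-password"),
    "passwordauthentication": ({"no"}, "yes"),
    "pubkeyauthentication": ({"yes"}, "yes"),
    "x11forwarding": ({"no"}, "no"),
    "permitemptypasswords": ({"no"}, "no"),
}


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective global directives with lower-cased keys and values.

    sshd honours the *first* occurrence of a directive, so later duplicates are
    ignored. Everything after a ``Match`` line applies only conditionally and is
    skipped here, because the audit is about the global baseline.
    """
    effective: dict[str, str] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd allows "Keyword value" or "Keyword=value"; normalise to whitespace.
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        effective.setdefault(key, value)
    return effective


def audit_sshd_config(text: str) -> list[str]:
    """Return human-readable findings; an empty list means the baseline passes."""
    effective = parse_sshd_config(text)
    findings: list[str] = []
    for directive, (allowed, default) in HARDENING_POLICY.items():
        value = effective.get(directive)
        source = "default" if value is None else "set"
        if value is None:
            value = default
        if value not in allowed:
            findings.append(
                f"{directive} is {value!r} ({source}); expected one of {sorted(allowed)}"
            )
    return findings


# Constructed sample resembling a distribution default, where most directives
# are left commented out and so fall back to the OpenSSH defaults.
DEFAULT_CONFIG = """\
# constructed sample, not a real host's configuration
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
X11Forwarding yes
"""

# Constructed sample of the same file after the baseline has been applied.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
PermitEmptyPasswords no
Match User backup
    # conditional override; intentionally not part of the global baseline
    PasswordAuthentication yes
"""


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or ['baseline OK']}")
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit_sshd_config`; on a live host, `sshd -T` prints the fully resolved configuration (defaults included), which is a more authoritative input than the file itself. The baseline is deliberately small; extend `HARDENING_POLICY` with whatever your own policy requires.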