Cisco discovers malware campaign using Azure and AWS to spread Nanocore, Netwire and AsyncRATs.

A campaign that uses public cloud service providers to spread malware has been discovered by Cisco Talos. The offensive is the latest example of threat actors abusing cloud services like Microsoft Azure and Amazon Web Services for malicious purposes, security researchers Chetan Raghuprasad and Vanja Svajcer wrote in the Talos blog.

To camouflage their activity, the researchers noted, the hackers used the DuckDNS dynamic DNS service to change the domain names of the command-and-control hosts used for the campaign, which began distributing variants of Nanocore, Netwire, and AsyncRATs to targets in the United States, Italy and Singapore around October 26. Those variants are packed with multiple features for taking control of a target’s computer, allowing the attacker to issue commands and steal information.

Attack begins with phishing email containing poisoned ZIP file

The researchers found that the initial infection vector for the attackers is a phishing email with a poisoned ZIP archive. The archive contains an ISO image with a malicious script. When the script executes, it connects to a server, which is typically hosted on Azure or AWS, to download the next stage of the malware.

“Threat actors are increasingly using cloud technologies to achieve their objectives without having to resort to hosting their own infrastructure,” the researchers wrote. “These types of cloud services like Azure and AWS allow attackers to set up their infrastructure and connect to the internet with minimal time or monetary commitments. It also makes it more difficult for defenders to track down the attackers’ operations.”

Attack not new, but underscores risk of public cloud

Using someone else’s infrastructure for command-and-control of malware isn’t a new practice, observes Oliver Tavakoli, CTO of Vectra, a provider of automated threat management solutions.
“In the pre-cloud days, this approach involved breaking into someone’s compute infrastructure and hosting malware distribution and C2 communication from there,” he says. “In the age of public clouds, you can just rent the compute in a pool that has a murky reputation and cannot easily be blacklisted.”

“Threat actors use well-known cloud services in their campaigns because the public passively trusts big companies to be secure,” adds Davis McCarthy, a principal security researcher at Valtix, a provider of cloud-native network security services. “Network defenders may think communications to an IP address owned by Amazon or Microsoft are benign because those communications occur so frequently across a myriad of services.”

McCarthy recommends that to guard against CSP-based attacks, organizations should create an inventory of known cloud services and their network communication behaviors.

Continuous monitoring of network activity against a baseline is key to identifying risks that open an organization to these kinds of campaigns, adds Eric Kedrosky, CISO of Sonrai Security. He also advised, “Don’t rely on old controls, things like firewalls, anti-virus, and such, as they aren’t as effective in the cloud.”

“An organization should have visibility into all the identities in its cloud, especially the non-human ones and the permissions that each and every one has,” Kedrosky says. “It’s fundamental to lock down who and what has access to your cloud services and what they can do with them. If an attacker gets a hold of an over-permissioned identity, they can effectively use your cloud against you and it will be nearly impossible to detect.”
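The inventory-and-baseline approach McCarthy and Kedrosky describe can be reduced to a simple check over DNS or proxy logs: flag destinations that are not in the sanctioned cloud-service inventory, and flag any resolution to a dynamic DNS domain such as DuckDNS, which the campaign used to rotate its command-and-control hostnames. The following is an added example, not code from Cisco Talos, Valtix, Sonrai Security or the article. The log format, the inventory entries, the IP prefixes standing in for provider address space, and the log lines themselves are all constructed for the demonstration.

```python
"""Baseline check for cloud-hosted command-and-control indicators.

Added example, not from the article or the vendors it quotes. Assumptions:
- Logs are available as "timestamp src_ip dst_host dst_ip" lines (constructed).
- The organization keeps an inventory of sanctioned cloud endpoints by hostname.
- CLOUD_PREFIXES are placeholders; real checks use the providers' published ranges.
"""
import ipaddress
from collections import Counter

# DuckDNS is named in the campaign report; any other suffix added here is an assumption.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org",)

# Constructed inventory of sanctioned cloud services (hostnames the org expects to talk to).
KNOWN_CLOUD_SERVICES = {
    "storage.example-corp.blob.core.windows.net",
    "backups-example-corp.s3.amazonaws.com",
}

# Placeholder prefixes standing in for provider address space (documentation ranges).
CLOUD_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample log: two sanctioned lookups, one DuckDNS host, one unknown cloud VM.
SAMPLE_LOG = """\
2021-11-02T09:14:01Z 10.0.0.12 storage.example-corp.blob.core.windows.net 203.0.113.10
2021-11-02T09:14:05Z 10.0.0.12 backups-example-corp.s3.amazonaws.com 198.51.100.7
2021-11-02T09:15:22Z 10.0.0.34 updates-srv.duckdns.org 203.0.113.88
2021-11-02T09:16:40Z 10.0.0.34 vmstage01.eastus.cloudapp.azure.com 203.0.113.91
2021-11-02T09:17:03Z 10.0.0.34 storage.example-corp.blob.core.windows.net 203.0.113.10
"""


def parse_log(text):
    """Parse whitespace-separated log lines into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, host, dst = parts
        records.append({"ts": ts, "src": src, "host": host.lower(), "dst": dst})
    return records


def is_dynamic_dns(host):
    """True if the hostname is, or sits under, a known dynamic DNS suffix."""
    return any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def in_cloud_space(ip_text):
    """True if the address falls inside one of the (placeholder) provider prefixes."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in CLOUD_PREFIXES)


def find_alerts(records, known=KNOWN_CLOUD_SERVICES):
    """Return (src, host, reasons) for records that deviate from the baseline.

    A dynamic DNS hostname is always flagged. A cloud-space destination is flagged
    when its hostname is not in the sanctioned inventory; the provider's reputation
    alone does not make the connection benign.
    """
    alerts = []
    for r in records:
        reasons = []
        if is_dynamic_dns(r["host"]):
            reasons.append("dynamic-dns")
        if in_cloud_space(r["dst"]) and r["host"] not in known:
            reasons.append("unknown-cloud-destination")
        if reasons:
            alerts.append((r["src"], r["host"], reasons))
    return alerts


def alerts_by_source(alerts):
    """Count alerts per internal source address to surface the noisiest host."""
    return dict(Counter(src for src, _, _ in alerts))


if __name__ == "__main__":
    found = find_alerts(parse_log(SAMPLE_LOG))
    for src, host, reasons in found:
        print(f"{src} -> {host}: {', '.join(reasons)}")
    print(alerts_by_source(found))
```

The check deliberately does not trust a destination because it belongs to a major provider: the inventory of sanctioned endpoints, not the provider's address space, is the baseline, and anything outside it in provider space is raised for review.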