
Cyber Attackers Utilizing Cloud Services for Malware Deployment


Malware operators have found a new way to conduct their malicious campaigns by turning to legitimate cloud services, as reported by cybersecurity firm Fortinet. In a recent publication, FortiGuard Labs, the research team of Fortinet, disclosed their findings on how threat actors are leveraging cloud services to enhance the capabilities of their malware.

Utilizing cloud servers for command and control (C2) operations allows threat actors to maintain persistent communication with compromised devices, increasing the difficulty for defenders to disrupt an attack. This transition to cloud-based operations signifies a significant evolution in the threat landscape, according to FortiGuard Labs.

Examples of this tactic include remote access Trojans (RATs) such as VCRUMS hosted on Amazon Web Services (AWS) and crypters such as SYK Crypter distributed via DriveHQ. FortiGuard Labs also identified a threat actor exploiting multiple vulnerabilities across a range of devices, including JAWS webservers, Dasan GPON home routers, Huawei HG532 routers, TP-Link Archer AX21 routers, and Ivanti Connect Secure appliances, to widen the reach of their attacks.

In their report, FortiGuard Labs highlighted three malware strains that currently leverage cloud services to amplify their impact. One of them, named ‘Skibidi,’ exploits vulnerabilities in the TP-Link Archer AX21 Wi-Fi router and in Ivanti Connect Secure products. FortiGuard Labs also analyzed two botnets, Condi and Unstable, which exploit vulnerabilities in devices such as TP-Link Archer routers and JAWS webservers to recruit them for DDoS attacks.

The operators of these malware strains rely on cloud C2 servers and cloud storage and computing services to distribute their payloads and updates efficiently across a wide range of devices. The flexibility and efficiency of cloud services have inadvertently provided cybercriminals with a new platform for their illicit activities.

As botnets and DDoS tools increasingly rely on cloud services, organizations are advised to strengthen their cloud security defenses. The researchers emphasize a multi-layered approach: regular patching and updates to close the vulnerabilities these strains exploit, and network segmentation to isolate critical assets and limit the blast radius of a compromise.
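One practical check that follows from the segmentation advice above, written here as an added example rather than code from the FortiGuard report: devices in a router/IoT segment normally have no reason to initiate connections to cloud file-hosting or generic compute endpoints, so repeated egress of that kind is worth surfacing. The segment range, the watch-list of cloud domains and the flow records below are all constructed for illustration and are not indicators from the report.

```python
import ipaddress
from collections import Counter

# Assumed: a VLAN holding consumer-grade routers and other IoT gear that has no
# business initiating connections to cloud storage or generic compute services.
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")

# Constructed watch-list of cloud file-hosting / compute domains; an operator
# would build this from the providers their own environment legitimately uses.
CLOUD_SERVICE_SUFFIXES = ("drivehq.com", "amazonaws.com")


def is_cloud_service(host: str) -> bool:
    """True when host is one of the watched domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in CLOUD_SERVICE_SUFFIXES)


def parse_flow(line: str) -> dict:
    """Constructed flow format: '<timestamp> <src_ip> <dst_host> <dst_port> <bytes_out>'."""
    ts, src, dst_host, port, nbytes = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "dst": dst_host,
            "port": int(port), "bytes": int(nbytes)}


def iot_cloud_egress(lines, min_hits: int = 2) -> dict:
    """Return {(src_ip, dst_host): hit_count} for IoT-segment hosts that reached a
    watched cloud service at least min_hits times (repeated beacons or payload pulls).
    Hosts outside the IoT segment are ignored: cloud egress is expected from them."""
    hits = Counter()
    for line in lines:
        f = parse_flow(line)
        if f["src"] in IOT_SEGMENT and is_cloud_service(f["dst"]):
            hits[(str(f["src"]), f["dst"])] += 1
    return {k: v for k, v in hits.items() if v >= min_hits}


SAMPLE_FLOWS = [  # constructed sample telemetry, not captured traffic
    "2024-06-01T10:00:01 10.20.5.17 www.drivehq.com 443 1830",
    "2024-06-01T10:05:02 10.20.5.17 www.drivehq.com 443 1790",
    "2024-06-01T10:10:03 10.20.5.17 www.drivehq.com 443 1802",
    "2024-06-01T10:00:09 10.20.7.3 ec2-203-0-113-5.compute-1.amazonaws.com 8443 512",
    "2024-06-01T10:00:10 10.30.1.8 s3.amazonaws.com 443 904200",  # server VLAN: allowed
    "2024-06-01T10:00:11 10.20.5.17 time.example.net 123 76",
]

if __name__ == "__main__":
    for (src, dst), n in sorted(iot_cloud_egress(SAMPLE_FLOWS).items()):
        print(f"IoT host {src} contacted cloud service {dst} {n} times")
```

Lowering `min_hits` to 1 also surfaces the single EC2 contact from 10.20.7.3; the threshold is where an operator trades noise against sensitivity for their own segment.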

The evolution of malware operations to exploit cloud services underscores the need for continuous diligence in cybersecurity measures. By staying ahead of emerging threats and fortifying defenses, organizations can effectively safeguard their systems and data from malicious attacks.
