Recent research by Veriti has uncovered a disturbing trend in cybersecurity: malicious actors are increasingly leveraging cloud infrastructure to distribute malware and operate command-and-control (C2) servers.
This shift in tactics presents significant challenges for detection and exposes organizations to heightened security risks.
Cloud Misconfigurations Open Doors for Attackers
The study reveals that over 40% of networks allow unrestricted “any/any” communication with at least one major cloud provider.
This misconfiguration creates a vulnerable attack surface, enabling threat actors to exfiltrate data to attacker-controlled cloud instances and deploy malicious payloads from trusted cloud services, effectively deceiving users into downloading malware.
Researchers identified multiple malware campaigns abusing cloud storage for payload delivery.
One notable example is the XWorm campaign, which utilized Amazon Web Services (S3) storage to distribute its malicious executable.
Another campaign employed malicious RTF files exploiting CVE-2017-11882 and CVE-2017-0199 vulnerabilities, targeting victims primarily in Egypt.
Cloud Platforms Repurposed as Command-and-Control Hubs
Beyond malware hosting, the research uncovered that cloud platforms are frequently exploited as C2 servers, allowing adversaries to remotely control infected systems.
Various malware families, including Havoc Malware, NetSupportManager, Unam Miner, and HookBot, were observed utilizing cloud infrastructure from providers such as AWS, Google Cloud, Microsoft Azure, and Alibaba Cloud for C2 communications.
A particularly concerning development is the growing use of Sliver C2 in cloud-based attacks.
Originally developed for penetration testing, this open-source command-and-control framework is now being weaponized by threat actors, including Advanced Persistent Threat (APT) groups, for stealthy C2 operations and post-exploitation tactics.
The research also identified critical vulnerabilities affecting cloud-hosted services across major providers, further emphasizing the need for robust cloud security measures.
To mitigate these risks, organizations are advised to restrict “any/any” network rules, implement cloud-native security solutions for threat monitoring, and enforce comprehensive cloud security policies.
As the landscape of cloud-based threats continues to evolve, proactive security measures and continuous assessment of cloud environments have become imperative for organizations seeking to protect their digital assets and maintain a strong security posture.
Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free
