Cyber Security News

Hackers Exploit ‘Any/Any’ Communication Configurations in Cloud Services to Host Malware

Recent research by Veriti has uncovered a disturbing trend in cybersecurity: malicious actors are increasingly leveraging cloud infrastructure to distribute malware and operate command-and-control (C2) servers.

This shift in tactics presents significant challenges for detection and exposes organizations to heightened security risks.

Cloud Misconfigurations Open Doors for Attackers

The study reveals that over 40% of networks allow unrestricted “any/any” communication with at least one major cloud provider.

This misconfiguration creates a vulnerable attack surface, enabling threat actors to exfiltrate data to attacker-controlled cloud instances and deploy malicious payloads from trusted cloud services, effectively deceiving users into downloading malware.

Researchers identified multiple malware campaigns abusing cloud storage for payload delivery.

One notable example is the XWorm campaign, which utilized Amazon Web Services (S3) storage to distribute its malicious executable.

Another campaign employed malicious RTF files exploiting CVE-2017-11882 and CVE-2017-0199 vulnerabilities, targeting victims primarily in Egypt.

Cloud Platforms Repurposed as Command-and-Control Hubs

Beyond malware hosting, the research uncovered that cloud platforms are frequently exploited as C2 servers, allowing adversaries to remotely control infected systems.

Various malware families, including Havoc Malware, NetSupportManager, Unam Miner, and HookBot, were observed utilizing cloud infrastructure from providers such as AWS, Google Cloud, Microsoft Azure, and Alibaba Cloud for C2 communications.

A particularly concerning development is the growing use of Sliver C2 in cloud-based attacks.

Originally developed for penetration testing, this open-source command-and-control framework is now being weaponized by threat actors, including Advanced Persistent Threat (APT) groups, for stealthy C2 operations and post-exploitation tactics.

The research also identified critical vulnerabilities affecting cloud-hosted services across major providers, further emphasizing the need for robust cloud security measures.

To mitigate these risks, organizations are advised to restrict “any/any” network rules, implement cloud-native security solutions for threat monitoring, and enforce comprehensive cloud security policies.

As the landscape of cloud-based threats continues to evolve, proactive security measures and continuous assessment of cloud environments have become imperative for organizations seeking to protect their digital assets and maintain a strong security posture.

Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Chinese Hackers Exploit SAP RCE Vulnerability to Deploy Supershell Backdoors

A critical remote code execution (RCE) vulnerability, identified as CVE-2025-31324, in SAP NetWeaver Visual Composer…

1 hour ago

Hackers Target IT Admins by Poisoning SEO to Push Malware to Top Search Results

Cybercriminals are increasingly targeting IT administrators through sophisticated Search Engine Optimization (SEO) poisoning techniques. By…

1 hour ago

New Mamona Ransomware Targets Windows Systems Using Abused Ping Command

Cybersecurity researchers are raising the alarm about a newly discovered commodity ransomware strain dubbed Mamona, which…

2 hours ago

Malicious Python Package Impersonates Discord Developers to Deploy Remote Commands

A seemingly innocuous Python package named ‘discordpydebug’ surfaced on the Python Package Index (PyPI) under…

2 hours ago

New Supply Chain Attack Compromises Popular npm Package with 45,000 Weekly Downloads

An advanced supply chain attack has targeted the well-known npm package rand-user-agent, which receives about…

2 hours ago

Threat Actors Leverage Multimedia Systems in Stealthy Vishing Attacks

Threat actors have begun exploiting multimedia systems as a pivotal component of their voice phishing…

2 hours ago