Veriti has uncovered a concerning trend where cybercriminals are actively exploiting misconfigured cloud services to distribute malware and control compromised systems. Over 40% of networks allow “any/any” communication with at least one major cloud provider, creating significant security vulnerabilities for organizations worldwide.

This permissive configuration essentially creates an open gateway for threat actors, enabling unrestricted data exfiltration to attacker-controlled cloud instances and facilitating the deployment of malicious payloads from trusted cloud services that can trick users into downloading malware. When organizations configure their networks to allow unrestricted communication with cloud providers, they inadvertently create a security blind spot that malicious actors can exploit. These misconfigurations allow attackers to establish command-and-control infrastructure within trusted cloud environments, making detection significantly more challenging as the malicious traffic blends with legitimate business communications. Security teams often whitelist major cloud providers, further complicating the identification of malicious activities originating from these trusted sources.

Forensic analysis of recent attacks has revealed multiple sophisticated malware campaigns specifically designed to leverage cloud storage for payload delivery. In one documented case, threat actors distributed malware through Amazon Web Services (AWS) S3 buckets, with payload locations such as “hxxps://dctdownload.s3.amazonaws[.]com/grabs/s3_n..Jexe” being used to host malicious executables. The use of legitimate cloud infrastructure helps attackers evade traditional security controls that might otherwise flag suspicious domains.

Beyond simple malware hosting, Veriti’s research identified numerous cases where cloud platforms serve as command-and-control (C2) servers, allowing adversaries to remotely control infected systems. The research uncovered a concerning pattern of cloud platforms being systematically exploited as command-and-control hubs across major providers. The abuse spans multiple cloud providers, with different malware families preferring specific cloud environments for their operations.

The research also documented specific malware strains commonly distributed through cloud infrastructure. Security researchers have observed Sliver being used in conjunction with Rust-based malware such as KrustyLoader to establish persistent backdoors in compromised environments. The attackers hosted their payloads on AWS S3 buckets at locations like “f8a076dcf0384e1f93bded36c8a9646c.s3.amazonaws./com” – again leveraging trusted infrastructure to distribute malware. Meanwhile, Alibaba Cloud infrastructure has been linked to Pupy RAT (8.210.107.12035.2, 41.106.118) and Brutal Ratel (8.212.128.240) command and control activities. Each of these threats leverages the perceived legitimacy of cloud services to evade detection and establish persistence within victim networks.

To mitigate these emerging threats, security experts recommend implementing strict network rules that define explicit parameters for cloud communications rather than allowing “any/any” configurations. Organizations should deploy cloud-native security solutions capable of monitoring for suspicious activities within their cloud environments and implement comprehensive logging to identify potential data exfiltration attempts. Regular security assessments focusing specifically on cloud service configurations can help identify and remediate these dangerous misconfigurations before they can be exploited.
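The following script is an added example (not Veriti's tooling or code from the article) of the kind of configuration check the recommendation above calls for: it walks a set of egress firewall rules, flags every "any/any" allow whose destination can reach a cloud provider's address space, and drafts explicitly scoped replacements (one prefix, one protocol, one port). The rule schema, the provider names and the CIDR list are constructed for illustration; the prefixes are RFC 5737 documentation ranges standing in for a provider's published IP ranges.

```python
"""Audit egress firewall rules for "any/any" allows toward cloud provider address
space, and draft explicitly scoped replacements.

Added example, not Veriti's tooling or the article's own code. The rule schema and
the CIDR list are constructed for illustration; the prefixes are RFC 5737
documentation ranges standing in for a provider's published IP ranges.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    proto: str    # "tcp", "udp" or "any"
    ports: str    # e.g. "443", "80,443", or "any"


# Placeholder prefixes standing in for provider-published ranges (constructed).
CLOUD_PREFIXES = {
    "cloud-provider-a": [ipaddress.ip_network("198.51.100.0/24")],
    "cloud-provider-b": [ipaddress.ip_network("203.0.113.0/24")],
}


def providers_reached(dst):
    """Return the providers whose prefixes the destination field can reach."""
    if dst == "any":
        return sorted(CLOUD_PREFIXES)   # an unrestricted destination reaches every provider
    net = ipaddress.ip_network(dst, strict=False)
    return sorted(name for name, nets in CLOUD_PREFIXES.items()
                  if any(net.overlaps(n) for n in nets))


def is_any_any(rule):
    """An allow rule that opens every port or protocol from the whole network."""
    return (rule.action == "allow" and rule.src == "any"
            and (rule.proto == "any" or rule.ports == "any"))


def find_any_any_cloud_rules(rules):
    """List (rule name, providers) for every any/any allow that reaches cloud space."""
    findings = []
    for r in rules:
        if not is_any_any(r):
            continue
        hit = providers_reached(r.dst)
        if hit:
            findings.append((r.name, hit))
    return findings


def scoped_replacements(rule, proto="tcp", ports="443"):
    """Draft one explicit rule per provider prefix in place of an any/any rule."""
    drafts = []
    for name in providers_reached(rule.dst):
        for i, net in enumerate(CLOUD_PREFIXES[name]):
            drafts.append(replace(rule, name=f"{rule.name}-{name}-{i}",
                                  dst=str(net), proto=proto, ports=ports))
    return drafts


if __name__ == "__main__":
    rules = [
        Rule("egress-cloud-open", "allow", "any", "198.51.100.0/24", "any", "any"),
        Rule("egress-https", "allow", "any", "203.0.113.0/24", "tcp", "443"),
        Rule("egress-default", "allow", "any", "any", "any", "any"),
    ]
    for name, hit in find_any_any_cloud_rules(rules):
        print(f"{name}: any/any reaches {', '.join(hit)}")
        for draft in scoped_replacements(next(r for r in rules if r.name == name)):
            print(f"  suggested: {draft}")
```

The drafted replacements deliberately narrow three dimensions at once (destination prefix, protocol, port), which is what "explicit parameters for cloud communications" amounts to in a rule base; in a real assessment the placeholder prefix list would be replaced with the provider's published ranges and the allowed ports with the services the business actually uses.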
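The two abuse patterns the article describes, executables delivered from object-storage buckets and data pushed out to attacker-controlled cloud storage, both leave traces in outbound proxy logs. The script below is an added example (not code from the article or from Veriti) of a detection run over a handful of constructed proxy log lines: it flags successful downloads of executable file types from object-storage hostnames and totals bytes uploaded per client to such hosts against a threshold. The log format, the bucket hostnames, the client addresses and the 50 MiB threshold are all constructed for illustration; none of them are indicators from the article.

```python
"""Detection over proxy logs: executable downloads from cloud object storage and
bulk uploads to it.

Added example, not part of the article or Veriti's research. The log format,
hostnames, clients and thresholds are constructed for illustration.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log lines: ts client method url status bytes_out bytes_in
SAMPLE_LOG = """\
2025-03-09T10:00:01Z 10.1.2.10 GET https://example-bucket-constructed.s3.amazonaws.com/grabs/update.exe 200 512 1048576
2025-03-09T10:00:05Z 10.1.2.10 GET https://docs.example.com/handbook.pdf 200 400 204800
2025-03-09T10:02:00Z 10.1.2.55 PUT https://drop-constructed.s3.amazonaws.com/archive/part1.bin 200 52428800 128
2025-03-09T10:02:30Z 10.1.2.55 PUT https://drop-constructed.s3.amazonaws.com/archive/part2.bin 200 52428800 128
2025-03-09T10:03:00Z 10.1.2.77 POST https://oss-constructed.oss-cn-hongkong.aliyuncs.com/backup/db.sql.gz 200 31457280 128
2025-03-09T10:04:00Z 10.1.2.99 GET https://static-constructed.s3.amazonaws.com/site/logo.png 200 300 4096
"""

# Hostname suffixes of object-storage services (AWS S3 and Alibaba OSS) to watch.
STORAGE_SUFFIXES = (".s3.amazonaws.com", ".aliyuncs.com")
# File types a browser download from a bucket should rarely legitimately be.
EXEC_EXTENSIONS = (".exe", ".dll", ".msi", ".ps1", ".bat", ".scr")
# Constructed per-client upload threshold (50 MiB) for the exfiltration heuristic.
UPLOAD_THRESHOLD = 50 * 1024 * 1024


def parse_log(text):
    """Parse the constructed space-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, bytes_out, bytes_in = line.split()
        u = urlparse(url)
        events.append({
            "ts": ts, "client": client, "method": method,
            "host": (u.hostname or "").lower(), "path": u.path,
            "status": int(status),
            "bytes_out": int(bytes_out), "bytes_in": int(bytes_in),
        })
    return events


def is_storage_host(host):
    """True when the request went to one of the watched object-storage services."""
    return host.endswith(STORAGE_SUFFIXES)


def executable_downloads(events):
    """Successful GETs of executable file types from object-storage hostnames."""
    return [e for e in events
            if e["method"] == "GET" and e["status"] == 200
            and is_storage_host(e["host"])
            and e["path"].lower().endswith(EXEC_EXTENSIONS)]


def bulk_uploads(events, threshold=UPLOAD_THRESHOLD):
    """Clients whose total PUT/POST bytes to object storage reach the threshold."""
    totals = defaultdict(int)
    for e in events:
        if e["method"] in ("PUT", "POST") and is_storage_host(e["host"]):
            totals[e["client"]] += e["bytes_out"]
    return {client: total for client, total in totals.items() if total >= threshold}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in executable_downloads(evts):
        print(f"EXEC-FROM-BUCKET {e['client']} -> {e['host']}{e['path']}")
    for client, total in bulk_uploads(evts).items():
        print(f"BULK-UPLOAD {client} sent {total} bytes to object storage")
```

Both checks are deliberately coarse: the download rule keys on file extension and the upload rule on raw byte volume, so they are a starting point for tuning against a site's own baseline rather than a finished signature. Because the article notes that major providers are often whitelisted outright, the value of this kind of logging is precisely that it looks inside traffic the firewall has already allowed.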
This Cyber News was published on cybersecuritynews.com. Publication date: Sun, 09 Mar 2025 14:15:06 +0000