Malware operators are turning to legitimate cloud services to conduct malicious campaigns, according to cybersecurity firm Fortinet.
In a new report, FortiGuard Labs, Fortinet’s research team, shared findings on how threat actors are abusing cloud services to enhance their malware’s malicious capabilities.
FortiGuard Labs said: “Using cloud servers for command and control (C2) operations ensures persistent communication with compromised devices, making it harder for defenders to disrupt an attack. This shift to cloud-based operations marks a significant evolution in the threat landscape.”
Examples of this strategy can be seen with remote access Trojans (RAT) such as VCRUMS stored on Amazon Web Services (AWS) or crypters like SYK Crypter distributed via DriveHQ.
“We have also observed a threat actor exploiting multiple vulnerabilities to target JAWS webservers, Dasan GPON home routers, Huawei HG532 routers, TP-Link Archer AX21, and Ivanti Connect Secure to amplify their attacks,” the FortiGuard Labs researchers wrote.
New Malware Strain Observed
In the report, FortiGuard Labs mentioned three malware strains currently exploiting cloud services to amplify their impact.
The security researchers discovered a new malware strain, named ‘Skibidi,’ exploiting two vulnerabilities in the TP-Link Archer AX21 Wi-Fi router (CVE-2023-1389) and Ivanti Connect Secure products (CVE-2024-21887).
Next, FortiGuard Labs analyzed two botnets, Condi and Unstable.
The former targets the same TP-Link Arche vulnerability to deploy distributed denial of service (DDoS) attacks.
The latter, a variant of the infamous Mirai botnet, targets three old vulnerabilities in the JAWS Webserver (CVE-2016-20016, CVE-2018-10561/10562 and CVE-2017-17215) for the same purpose.
The operators of these three malware strains rely on cloud C2 servers and/or leverage cloud storage and computing services operators to distribute their payloads and updates to a broad range of devices.
“Cloud services' inherent flexibility and efficiency have unwittingly provided cybercriminals with a new arena for their activities. […] Organizations must bolster their cloud security defenses as botnets and DDoS tools continue to leverage cloud services.
“Implementing a multi-layered security approach, including regular patching, updates, and network segmentation, is essential to isolate critical assets and mitigate potential breaches,” the security researchers concluded.
Read more: Researchers Uncover Major Surge in Global Botnet Activity