12 ways attackers abuse cloud services to hack your enterprise


Hiding command-and-control in trusted APIs: Attackers are also building malware that routes C2 traffic through trusted services such as OpenAI’s APIs. For example, the SesameOp backdoor routes traffic through OpenAI’s Assistants API, masking C2 communications as legitimate AI development work. “In cases such as the SesameOp backdoor, traffic looks like normal AI development activity,” says Parthiban Jegatheesan, managing director at Peneto Labs. “To security tools, it blends in with legitimate business use, making it much harder to block without breaking real workflows.” Malware such as VEILDrive, and malicious builds of the Havoc post-exploitation framework, abuse the Microsoft Graph API. “The malware authenticates to a legitimate corporate SharePoint or OneDrive tenant, where it utilizes the Graph API to read command files such as cmd.txt and write ‘output’ files (e.g., results.json) directly into a folder that looks like a user’s personal backup,” explains Kwangyun Keum, a senior offensive security engineer.

Malware staging in object storage: Attackers are increasingly storing second-stage payloads or configuration files in cloud storage services, for example S3-compatible buckets, instead of on their own servers. “These files are pulled down only when needed, reducing the malware footprint on disk and allowing attackers to swap payloads without redeploying malware,” Peneto Labs’ Jegatheesan says.

Data exfiltration via trusted services: Attackers have also shifted from traditional FTP drops and risky pastebin-style text-storage sites to exfiltrating large troves of sensitive data through everyday cloud-based corporate communication tools such as Slack and Discord, according to Nicholas Carroll, manager of cyber incident response at Nightwing. Carroll says that in recent attack campaigns threat actors “configured compromised servers to execute HTTPS POST requests to api.slack.com, hooks.slack.com, or discord.com,” using these endpoints to exfiltrate “heavily monitored secrets such as AWS Access Keys, SSH keys, and internal API tokens directly into attacker-controlled chat channels.”
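A worked detection for the two patterns above, added here as an example rather than taken from the article or from the researchers quoted: the script scans constructed web-proxy log lines for (a) a non-browser process polling a Microsoft Graph path at a near-constant interval, which is what an implant reading a command file from OneDrive looks like from the network, and (b) HTTPS POSTs to the Slack and Discord endpoints Carroll names coming from servers rather than workstations. The log format, hostnames, paths, the server/workstation split and the thresholds are assumptions.

```python
import json
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed web-proxy log, one JSON object per line. Hostnames, paths,
# user agents and timings are invented for this example.
PROXY_LOG = """\
{"ts":"2025-01-10T09:00:00Z","src":"srv-build-01","method":"GET","host":"graph.microsoft.com","path":"/v1.0/me/drive/root:/Backup/cmd.txt:/content","ua":"python-requests/2.31","bytes_out":0}
{"ts":"2025-01-10T09:00:01Z","src":"srv-build-01","method":"PUT","host":"graph.microsoft.com","path":"/v1.0/me/drive/root:/Backup/results.json:/content","ua":"python-requests/2.31","bytes_out":2048}
{"ts":"2025-01-10T09:01:00Z","src":"srv-build-01","method":"GET","host":"graph.microsoft.com","path":"/v1.0/me/drive/root:/Backup/cmd.txt:/content","ua":"python-requests/2.31","bytes_out":0}
{"ts":"2025-01-10T09:02:00Z","src":"srv-build-01","method":"GET","host":"graph.microsoft.com","path":"/v1.0/me/drive/root:/Backup/cmd.txt:/content","ua":"python-requests/2.31","bytes_out":0}
{"ts":"2025-01-10T09:03:00Z","src":"srv-build-01","method":"GET","host":"graph.microsoft.com","path":"/v1.0/me/drive/root:/Backup/cmd.txt:/content","ua":"python-requests/2.31","bytes_out":0}
{"ts":"2025-01-10T09:04:00Z","src":"srv-build-01","method":"GET","host":"graph.microsoft.com","path":"/v1.0/me/drive/root:/Backup/cmd.txt:/content","ua":"python-requests/2.31","bytes_out":0}
{"ts":"2025-01-10T09:05:00Z","src":"srv-build-01","method":"GET","host":"graph.microsoft.com","path":"/v1.0/me/drive/root:/Backup/cmd.txt:/content","ua":"python-requests/2.31","bytes_out":0}
{"ts":"2025-01-10T09:00:05Z","src":"ws-alice-01","method":"GET","host":"graph.microsoft.com","path":"/v1.0/me/messages","ua":"Mozilla/5.0 (Windows NT 10.0)","bytes_out":0}
{"ts":"2025-01-10T09:07:40Z","src":"ws-alice-01","method":"GET","host":"graph.microsoft.com","path":"/v1.0/me/messages","ua":"Mozilla/5.0 (Windows NT 10.0)","bytes_out":0}
{"ts":"2025-01-10T09:31:12Z","src":"ws-alice-01","method":"GET","host":"graph.microsoft.com","path":"/v1.0/me/messages","ua":"Mozilla/5.0 (Windows NT 10.0)","bytes_out":0}
{"ts":"2025-01-10T09:03:17Z","src":"srv-db-02","method":"POST","host":"hooks.slack.com","path":"/services/T000/B000/XXXX","ua":"curl/8.4.0","bytes_out":184320}
{"ts":"2025-01-10T09:04:02Z","src":"ws-bob-03","method":"POST","host":"api.slack.com","path":"/api/chat.postMessage","ua":"Slack/4.36 Electron","bytes_out":512}
"""

# Assumed asset data: which sources are servers (no interactive chat user).
SERVER_HOSTS = {"srv-build-01", "srv-db-02"}
# Endpoints named in the article as exfiltration sinks.
CHAT_EXFIL_HOSTS = {"api.slack.com", "hooks.slack.com", "discord.com"}


def parse_log(text):
    """Parse the JSON-lines proxy log into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def find_beacons(events, min_requests=6, max_cv=0.2):
    """Flag (src, host, method, path, ua) series polled at a near-constant
    interval from a non-browser user agent: the fingerprint of an implant
    that keeps reading a command file from a trusted API."""
    series = defaultdict(list)
    for e in events:
        series[(e["src"], e["host"], e["method"], e["path"], e["ua"])].append(e["ts"])
    findings = []
    for (src, host, method, path, ua), stamps in series.items():
        if len(stamps) < min_requests or ua.startswith("Mozilla/"):
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean  # 0 means perfectly regular polling
        if cv <= max_cv:
            findings.append({"src": src, "host": host, "method": method, "path": path, "ua": ua,
                             "requests": len(stamps), "mean_interval_s": mean, "cv": round(cv, 3)})
    return findings


def find_server_chat_posts(events, server_hosts=SERVER_HOSTS):
    """Flag POSTs to chat-platform endpoints from servers. A workstation
    running the Slack client is expected to talk to api.slack.com; a
    database server is not."""
    return [
        {"src": e["src"], "host": e["host"], "path": e["path"], "bytes_out": e["bytes_out"]}
        for e in events
        if e["method"] == "POST" and e["host"] in CHAT_EXFIL_HOSTS and e["src"] in server_hosts
    ]


if __name__ == "__main__":
    evts = parse_log(PROXY_LOG)
    for f in find_beacons(evts):
        print("BEACON", f)
    for f in find_server_chat_posts(evts):
        print("EXFIL", f)
```

The beacon check keys on regularity rather than on the destination, so it still fires when the implant moves to another trusted API; the POST check relies on knowing which hosts are servers, which is asset data most teams already hold. Both are starting points to tune, not signatures.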

Hybrid and multi-stage kill chains entirely inside the cloud: Several campaigns demonstrate full cloud-native attack chains, including one campaign linked to a Chinese cyberespionage group. “Since March 2024, Genesis Panda has systematically weaponized cloud services across the full attack chain, querying AWS Instance Metadata Service (IMDS) for credential harvesting, using cloud storage for payload hosting, routing C2 through domains impersonating legitimate cloud services, and using cloud compute for data exfiltration,” says Diptamay Sanyal, principal engineer for data, AI, and cybersecurity at CrowdStrike. “The cloud isn’t a target here, it’s the entire operational backbone,” Sanyal adds.
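Genesis Panda’s first step, harvesting instance-role credentials from IMDS, leaves a trace as soon as those credentials are used from anywhere other than the instance. The following Python is an added example (not CrowdStrike’s or the article’s), run over constructed CloudTrail records: instance-profile credentials appear as an assumed-role session named after the instance ID, so each call can be checked against the addresses the instance actually owns. A second function audits a constructed describe-instances excerpt for instances that still accept IMDSv1 or allow more than one network hop. The inventory, ARNs, IP addresses (documentation ranges) and event records are all assumptions.

```python
import re

# Constructed inventory: instance ID -> addresses it can legitimately call
# AWS from (assumed to come from a CMDB or a describe-instances export).
INSTANCE_IPS = {
    "i-0a1b2c3d4e5f60001": {"10.0.1.5", "198.51.100.10"},
}

# Constructed CloudTrail records trimmed to the fields used here.
# Instance-profile credentials show up as an AssumedRole whose session
# name is the instance ID; the IPs are documentation ranges, not real hosts.
EVENTS = [
    {"eventTime": "2025-01-10T09:00:00Z", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/WebRole/i-0a1b2c3d4e5f60001"}},
    {"eventTime": "2025-01-10T09:12:31Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/WebRole/i-0a1b2c3d4e5f60001"}},
    {"eventTime": "2025-01-10T09:13:05Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/WebRole/i-0a1b2c3d4e5f60001"}},
    {"eventTime": "2025-01-10T09:14:00Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
]

INSTANCE_SESSION = re.compile(r"^arn:aws:sts::\d{12}:assumed-role/[^/]+/(i-[0-9a-f]{8,17})$")


def instance_id_from_arn(arn):
    """Return the instance ID if the ARN is an instance-profile session."""
    m = INSTANCE_SESSION.match(arn or "")
    return m.group(1) if m else None


def find_offhost_credential_use(events, instance_ips):
    """Flag calls made with an instance's role credentials from an address
    the instance does not own: the signature of harvested IMDS credentials."""
    findings = []
    for e in events:
        iid = instance_id_from_arn(e.get("userIdentity", {}).get("arn"))
        if iid is None:
            continue
        src = e["sourceIPAddress"]
        if src.endswith(".amazonaws.com"):
            continue  # an AWS service acting on the role's behalf, not a client address
        allowed = instance_ips.get(iid)
        if allowed is None:
            reason = "unknown instance"
        elif src not in allowed:
            reason = "source outside instance addresses"
        else:
            continue
        findings.append({"instance_id": iid, "source_ip": src, "event": e["eventName"],
                         "time": e["eventTime"], "reason": reason})
    return findings


# Constructed describe-instances excerpt for the IMDS posture check.
INSTANCES = [
    {"InstanceId": "i-0a1b2c3d4e5f60001",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0a1b2c3d4e5f60002",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
]


def imds_weaknesses(instances):
    """Instances that still answer IMDSv1 requests, or whose PUT response
    hop limit lets a second network hop (a container, say) obtain a token."""
    out = []
    for inst in instances:
        mo = inst.get("MetadataOptions", {})
        if mo.get("HttpEndpoint") != "enabled":
            continue
        problems = []
        if mo.get("HttpTokens") != "required":
            problems.append("IMDSv1 allowed")
        if mo.get("HttpPutResponseHopLimit", 1) > 1:
            problems.append("hop limit > 1")
        if problems:
            out.append((inst["InstanceId"], problems))
    return out


if __name__ == "__main__":
    for f in find_offhost_credential_use(EVENTS, INSTANCE_IPS):
        print("CREDENTIAL MISUSE", f)
    for iid, problems in imds_weaknesses(INSTANCES):
        print("IMDS", iid, problems)
```

The off-host check needs an up-to-date instance-to-address map; Elastic IPs and NAT gateways mean the public address is not always the instance’s own, so feed it the egress addresses the instance really uses.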

Phishing and social engineering via trusted platforms: Attackers are increasingly hosting lures and login pages on legitimate cloud infrastructure. For example, the Russia-nexus group Cozy Bear (APT29) delivered phishing links that redirected to authentic Microsoft login pages, removing the most common phishing red flag: a suspicious domain. “Victims only ever saw legitimate Microsoft infrastructure, making traditional URL-based detection useless,” says CrowdStrike’s Sanyal.

Serverless and ephemeral infrastructure abuse: Attackers are abusing serverless services, such as AWS Lambda or Azure Functions, to conduct network reconnaissance and scanning. The tactic was deployed during the HazyBeacon campaign targeting governmental entities in Southeast Asia, uncovered by Palo Alto Networks’ Unit 42 threat intelligence division. “Instead of scanning a target from a single compromised server, which gets its IP blocked immediately, the attacker spins up thousands of ephemeral Lambda functions,” says Kaveh Ranjbar, co-founder and CEO of Whisper Security and former CIO/CTO of RIPE NCC. “Each function scans a small slice of the target network and then dies.” The traffic originates from high-reputation Amazon IPs that rotate constantly, and enterprise firewalls cannot block those ranges wholesale without breaking their own access to legitimate AWS services. “The attacker effectively ‘launders’ their traffic through Amazon’s reputation,” Ranjbar adds.
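An added example, not from Unit 42 or from Ranjbar: since per-IP blocking fails against scanners that live for one request, the detection has to aggregate by the prefix the traffic comes from rather than by address. This Python groups constructed firewall log lines by provider prefix and flags a prefix whose many short-lived sources each probe only a few ports but together cover many. The prefix list, the log format and the thresholds are assumptions; the single prefix used here stands in for the provider’s published ranges (AWS publishes ip-ranges.json).

```python
import ipaddress
from collections import defaultdict

# Assumed provider prefix list for the example. In production, load the
# provider's published ranges instead of hard-coding one network.
CLOUD_PREFIXES = {ipaddress.ip_network("3.5.140.0/22"): "amazon"}


def build_sample_log():
    """Constructed firewall log ('ts action src dst dport'): ten short-lived
    sources inside one cloud prefix each probe two ports on the same host,
    mixed with unrelated traffic. Not real data."""
    lines = []
    for i in range(10):
        src = f"3.5.140.{10 + i}"
        for port in (1000 + 2 * i, 1001 + 2 * i):
            lines.append(f"2025-01-10T09:00:{i * 5:02d}Z deny {src} 10.0.0.5 {port}")
    lines += [
        "2025-01-10T09:00:12Z allow 198.51.100.20 10.0.0.5 443",
        "2025-01-10T09:00:13Z allow 198.51.100.20 10.0.0.5 443",
        "2025-01-10T09:00:30Z deny 203.0.113.9 10.0.0.5 22",
    ]
    return lines


def prefix_for(ip):
    """Map a source address to the provider prefix it belongs to, falling
    back to its /16 so unknown sources are still aggregated."""
    for net, provider in CLOUD_PREFIXES.items():
        if ip in net:
            return str(net), provider
    return str(ipaddress.ip_network(f"{ip}/16", strict=False)), "unknown"


def find_distributed_scans(lines, min_sources=5, min_targets=15, max_per_source=3):
    """Per prefix, count distinct sources and distinct (dst, port) targets.
    A prefix whose many sources each touch only a few ports, but together
    cover many, looks like one scan split across ephemeral workers."""
    groups = defaultdict(lambda: {"provider": None, "sources": set(), "targets": set(),
                                  "per_source": defaultdict(set)})
    for line in lines:
        _ts, _action, src, dst, dport = line.split()
        key, provider = prefix_for(ipaddress.ip_address(src))
        g = groups[key]
        g["provider"] = provider
        g["sources"].add(src)
        g["targets"].add((dst, int(dport)))
        g["per_source"][src].add((dst, int(dport)))
    findings = []
    for key, g in groups.items():
        busiest = max(len(t) for t in g["per_source"].values())
        if (len(g["sources"]) >= min_sources and len(g["targets"]) >= min_targets
                and busiest <= max_per_source):
            findings.append({"prefix": key, "provider": g["provider"],
                             "sources": len(g["sources"]), "targets": len(g["targets"]),
                             "max_targets_per_source": busiest})
    return findings


if __name__ == "__main__":
    for f in find_distributed_scans(build_sample_log()):
        print(f)
```

The response is not to block the prefix (that is exactly what breaks access to the provider) but to alert on it and to rate-limit or tarpit new connections from the prefix to ports you do not expose.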

Cloud tunneling: Adversaries bypass inbound firewall rules by using legitimate tunneling services hosted on major cloud providers. “An attacker compromises an internal server but cannot open a port to listen for commands due to the corporate firewall,” Whisper Security’s Ranjbar explains. “So, they install a Cloudflare Tunnel or ngrok agent. This agent initiates an outbound connection to the cloud provider, which is usually allowed.” Ranjbar adds: “To the security team, this looks like legitimate, encrypted HTTPS traffic going to Cloudflare or AWS. In reality, it is a stable C2 channel that tunnels right through the perimeter defenses using trusted infrastructure as the carrier.”
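An added example of what the defender’s side of Ranjbar’s scenario can look for, not code from the article: because the tunnel is outbound HTTPS, the useful signals are the agent’s process command line and the DNS names it resolves to reach its provider. This Python correlates both over constructed process-creation and DNS telemetry, including a renamed cloudflared binary that only the DNS check catches. The command-line patterns follow the two tools’ CLI syntax; the endpoint domains are assumptions to be verified against the vendors’ current documentation, and the telemetry is invented.

```python
import re
from collections import defaultdict

# Signatures for the two tunnel agents the article names. The command-line
# patterns follow the tools' CLI syntax; the domains are assumptions to
# check against the vendors' documentation before deploying.
TUNNEL_CMDLINES = {
    "cloudflared": re.compile(r"\bcloudflared\b.*\btunnel\b", re.I),
    "ngrok": re.compile(r"\bngrok\b.*\b(http|tcp|tls|tunnel|start)\b", re.I),
}
TUNNEL_DOMAINS = {
    "argotunnel.com": "cloudflared",
    "ngrok.com": "ngrok",
    "ngrok-agent.com": "ngrok",
    "ngrok.io": "ngrok",
}

# Constructed endpoint telemetry. On srv-app-07 the cloudflared binary has
# been renamed, so only the DNS signal identifies it.
PROCESS_EVENTS = [
    {"host": "ws-dev-05", "user": "dev", "image": "/usr/local/bin/ngrok", "cmdline": "ngrok http 3000"},
    {"host": "srv-app-07", "user": "svc_app", "image": r"C:\Users\svc_app\AppData\Local\Temp\svchost2.exe",
     "cmdline": "svchost2.exe tunnel run --token REDACTED"},
    {"host": "srv-web-01", "user": "www", "image": "/usr/sbin/nginx", "cmdline": "nginx -g daemon off;"},
]
DNS_EVENTS = [
    {"host": "srv-app-07", "query": "region1.v2.argotunnel.com"},
    {"host": "srv-web-01", "query": "www.cloudflare.com"},
    {"host": "ws-dev-05", "query": "connect.ngrok-agent.com"},
]


def match_process(cmdline):
    """Return the tool name if the command line looks like a tunnel agent."""
    for tool, pattern in TUNNEL_CMDLINES.items():
        if pattern.search(cmdline):
            return tool
    return None


def match_dns(query):
    """Return the tool name if the query is under a known tunnel endpoint domain."""
    q = query.lower().rstrip(".")
    for domain, tool in TUNNEL_DOMAINS.items():
        if q == domain or q.endswith("." + domain):
            return tool
    return None


def find_tunnel_agents(process_events, dns_events, sanctioned_hosts=frozenset()):
    """Combine process and DNS signals per host, skipping hosts where a
    tunnel is sanctioned (assumed to come from an exception list)."""
    per_host = defaultdict(lambda: {"tools": set(), "signals": []})
    for p in process_events:
        tool = match_process(p["cmdline"])
        if tool:
            per_host[p["host"]]["tools"].add(tool)
            per_host[p["host"]]["signals"].append(f"process:{p['image']}")
    for d in dns_events:
        tool = match_dns(d["query"])
        if tool:
            per_host[d["host"]]["tools"].add(tool)
            per_host[d["host"]]["signals"].append(f"dns:{d['query']}")
    return [
        {"host": host, "tools": sorted(v["tools"]), "signals": v["signals"]}
        for host, v in sorted(per_host.items()) if host not in sanctioned_hosts
    ]


if __name__ == "__main__":
    for f in find_tunnel_agents(PROCESS_EVENTS, DNS_EVENTS):
        print(f)
```

Because the traffic itself is indistinguishable from ordinary HTTPS to the provider, the durable control is an egress policy that only permits known processes on servers to reach the tunnel providers at all; the detection above is what you run while that policy is still being rolled out.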

EBS snapshot sharing: Cybercrime groups such as Scattered Spider and Storm-0501 abuse snapshot sharing, turning a routine storage feature into a high-impact IaaS attack vector. The approach bypasses traditional network security by weaponizing the cloud’s management layer. “Rather than downloading malicious files, the adversary creates a snapshot, a ‘photograph’ of the victim server’s entire hard drive, and simply ‘shares’ it using the ModifySnapshotAttribute API with an external cloud account the attackers control,” says offensive security engineer Keum. “The attacker subsequently restores the snapshot and then performs attacks such as ‘offline’ credential dumping.”
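An added example, not from Keum or the article: the sharing call Keum describes is recorded by CloudTrail, so it can be caught at the management layer where it happens. This Python inspects constructed ModifySnapshotAttribute records and flags any createVolume grant to an account outside the organization, or to everyone. The account numbers, snapshot IDs and ARNs are invented, the trusted-account set is assumed to come from AWS Organizations, and the requestParameters layout follows the EC2 API as the author understands it. Pairing the detection with an SCP that denies ec2:ModifySnapshotAttribute to roles with no business sharing snapshots turns it into prevention.

```python
# Constructed CloudTrail records. The requestParameters layout
# (attributeType, createVolumePermission.add.items[].userId / .group) follows
# the EC2 ModifySnapshotAttribute API; the account numbers, ARNs and
# snapshot IDs are invented for this example.
TRUSTED_ACCOUNTS = {"123456789012", "210987654321"}  # assumed: the accounts in your org

EVENTS = [
    {"eventTime": "2025-01-10T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifySnapshotAttribute", "recipientAccountId": "123456789012",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/BackupRole/backup-job"},
     "requestParameters": {"snapshotId": "snap-0aaa111", "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "210987654321"}]}}}},
    {"eventTime": "2025-01-10T10:05:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifySnapshotAttribute", "recipientAccountId": "123456789012",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/HelpdeskRole/jdoe"},
     "requestParameters": {"snapshotId": "snap-0bbb222", "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}}},
    {"eventTime": "2025-01-10T10:06:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifySnapshotAttribute", "recipientAccountId": "123456789012",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/HelpdeskRole/jdoe"},
     "requestParameters": {"snapshotId": "snap-0ccc333", "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"group": "all"}]}}}},
    {"eventTime": "2025-01-10T10:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSnapshot", "recipientAccountId": "123456789012",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/BackupRole/backup-job"},
     "requestParameters": {"volumeId": "vol-0ddd444"}},
]


def snapshot_share_findings(events, trusted_accounts=TRUSTED_ACCOUNTS):
    """Flag snapshot sharing that grants createVolume permission to an
    account outside the org, or to everyone. Sharing within the org is
    normal backup traffic and is left alone."""
    findings = []
    for e in events:
        if e.get("eventSource") != "ec2.amazonaws.com" or e.get("eventName") != "ModifySnapshotAttribute":
            continue
        rp = e.get("requestParameters") or {}
        if rp.get("attributeType") != "CREATE_VOLUME_PERMISSION":
            continue
        added = rp.get("createVolumePermission", {}).get("add", {}).get("items", [])
        for grant in added:
            if grant.get("group") == "all":
                severity, detail = "critical", "snapshot made public"
            elif "userId" in grant and grant["userId"] not in trusted_accounts:
                severity, detail = "high", f"shared with external account {grant['userId']}"
            else:
                continue
            findings.append({"severity": severity, "snapshot": rp.get("snapshotId"),
                             "actor": e.get("userIdentity", {}).get("arn"),
                             "time": e.get("eventTime"), "detail": detail})
    return findings


if __name__ == "__main__":
    for f in snapshot_share_findings(EVENTS):
        print(f)
```

The same grant can be made to an AMI with ModifyImageAttribute, so a real rule set covers both; and because the copy lives in the attacker’s account, the response has to revoke the permission immediately and then treat every secret on that volume as exposed.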

Trust abuse via Entra ID tenant relationships: The China-nexus actor Murky Panda compromised upstream IT service providers to pivot silently into downstream victims through trusted Entra ID (formerly Azure AD) tenant connections, according to CrowdStrike. Abusing Entra ID tenant configurations to gain admin privileges is also part of ransomware group Storm-0501’s tradecraft.

Pulling secrets directly from cloud vaults: Groups such as Storm-0501 have abused cloud-native secrets stores such as AWS Secrets Manager to harvest credentials as part of their broader ransomware and extortion campaigns. “Instead of dumping credentials from endpoints, attackers query secrets directly through cloud APIs,” says Peneto Labs’ Jegatheesan. “This avoids endpoint detection and shifts the attack into places many security teams monitor less closely.”
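An added example, not Jegatheesan’s or the article’s: because the harvesting goes through the Secrets Manager API, the audit log is the place to look. This Python sorts constructed CloudTrail records per principal and reports any principal that reads an unusually broad set of distinct secrets in a short window, noting whether a ListSecrets call came first. It contrasts a legitimate service that re-reads its one secret with a principal that walks the vault. The ARNs, secret names, window and threshold are assumptions, and the BatchGetSecretValue parameter is assumed to be logged as secretIdList.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ev(time, name, arn, **params):
    """Build a trimmed, constructed CloudTrail record."""
    return {"eventTime": time, "eventSource": "secretsmanager.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": arn}, "requestParameters": params or None}


# Constructed principals and records: a service re-reading its own secret,
# and a CI role that enumerates the vault. Names are invented.
APP = "arn:aws:sts::123456789012:assumed-role/OrdersService/i-0123456789abcdef0"
SUSPECT = "arn:aws:sts::123456789012:assumed-role/CI-Deploy/github-runner"
EVENTS = [
    ev("2025-01-10T08:00:00Z", "GetSecretValue", APP, secretId="prod/orders/db"),
    ev("2025-01-10T08:30:00Z", "GetSecretValue", APP, secretId="prod/orders/db"),
    ev("2025-01-10T09:00:00Z", "GetSecretValue", APP, secretId="prod/orders/db"),
    ev("2025-01-10T09:10:00Z", "ListSecrets", SUSPECT),
    ev("2025-01-10T09:10:20Z", "GetSecretValue", SUSPECT, secretId="prod/orders/db"),
    ev("2025-01-10T09:10:25Z", "GetSecretValue", SUSPECT, secretId="prod/payments/api-key"),
    ev("2025-01-10T09:10:31Z", "BatchGetSecretValue", SUSPECT,
       secretIdList=["prod/sso/signing-key", "prod/backup/kms", "prod/mail/smtp"]),
    ev("2025-01-10T09:10:40Z", "GetSecretValue", SUSPECT, secretId="prod/ldap/bind"),
]


def secret_ids(event):
    """Secrets touched by one record; batch reads count each ID separately."""
    rp = event.get("requestParameters") or {}
    if event["eventName"] == "GetSecretValue":
        return [rp["secretId"]] if "secretId" in rp else []
    if event["eventName"] == "BatchGetSecretValue":
        return list(rp.get("secretIdList", []))
    return []


def find_secret_enumeration(events, window_minutes=10, min_distinct=5):
    """For each principal, find the window_minutes span in which it read the
    most distinct secrets; report it if that count reaches min_distinct."""
    by_principal = defaultdict(list)
    for e in events:
        by_principal[e["userIdentity"]["arn"]].append(e)
    window = timedelta(minutes=window_minutes)
    findings = []
    for arn, evs in by_principal.items():
        evs.sort(key=lambda e: _t(e["eventTime"]))
        best = None
        for i, start in enumerate(evs):
            t0 = _t(start["eventTime"])
            secrets, listed = set(), False
            for e in evs[i:]:
                if _t(e["eventTime"]) - t0 > window:
                    break
                if e["eventName"] == "ListSecrets":
                    listed = True
                secrets.update(secret_ids(e))
            if len(secrets) >= min_distinct and (best is None or len(secrets) > best["distinct_secrets"]):
                best = {"principal": arn, "window_start": start["eventTime"],
                        "distinct_secrets": len(secrets), "listed_first": listed,
                        "secrets": sorted(secrets)}
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in find_secret_enumeration(EVENTS):
        print(f)
```

A principal’s normal breadth is the baseline to compare against: a deployment role that legitimately reads twenty secrets at every release will need a per-principal threshold, while an instance role that has only ever read one secret should alert on its second.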

Touching the void: Miscreants have even built cloud-native malware made up of custom loaders, implants, rootkits, and modular plugins, and designed to achieve persistence on compromised targets.For example, VoidLink is a highly advanced malware framework purpose-built to compromise major cloud infrastructures such as AWS, Azure, GCP, and Kubernetes clusters. The framework, apparently built and maintained by Chinese-affiliated developers, was first identified by researchers from Check Point.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4142001/12-ways-attackers-abuse-cloud-services-to-hack-your-enterprise.html

