Malware operators are turning to legitimate cloud services to conduct malicious campaigns, according to cybersecurity firm Fortinet.
In a new report, FortiGuard Labs, Fortinet’s research team, shared findings on how threat actors are abusing cloud services to enhance their malware’s malicious capabilities.
FortiGuard Labs said: “Using cloud servers for command and control (C2) operations ensures persistent communication with compromised devices, making it harder for defenders to disrupt an attack. This shift to cloud-based operations marks a significant evolution in the threat landscape.”
Examples of this strategy can be seen with remote access Trojans (RATs) such as VCRUMS hosted on Amazon Web Services (AWS), or crypters like SYK Crypter distributed via DriveHQ.
“We have also observed a threat actor exploiting multiple vulnerabilities to target JAWS webservers, Dasan GPON home routers, Huawei HG532 routers, TP-Link Archer AX21, and Ivanti Connect Secure to amplify their attacks,” the FortiGuard Labs researchers wrote.
New Malware Strain Observed
In the report, FortiGuard Labs mentioned three malware strains currently exploiting cloud services to amplify their impact.
The security researchers discovered a new malware strain, named ‘Skibidi,’ exploiting two vulnerabilities in the TP-Link Archer AX21 Wi-Fi router (CVE-2023-1389) and Ivanti Connect Secure products (CVE-2024-21887).
Next, FortiGuard Labs analyzed two botnets, Condi and Unstable.
The former targets the same TP-Link Archer vulnerability to deploy distributed denial of service (DDoS) attacks.