BLACK HAT EUROPE 2022 – London – CoinStomp. Watchdog. Denonia.
These cyberattack campaigns are among the most prolific threats today targeting cloud systems — and their ability to evade detection should serve as a cautionary tale of potential threats to come, a security researcher detailed here today.
“Recent cloud-focused malware campaigns have demonstrated that adversary groups have intimate knowledge of cloud technologies and their security mechanisms. And not only that, they are using that to their advantage,” said Matt Muir, threat intelligence engineer for Cado Security, who shared details on those three campaigns his team has studied.
While the three attack campaigns are all about cryptomining at this point, some of their techniques could be used for more nefarious purposes. And for the most part, these and other attacks Muir’s team has seen are exploiting misconfigured cloud settings and other mistakes. That for the most part means defending against them lands in the cloud customer camp, according to Muir.
“Realistically for these kinds of attacks, it has more to do with the user than the [cloud] service provider,” Muir tells Dark Reading. “They are very opportunistic. The majority of attacks we see have more to do with mistakes” by the cloud customer, he said.
Perhaps the most interesting development with these attacks is that they are now targeting serverless computing and containers, he said. “The ease of which cloud resources can be compromised has made the cloud an easy target,” he said in his presentation, “Real-World Detection Evasion Techniques in the Cloud.”
DoH, It’s a Cryptominer
Denonia malware targets AWS Lambda serverless environments in the cloud. “We believe it’s the first publicly disclosed malware sample to target serverless environments,” Muir said. While the campaign itself is about cryptomining, the attackers employ some advanced command and control methods that indicate they’re well-studied in cloud technology.
The Denonia attackers employ a protocol that implements DNS over HTTPS (aka DoH), which sends DNS queries over HTTPS to DoH-based resolver servers. That gives the attackers a way to hide within encrypted traffic such that AWS can’t view their malicious DNS lookups. “It’s not the first malware making use of DoH, but it certainly isn’t a common occurrence,” Muir said. “This prevents the malware to trigger an alert” with AWS, he said.
The attackers also appeared to have tossed in more diversions to distract or confuse security analysts, thousands of lines of user agent HTTPS request strings.
“At first we thought it was might be a botnet or DDoS … but in our analysis it was not actually used by malware” and instead was a way to pad the binary in order to evade endpoint detection & response (EDR) tools and malware analysis, he said.
More Cryptojacking With CoinStomp and Watchdog
CoinStomp is cloud-native malware targeting cloud security providers in Asia for cryptojacking purposes. Its main modus operandi is timestamp manipulation as an anti-forensics technique, as well as removing system cryptographic policies. It also uses a C2 family based on a dev/tcp reverse shell to blend into cloud systems’ Unix environments.
Watchdog, meanwhile, has been around since 2019 and is one of the more prominent cloud-focused threat groups, Muir noted. “They are opportunistic in exploiting cloud misconfiguration, [detecting those mistakes] by mass scanning.”
The attackers also rely on old-school steganography to evade detection, hiding their malware behind image files.
“We’re at an interesting point in cloud malware research,” Muir concluded. “Campaigns still are lacking somewhat in technicality, which is good news for defenders.”
But there’s more to come. “Threat actors are becoming more sophisticated” and likely will move from cryptomining to more damaging attacks, according to Muir.