Sophos Labs has discovered a new APT-style malware on cloud-hosted servers running both Linux and Windows. Called Cloud Snooper, it can evade traditional firewall security techniques, both on premises and in the cloud.
A sneaky attack
Cyberattacks tunneling to evade a firewall is nothing new, but the stand-out aspect of Cloud Snooper is the ability of the malware to evade traditional stateful firewalling by an intricate request forgery. Using local packet reassembly to redirect traffic from a known service port (TCP 80/443) to the command and control client’s service ports – it’s not something you see every day. The same goes for the use of source ports in the request’s header to trigger specific pre-built actions in the remote access toolkit client.
Windows or Linux, no one is safe
The Cloud Snooper APT was specifically written to thrive in the kind of mixed OS environment most public clouds represent – making no one safe. This malware is multi-platform, and it managed to infiltrate the Linux systems through what appears to be a dictionary attack on an exposed SSH port. This is a clear change from typical malware behavior – after all a normal attack would go after Windows-based machines due to the large user desktop install base.
This shift in tactics is indicative of the hunting grounds that public clouds have become for attackers; with the public IP ranges known it’s incredibly easy to continuously scan the entirety of a public cloud provider’s external facing footprint and launch automated attacks against known service ports.
How to protect your workloads from Cloud Snooper
So, what can you do to protect yourself against Cloud Snooper and similar malware in the public cloud? Follow our six point check list to stop this latest attack type, and check out Tim Rains’s excellent webinar on this topic.
Deploy server-specific anti-malware on workloads
Making sure endpoint security is deployed on any server-based workload is tantamount to securing its operation, as any shared responsibility diagram will tell you. Cloud Snooper malware is a great example of why you need to have visibility and enforcement on the workload itself – without next-generation anti-exploit technologies provided by Sophos Intercept X for Server, for example, the driver-based exploit on the Windows system would go completely undetected. And the same goes for Linux machines; determining whether a kernel module is malicious based on the name alone (“snd_floppy”) is very hard to do, especially at scale. In order to convict these types of malwares it is very important to analyse their behavior to determine their intent.
Set up process whitelisting
Process whitelisting on cloud workloads should be a given; since you know exactly what you need a particular instance to do, any processes outside of the ones needed for the workload to do its task should be considered superfluous at best, suspect at worst. Using an automated process whitelisting solution like Server Lockdown in Sophos Intercept X for Server will not only make this process as easy as flipping a switch, it will also prevent the command and control client from executing in the first place.
Extend security groups with deep packet inspection
A stateful firewall is no match for today’s modern threat landscape – as more and more attackers wrap their communications in TLS, just about any protocol can be tunneled through just about any open port, your first line of defense needs visibility into the actual content of the traffic.
Enable secure connectivity and strong authentication for remote access
Password-based authentication is simply not enough to protect external facing remote access through protocols like SSH, RDP and others. The best practice is to not have any of these ports exposed publicly to begin with by only enabling them through VPN connections, for example. But if you have to enable remote access publicly, make sure to at least set up some form of multi-factor authentication using either certificates, tokens or a combination of both.
A good way to implement a combination of these best practices is to use the built-in TOTP based multi-factor authentication in Sophos UTM and Sophos XG Firewall, combined with our HTML5 clientless VPN through a secure user portal.
Use a Cloud Security Posture Management solution
Cloud Security Posture Management solutions, or CSPM for short, exist to help gain insight into the security posture of your public cloud estate. Having an inventory of hosts and security groups helps spot potentially insecure configurations before they become exploited by an attacker.
Sophos Cloud Optix doesn’t just do this, it also visually maps the infrastructure in your cloud accounts with a traffic overlay, so you can easily spot traffic abnormalities between hosts and interrogate your security group settings to determine if they are actually helping you secure your instances correctly. Beyond that, the AI automatically learns the traffic baseline for your environment, so an attacker suddenly causing activity on an unused port (or a lot more traffic on a previously dormant or less-used port) will immediately lead to a potential security risk being flagged for your team to investigate.
On top of all of this CSPM solutions like Cloud Optix help defend against other common avenues of attack such as security misconfigurations, credential reuse, privilege abuse and overprivileged access. Together this helps you stay on top of the best practices for your environments and prevent many different types of common attacks.
Set up patch management
While it’s not entirely clear how Cloud Snooper managed to infiltrate the original host, a common best practice for any machine (virtual or physical) is to deploy patches and hotfixes in a timely manner to prevent known bugs to be exploited by attackers. An ounce of prevention is better than a pound of cure, after all.
The challenge in the public cloud however is to do this at scale and at the pace of the cloud, which is why all major cloud vendors have some form of a CMDB or patch management solution that integrates with their platform, such as Systems Manager on AWS and Update Manager on Azure.
While each individual element of Cloud Snooper has been observed previously, they have not been seen before in combination. Sophos expects that these new tactics will trickle down to the lower rungs of the cybercriminal hierarchy and be used as blueprints for new cloud attacks targeting Windows and Linux-based cloud assets and one every organization using the cloud should be ready for.