A recent study by Veriti Research has uncovered a disturbing trend in cybersecurity: hackers are increasingly exploiting cloud services to distribute malware and establish command-and-control (C2) operations.
The research reveals that over 40% of networks allow unrestricted “any/any” communication with at least one major cloud provider, creating a significant security vulnerability.
Cloud Infrastructure Exploited for Malicious Activities
This misconfiguration enables cybercriminals to exfiltrate data to attacker-controlled cloud instances and deploy malicious payloads from trusted cloud services, effectively tricking users into downloading malware.
The study identified several malware campaigns abusing cloud storage for payload delivery, including XWorm and Remcos, which utilized Amazon Web Services (AWS) S3 storage to distribute their malicious executables.
Cloud Platforms Serve as Command-and-Control Hubs
Beyond malware hosting, the research found that cloud platforms are frequently exploited as C2 servers, allowing adversaries to control infected systems remotely.
Various malware campaigns were observed utilizing cloud infrastructure from providers such as AWS, Google Cloud, Microsoft Azure, and Alibaba Cloud for C2 communications.
One particularly concerning development is the growing use of Sliver C2 in cloud-based attacks.
Sliver C2, an open-source command-and-control framework initially developed for penetration testing, is now being actively exploited by threat actors to facilitate persistent access and post-exploitation tactics.
It has been adopted by Advanced Persistent Threat (APT) groups for stealthy C2 operations and is often used in conjunction with Rust-based malware to establish backdoors.
The research also identified several critical vulnerabilities affecting cloud-hosted services, further highlighting the need for improved cloud security measures.
These vulnerabilities were found in services provided by AWS, Azure, and Alibaba Cloud.
To mitigate these risks, organizations are advised to restrict “any/any” network rules, deploy cloud-native security solutions to detect malicious activities, and enforce continuous exposure management and security control assessments.
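The "any/any" rule the study warns about is simple to find once you have the rule set in hand. The following audit script is an added example, not part of the Veriti report or the article: it models rules using the AWS security-group convention (protocol "-1" means any protocol and therefore any port) and flags rules that allow any protocol on any port to any address, any protocol toward a cloud provider's prefix, or a single port to an unrestricted destination. The rule names, the sample rules, and the provider prefix lists are constructed for the example (RFC 5737 documentation ranges stand in for real provider space; in practice you would load the provider's published prefix list).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical stand-in for published cloud provider prefix lists.
# AWS, for instance, publishes its real ranges at
# https://ip-ranges.amazonaws.com/ip-ranges.json; the prefixes below are
# constructed RFC 5737 documentation ranges, not any provider's real space.
CLOUD_PREFIXES: Dict[str, List[str]] = {
    "ExampleCloud-A": ["198.51.100.0/24"],
    "ExampleCloud-B": ["203.0.113.0/24"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str   # "egress" or "ingress"
    protocol: str    # "-1" means any protocol (AWS security-group convention)
    from_port: int   # -1/-1 together with protocol "-1" means all ports
    to_port: int
    cidr: str        # remote address range the rule applies to


def _network(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def is_any_any(rule: Rule) -> bool:
    """True when the rule permits any protocol on any port to/from any address."""
    all_proto = rule.protocol == "-1"
    all_ports = all_proto or (rule.from_port == 0 and rule.to_port == 65535)
    any_addr = _network(rule.cidr).prefixlen == 0   # 0.0.0.0/0
    return all_proto and all_ports and any_addr


def matching_providers(cidr: str) -> List[str]:
    """Providers whose (constructed) prefixes overlap the rule's CIDR."""
    net = _network(cidr)
    return [
        provider
        for provider, prefixes in CLOUD_PREFIXES.items()
        if any(net.overlaps(_network(p)) for p in prefixes)
    ]


def audit(rules: List[Rule]) -> List[dict]:
    """Return one finding per over-permissive rule, most severe conditions first."""
    findings = []
    for r in rules:
        providers = matching_providers(r.cidr)
        any_addr = _network(r.cidr).prefixlen == 0
        if is_any_any(r):
            reason = "any protocol, any port, any address"
            severity = "high"
        elif r.protocol == "-1" and providers:
            reason = f"any protocol/port toward {', '.join(providers)}"
            severity = "high"
        elif any_addr:
            reason = f"{r.protocol}/{r.from_port}-{r.to_port} to any address"
            severity = "medium"
        else:
            continue  # scoped to a protocol, port range and specific CIDR
        findings.append({
            "rule": r.name,
            "direction": r.direction,
            "severity": severity,
            "reason": reason,
            "providers": providers,
        })
    return findings


# Constructed sample rule set, mixing one any/any rule with scoped ones.
SAMPLE_RULES = [
    Rule("allow-all-egress", "egress", "-1", -1, -1, "0.0.0.0/0"),
    Rule("cloud-a-anything", "egress", "-1", -1, -1, "198.51.100.0/24"),
    Rule("https-anywhere", "egress", "tcp", 443, 443, "0.0.0.0/0"),
    Rule("dns-resolver", "egress", "udp", 53, 53, "10.0.0.2/32"),
    Rule("ssh-from-bastion", "ingress", "tcp", 22, 22, "10.0.1.0/24"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"[{f['severity']}] {f['rule']} ({f['direction']}): {f['reason']}")
```

Running the script on the sample set reports the blanket egress rule and the any-protocol rule toward the provider prefix as high, the single-port rule to 0.0.0.0/0 as medium, and nothing for the two scoped rules. The provider overlap check is what turns a generic "too broad" finding into the specific exposure the study describes: a rule that reaches a provider's address space with no protocol or port restriction.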
As cloud services continue to be targeted by cybercriminals, a proactive, security-first approach to cloud infrastructure management becomes increasingly crucial for maintaining robust cybersecurity defenses.