This post was written by Xavier Zepiora, a junior cybersecurity major at Messiah University.
I recently read an article detailing how cloud attacks are becoming more common these days, and that these attacks are a result of misconfigured cloud settings. A team from Cado Security studied three different cloud attacks that have been impacting businesses. In this post, I’ll share a brief synopsis of each attack and how they confirm a need for more education regarding cloud security.
The first piece of malware the team came across is called DoH because it uses DNS queries over HTTPS. This attack is happening in serverless environments provided by AWS. Sending DNS queries over HTTPS means that they are encrypted and can’t be viewed by AWS security services. The malware also sends thousands of HTTPS string requests, so that EDR services do not detect it. This attack is primarily used for cryptomining but could be used in other ways, as it uses command-and-control methods to operate.
The second piece of malware primarily targets cloud providers in Asia and blends into their UNIX-based systems. The malware uses timestamp manipulation to hide from detection. It has primarily been used for cryptojacking, which is when someone else’s resources are used to mine cryptocurrency for the attackers.
The third is a group known as Watchdog, which has been in operation since 2019. They have been performing cryptojacking attacks and find vulnerable cloud services through mass scans. They are also known for using steganography to avoid detection.
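As an added illustration of the timestamp manipulation mentioned above (this example is not from the article or from Cado Security's research): on POSIX systems a file's modification time can be set freely, but the kernel stamps the inode change time (ctime) itself, so a backdated file shows a modification time far older than its ctime. The threshold, function names and sample file names below are assumptions made for the demonstration.

```python
import os
import stat
import tempfile
import time
from pathlib import Path

# Assumed threshold: flag files whose mtime predates ctime by more than a day.
BACKDATE_THRESHOLD_S = 24 * 3600

def find_backdated(root, threshold_s=BACKDATE_THRESHOLD_S):
    """Return sorted (path, gap_seconds) for regular files under root whose
    mtime is older than their ctime by more than threshold_s (POSIX only)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                st = path.lstat()          # do not follow symlinks
            except OSError:
                continue                   # file vanished or is unreadable
            if not stat.S_ISREG(st.st_mode):
                continue
            gap = st.st_ctime - st.st_mtime
            if gap > threshold_s:
                hits.append((str(path), int(gap)))
    return sorted(hits)

def demo():
    """Constructed sample: one ordinary file and one backdated by two years."""
    with tempfile.TemporaryDirectory() as d:
        normal = Path(d) / "app.log"               # constructed name
        planted = Path(d) / "sample_dropped_bin"   # constructed name
        normal.write_text("ok\n")
        planted.write_text("placeholder\n")
        old = time.time() - 2 * 365 * 24 * 3600
        # utime sets atime/mtime only; the kernel updates ctime to "now".
        os.utime(planted, (old, old))
        return [Path(p).name for p, _gap in find_backdated(d)]

if __name__ == "__main__":
    print(demo())
```

Files unpacked from archives or copied with preserved timestamps show the same gap legitimately, so this is a triage heuristic best limited to writable directories such as temporary and home paths rather than run over a whole system.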
These attacks are currently being used only for cryptocurrency mining, but there is nothing stopping attackers from using the same methods to run other kinds of attacks on cloud systems. This shows the need for cybersecurity professionals to understand cloud security better, as well as IT professionals working at small companies that outsource to the cloud. If all three of the leading attack frameworks right now are a result of poor configuration, it means we need more cloud education.