Have you heard of Cloud Snooper?
Sophos, a leader in next-gen cybersecurity, recently published a report on this new and sophisticated attack. According to their report, Cloud Snooper uses a unique combination of techniques to evade detection, allowing malware on servers to communicate freely with its command and control (C2) servers through firewalls that would normally block that traffic. The detailed SophosLabs report deconstructs the TTPs (tactics, techniques, and procedures) used in the attack, which they suspect was the work of an advanced actor – possibly nation-state sponsored.
The TTPs used in the Cloud Snooper attack include a rootkit that circumvents firewalls, a technique that disguises the attacker's access to the server as normal traffic so the firewall lets it through, and a backdoor payload whose malicious code is shared between Windows and Linux versions. Each of these techniques has been seen before in attacks by skilled adversaries, and each on its own is known but very uncommon; what is new is seeing them used together.
So how does this affect your business?
Sophos expects that this combination of TTPs will “trickle down” and become more commonplace throughout the cybercriminal hierarchy, becoming the blueprint for future firewall attacks.
Sergei Shevchenko, Threat Research Manager at SophosLabs, said “This is the first time we have seen an attack formula that combines a bypassing technique with a multi-platform payload, targeting both Windows and Linux systems. IT security teams and network administrators need to be diligent about patching all external-facing services to prevent attackers from evading cloud and firewall security policies. IT security teams also need to protect against multi-platform attacks. Until now, Windows-based assets have been the typical target, but attackers are more frequently considering Linux because cloud services have become popular hunting grounds. It’s a matter of time before more cybercriminals adopt these techniques.”
If you’re a business owner or manager, now is the time to talk to your IT security team about their plans to respond to this potential threat. If you are responsible for your organization’s network security, here’s some advice for defending against Cloud Snooper and similar attacks:
- Create a full inventory of all devices connected to the network, and update all security software used on these devices.
- Ensure all external-facing services are fully patched. Cloud hosting services often provide firewall security, but this should not be a substitute for an organization's own cloud security measures.
- Check and double check all cloud configurations. User misconfiguration and lack of visibility are among the leading causes of attacks in the cloud.
- Enable multi-factor authentication on any security dashboards or control panels used internally to prevent attackers from disabling security products during an attack.
- Remember, there is no single silver bullet for security, and a layered, defense-in-depth, next generation security model that includes components designed specifically to protect data and networks in the cloud (like Sophos Intercept X for Server) is an essential best practice.
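The list above recommends checking cloud configurations and treating the cloud provider's firewall as only one layer. As an added illustration that is not part of the original article or of the Sophos report, the following Python script audits a set of security-group-style ingress rules and flags rules that expose administrative ports, wide port ranges, or all traffic to the whole internet. The rules are constructed inline (modelled on the shape of AWS EC2 security-group ingress rules, but nothing here talks to a cloud API), and the port list, severity labels and the 1,000-port threshold for a "wide" range are assumptions chosen for the example.

```python
"""Audit cloud firewall (security-group style) ingress rules for risky exposure.

Example code, not from the article or the Sophos report. The rule shape mirrors
AWS EC2 security-group ingress rules; the sample data below is constructed.
"""
from dataclasses import dataclass
import ipaddress

# Assumption: ports that should never be reachable from the whole internet.
ADMIN_PORTS = {
    22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
    6379: "Redis", 27017: "MongoDB",
}
# Assumption: a world-open range at least this wide is treated as critical.
WIDE_RANGE_THRESHOLD = 1000


@dataclass(frozen=True)
class IngressRule:
    group: str
    proto: str        # "tcp", "udp" or "-1" (all protocols)
    from_port: int    # -1 means all ports
    to_port: int
    cidr: str         # IPv4 or IPv6 CIDR


@dataclass(frozen=True)
class Finding:
    group: str
    severity: str     # "CRITICAL" or "HIGH"
    detail: str


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. any source address on the internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit(rules):
    """Return a list of Finding objects for rules exposed to the whole internet."""
    findings = []
    for r in rules:
        if not is_world_open(r.cidr):
            continue  # scoped to a specific network; not flagged here
        if r.proto == "-1" or r.from_port == -1:
            findings.append(Finding(r.group, "CRITICAL",
                                    f"all traffic open to {r.cidr}"))
            continue
        if r.to_port - r.from_port >= WIDE_RANGE_THRESHOLD:
            findings.append(Finding(r.group, "CRITICAL",
                                    f"{r.proto} ports {r.from_port}-{r.to_port} open to {r.cidr}"))
            continue
        for port, name in ADMIN_PORTS.items():
            if r.from_port <= port <= r.to_port:
                findings.append(Finding(r.group, "HIGH",
                                        f"{name} ({port}/{r.proto}) open to {r.cidr}"))
    return findings


# Constructed sample: a typical "it works, ship it" set of rules.
SAMPLE_RULES = [
    IngressRule("sg-web-bad", "tcp", 80, 80, "0.0.0.0/0"),       # fine: public web
    IngressRule("sg-web-bad", "tcp", 443, 443, "0.0.0.0/0"),     # fine: public web
    IngressRule("sg-web-bad", "tcp", 22, 22, "0.0.0.0/0"),       # SSH open to the world
    IngressRule("sg-web-bad", "tcp", 0, 65535, "::/0"),          # every TCP port over IPv6
    IngressRule("sg-db-bad", "-1", -1, -1, "0.0.0.0/0"),         # everything, everywhere
]

# Constructed sample: the same services with exposure limited to what is needed.
HARDENED_RULES = [
    IngressRule("sg-web", "tcp", 80, 80, "0.0.0.0/0"),
    IngressRule("sg-web", "tcp", 443, 443, "0.0.0.0/0"),
    IngressRule("sg-web", "tcp", 22, 22, "203.0.113.0/24"),      # admin range only (assumed)
    IngressRule("sg-db", "tcp", 3306, 3306, "10.0.1.0/24"),      # app subnet only (assumed)
]

if __name__ == "__main__":
    for label, rules in (("sample", SAMPLE_RULES), ("hardened", HARDENED_RULES)):
        print(f"== {label}: {len(audit(rules))} finding(s)")
        for f in audit(rules):
            print(f"  [{f.severity}] {f.group}: {f.detail}")
```

Against the sample rules the audit produces three findings (world-open SSH, an all-ports IPv6 range, and an all-traffic rule); the hardened set, which still serves HTTP and HTTPS publicly, produces none. Feeding it real rules exported from a provider's API is left to the reader; the point is that a firewall rule which merely "works" can still be the misconfiguration that gives an attacker the foothold the article warns about.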
If you need help hardening your network against cyber threats, our expert IT team is here to help. We can work with you and even your existing IT security team to make any necessary changes so your network is prepared for the worst.
This article is based on the February 25, 2020 Sophos Press Release.