The news of yet another data breach has rocked the cybersecurity space and raised a new set of questions. This time around, the victim was the leading Cloud Service Provider (CSP) Amazon Web Services (AWS).
A unique characteristic of this attack is that the highly advanced modus operandi chosen to mount this attack has the potential to breach most other CSP’s security protocols and even on-premise data centers with web traffic.
The comprehensive data, pattern and information about this most recent attack as been released by UK based cybersecurity company Sophos. The level of sophistication applied to this attack has pointed towards a state-backed group of highly skilled hackers.
Let’s share with you the info that is readily available about the attack and how it was orchestrated. Hackers were able to install a rootkit over some compromised Windows and Linux machines over AWS infrastructure.
This rootkit allowed hackers to remotely control the compromised servers. Highly sensitive corporate data was then accessed using this rootkit and hackers were able to funnel this data out of the cloud-hosted data center.
A pertinent question is what were network control mechanisms and firewalls doing when all this was happening. Well, this is a very worrying thought and the answer is that all the Security Groups (SG) were perfectly configured and never tampered with.
The rootkit was placed within the perimeter of the cloud network, to make it invisible to mechanisms that regulate the flow of inbound and outbound network traffic. The rootkit in turn communicated with a preinstalled backdoor within the network.
Said backdoor is based on the source code of Ghost Rat Malware, notoriously famous for manipulating network traffic. The hackers were able to disguise malicious requests as normal HTTP requests to get them past the firewalls and SGs.
Once these requests made it past the firewall and SG rules, the rootkit would decode and execute the malicious requests. Once executed, these requests would use the backdoor to ex-filtrate data residing over the AWS cloud servers.
When the data was extracted successfully using the backdoor, the rootkit would again mask this data in such a way that it would blend with the routine outgoing network traffic such as server response to a legitimate request.
