In March 2020, Sophos published a report on a sophisticated attack carried out on various Linux and Windows EC2 instances hosted by Amazon Web Services (AWS). Complex malware―a rootkit with a remote access Trojan (RAT) that served as a backdoor—was used to control the compromised machines.
The perpetrators were able to freely communicate with the rootkit and funneled sensitive data to their servers, bypassing firewall settings. Dubbed the "Cloud Snooper" by Sophos, security experts deem it "technically, a thing of beauty." This blog sheds light on the unique nature of this attack and how to spot it in your network.
The security team began investigation when a Linux system was found to be listening for inbound connections on TCP ports 2080 and 2053. This was an anomaly, because the AWS security groups (SGs), which act as firewalls, were configured to allow traffic only through ports 80 and 443, i.e., the HTTP and HTTPS traffic. Further analysis revealed a similar anomaly on multiple Linux systems and the presence of a certain rootkit on all of them.
Usually, a rootkit is a set of tools that perform malicious operations with admin privileges. These tools can be anything including keyloggers, banking credential and password stealers, antivirus disablers, and bots for DDoS attacks. The Cloud Snooper rootkit has tools that facilitate undetected communication with the attacker's command and control (C2) servers through the firewall. This allowed the attackers to access sensitive data through a RAT backdoor, operating at TCP ports 2080 and 2053.
The rootkit has a component known as a communications handler, which played a major role in facilitating communication between malware and the attacker. The handler constantly inspects the HTTP and HTTPS traffic allowed by the firewall. If the source port in the packets is 1010, 2020, 6060, 7070, 8080, or 9999, the handler identifies it as a command from the attackers and redirects it to ports 2080 and 2053.
These are the default ports at which the rootkit has been designed to receive traffic. The rest of the traffic is allowed to pass to ports 80 and 443. The firewalls use the destination ports alone when deciding whether to block or allow incoming traffic, as the source ports can be ephemeral; the attackers had no worries of being discovered.
In reverse communication, the handler collects data stolen by malware from ports 2080 and 2053, rewrites the source ports as 80 or 443, and sends it through the firewall back to the C2 servers of the attackers.
This attack has been carried out using the same or slightly modified rootkits on multiple Linux hosts and even a Windows host, too. The code for the backdoor in Windows is based on the infamous Gh0st RAT, which is capable of assuming complete control of the device. It's unclear how the rootkit first found its way onto the compromised systems, but security experts believe it may have been installed during an exploit of unpatched systems or by a brute-force attack on password-protected Secure Shell (SSH) channels.
Here are a few indicators of compromise (IoCs) for detecting Cloud Snooper in your cloud environment:
| Open ports on local hosts | 2080, 10443 (TCP); 2053(UDP). |
| Inbound connections from the remote ports | 1010, 2020, 6060, 7070, 8080, 9999 |
| Domains | cloud.newsofnp.com, ssl.newsofnp.com |
| IP addresses | 62.113.255.18 89.33.246.111 |
| File names | /tmp/rrtserver-lock /proc/sys/rrootkit /tmp/rrtkernel.ko /usr/bin/snd_floppy |
| Kernel module | snd_floppy |
Collecting and analyzing logs from your cloud environment can help you detect these IoCs at an early stage and minimize damage. Cybersecurity solutions such as a security information and event management (SIEM) tool can detect and mitigate these attacks with real-time alerts, automatic remediation workflows, anomaly detection, and more.
Cloud Snooper is considered unique, because it not only remained inconspicuous, but it also attacked both Windows and Linux at the same time, demonstrating the multi-platform nature of modern cyberattacks. This rootkit's abilities are not limited to bypassing AWS SGs. It can also communicate with and control compromised machines on any platform, on any OS, behind any firewall boundary.
Ensure your systems are regularly patched and your SSH channels are protected with complex passwords. Read more on SSH Linux attacks here. You also need maximum visibility into your network and its data in order to detect incidents as early as possible.
ManageEngine Log360 is a SIEM solution that extensively audits firewalls, routers, switches, applications, file servers, web servers and much more, giving you complete visibility into both on-premises and popular cloud platforms like AWS. You can leverage Log360's capabilities such as real time alerting, quick search, and correlation, to identify IoCs of various attacks.
Log360 also offers an incident management module that helps prioritize and resolve security incidents and a threat intelligence platform that brings in dynamic threat feeds for security monitoring. Learn more about Log360 today.
You will receive regular updates on the latest news on cybersecurity.
© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.
