Researchers Demonstrate New Cloud Snooper Attack That Bypasses Firewall Security Measures
- The attack can allow malware on servers to communicate freely with its command and control servers through firewalls.
- The inbound traffic to the target server is intercepted using a specially-crafted request designed to download a backdoor trojan.
A sophisticated attack that uses a unique combination of techniques to allow malware to gain persistence on servers has been reported by researchers. Named Cloud Snooper, the attack also allows malware on infected servers to communicate freely with its command and control (C2) servers through firewalls.
Important ingredients of the attack
The TTPs used in the attack include:
- A rootkit to circumvent firewalls and to inspect network traffic;
- A rare technique to gain access to servers disguised as normal traffic;
- A backdoor payload that shares malicious code between both Windows and Linux operating systems.
The inbound traffic to the target server is intercepted using a specially-crafted request designed to download a backdoor trojan. The researchers noted that attackers can use the backdoor to steal sensitive data from the target.
“The collected data is then delivered back with the C2 traffic. Only this time, the rootkit has to masquerade it again in order to bypass the guards: the wolf dresses itself in sheep’s clothing once again. Once outside, the C2 traffic delivers the collected data back to the attackers,” added researchers.
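One check a defender can run against the first packet of each inbound connection, added here as an example and not taken from the Sophos report or the original article: it flags connections arriving on allow-listed web ports whose payload is not the protocol the firewall rule was meant to admit, which is the masquerading described above. The flow records, addresses and export format are constructed assumptions.

```python
import re
from typing import Optional

# Constructed sample: (source address, destination port, first payload bytes)
# for inbound TCP connections. Assumed export format; no value comes from the
# Cloud Snooper report.
SAMPLE_FLOWS = [
    ("198.51.100.7", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("203.0.113.9", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    ("192.0.2.44", 80, b"\x00\x1c\xfe\xed\x00\x01ls /root\n"),
    ("192.0.2.44", 443, b"BEACON id=7 host=web01\n"),
    ("198.51.100.7", 8080, b"POST /api HTTP/1.1\r\n"),
]

HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")


def expected_protocol(port: int) -> Optional[str]:
    """Protocol that the firewall allow rule for this port is meant to admit."""
    return {80: "http", 443: "tls"}.get(port)


def conforms(proto: str, payload: bytes) -> bool:
    """Check the opening bytes of a connection against the expected protocol."""
    if proto == "http":
        return HTTP_REQUEST_LINE.match(payload) is not None
    if proto == "tls":
        # TLS record header: content type 0x16 (handshake), major version 3,
        # then handshake type 0x01 (ClientHello) at offset 5.
        return (len(payload) >= 6 and payload[0] == 0x16
                and payload[1] == 0x03 and payload[5] == 0x01)
    return False


def find_masqueraded(flows):
    """Return sources whose allowed-port traffic is not the admitted protocol."""
    suspects = []
    for src, port, payload in flows:
        proto = expected_protocol(port)
        if proto is None:
            continue  # port has no protocol-specific allow rule to validate
        if not conforms(proto, payload) and src not in suspects:
            suspects.append(src)
    return suspects


if __name__ == "__main__":
    print(find_masqueraded(SAMPLE_FLOWS))  # ['192.0.2.44']
```

A firewall that only matches on port admits the third and fourth flows; the payload check is what separates them from the genuine HTTP and TLS connections.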
SophosLabs researchers note that the case is extremely interesting because it demonstrates the truly multi-platform nature of a modern attack. IT security teams therefore need to build the security of their critical infrastructure to protect against multi-platform attacks.