"Cloud Snooper" Attack Bypasses Firewall Security Measures (Feb 25, 2020)
Researchers at SophosLabs have released a report on a new attack called “Cloud Snooper.” The attack uses sophisticated techniques to smuggle command and control (C2) traffic through firewalls. The technique involves compromising a server that exposes a public-facing service, for example a web server. The server is infected with a rootkit that intercepts incoming network packets and checks the source port field for certain magic values. Depending on which source port value it sees, the rootkit passes different C2 instructions to a backdoor that the rootkit also installs. This allows the threat actor to maintain C2 communication through what appears to be legitimate traffic to the public service.
Recommendation: Verify that every service with an open port (listening on either TCP or UDP) is a legitimate and expected service. By default the backdoor uses TCP/2080 and UDP/2053, but these ports are configurable. Inbound traffic should also be inspected for anomalies: the source port is normally chosen at random by the client operating system when a network socket is opened, so source ports should not appear to follow a pattern.
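As an added example (not code from the Sophos report or from this briefing), the following Python sweep applies the recommendation above to constructed flow records: it flags client source ports that recur across connections or fall below the ephemeral range, and lists flows aimed at the backdoor's default listening ports. The record format, IP addresses, port range bound and repeat threshold are assumptions.

```python
import re
from collections import Counter

# Constructed flow records (not from the report): "ts src:port -> dst:port proto".
# 203.0.113.7 reuses fixed low source ports toward the web server (the pattern the
# rootkit keys on); the other clients use OS-chosen ephemeral ports.
SAMPLE_FLOWS = """\
1582600001 203.0.113.7:6081 -> 10.0.0.5:80 TCP
1582600002 203.0.113.7:6081 -> 10.0.0.5:80 TCP
1582600003 198.51.100.3:51532 -> 10.0.0.5:80 TCP
1582600004 203.0.113.7:8081 -> 10.0.0.5:80 TCP
1582600005 198.51.100.9:49833 -> 10.0.0.5:443 TCP
1582600006 203.0.113.7:6081 -> 10.0.0.5:80 TCP
1582600007 192.0.2.4:51533 -> 10.0.0.5:80 TCP
1582600008 203.0.113.7:8081 -> 10.0.0.5:80 TCP
1582600009 203.0.113.7:40123 -> 10.0.0.5:2080 TCP
malformed line that a real export might contain
"""

FLOW_RE = re.compile(r"^(\d+) (\S+):(\d+) -> (\S+):(\d+) (TCP|UDP)$")
EPHEMERAL_MIN = 32768  # assumed: lower bound of the Linux default ip_local_port_range
BACKDOOR_DEFAULT_PORTS = {("TCP", 2080), ("UDP", 2053)}  # defaults named in the write-up

def parse_flows(text):
    """Yield (src_ip, src_port, dst_ip, dst_port, proto); skip malformed lines."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # do not let one bad export line abort the whole sweep
        _ts, src_ip, sport, dst_ip, dport, proto = m.groups()
        yield src_ip, int(sport), dst_ip, int(dport), proto

def find_suspicious_source_ports(text, repeat_threshold=2):
    """Map (src_ip, src_port) -> (hit_count, reasons) for source ports that recur
    across connections or sit below the ephemeral range. A normal client gets a fresh
    OS-chosen port per connection; allow-list known fixed-port talkers before alerting."""
    counts = Counter((src, sport) for src, sport, _d, _dp, _p in parse_flows(text))
    findings = {}
    for key, n in counts.items():
        reasons = []
        if n >= repeat_threshold:
            reasons.append("repeated-source-port")
        if key[1] < EPHEMERAL_MIN:
            reasons.append("below-ephemeral-range")
        if reasons:
            findings[key] = (n, tuple(reasons))
    return findings

def flows_to_backdoor_ports(text):
    """Flows whose destination matches one of the backdoor's default listening ports."""
    return [f for f in parse_flows(text) if (f[4], f[3]) in BACKDOOR_DEFAULT_PORTS]
```

Feed it your own flow or firewall export after adapting FLOW_RE; the thresholds are deliberately low for the sample and should be tuned against a baseline of normal client behaviour.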
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.