Attack Overview
A cyber espionage campaign designated HazyBeacon, tracked as CL-STA-1020, is actively targeting government networks in Southeast Asia. Researchers at Qualys Security uncovered the operation, which exploits AWS Lambda Function URLs as hidden command and control (C2) relays. The attackers leverage misconfigured serverless features and stolen cloud credentials to route malicious traffic through trusted AWS infrastructure, significantly complicating detection efforts.
Technical Mechanics
The attack relies on Lambda Function URLs configured with AuthType: NONE, which allows unauthenticated public access. These endpoints expose a function over a plain HTTPS URL without API Gateway or a load balancer in front of it, so the attacker's footprint in the account stays small and easy to overlook. Using compromised IAM credentials, the attackers create Lambda functions in hijacked AWS accounts, enable public Function URLs on them, and use those functions as proxies that relay encrypted traffic from the malware to the real C2 server. Because the endpoints live under the legitimate “on.aws” domain, the traffic blends in with ordinary AWS traffic and passes security tooling unremarked.
Impact and Countermeasures
Infected systems communicate with attacker infrastructure through these Lambda relays, masking the true C2 destination. HazyBeacon functions as a lightweight backdoor that profiles systems, executes remote commands, and steals data including documents and keystrokes. Defenders should enforce strong IAM hygiene with key rotation and multi-factor authentication, enable CloudTrail logging across all regions, monitor VPC flow logs for unusual proxy traffic, and apply Service Control Policies to block publicly accessible Lambda Function URLs. Tracking cost anomalies can also reveal large-scale C2 operations generating high invocation volumes.
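The two cloud-side controls above, the SCP that blocks AuthType NONE and the CloudTrail monitoring that catches a public Function URL being created, are worked through below in an added example that is not part of the article or the researchers' material. The SCP uses the real IAM condition key lambda:FunctionUrlAuthType; the CloudTrail records are constructed samples trimmed to the fields the detector reads, and the exact eventName and requestParameters spellings should be confirmed against your own trail before deploying the rule. The scp_would_deny helper is a deliberately minimal policy evaluator written for this example, not an AWS API.

```python
"""Prevent and detect public (AuthType NONE) Lambda Function URLs.

Added example, not from the original article. CloudTrail records are
constructed; verify field names against real events before use.
"""
import json
from typing import Iterable, Optional

# Preventive control: an SCP denying any call that would create, update or
# expose a Function URL with AuthType NONE. lambda:FunctionUrlAuthType is the
# IAM condition key AWS evaluates for these three actions.
PUBLIC_URL_DENY_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyPublicLambdaFunctionUrls",
        "Effect": "Deny",
        "Action": ["lambda:CreateFunctionUrlConfig",
                   "lambda:UpdateFunctionUrlConfig",
                   "lambda:AddPermission"],
        "Resource": "*",
        "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}},
    }],
}


def _event(time, name, region, user, ip, params):
    """Build a constructed CloudTrail management event (trimmed shape)."""
    return {"eventTime": time, "eventSource": "lambda.amazonaws.com",
            "eventName": name, "awsRegion": region,
            "userIdentity": {"userName": user}, "sourceIPAddress": ip,
            "requestParameters": params}


# Constructed sample trail: one public URL, one IAM-authenticated URL, and a
# resource policy that grants InvokeFunctionUrl to everyone ("*").
SAMPLE_EVENTS = [
    _event("2025-07-01T03:12:44Z", "CreateFunctionUrlConfig", "ap-southeast-1",
           "ci-deploy", "203.0.113.5",
           {"functionName": "relay-fn", "authType": "NONE"}),
    _event("2025-07-01T03:15:10Z", "CreateFunctionUrlConfig", "us-east-1",
           "app-role", "198.51.100.7",
           {"functionName": "internal-api", "authType": "AWS_IAM"}),
    _event("2025-07-01T03:20:01Z", "AddPermission20150331v2", "ap-southeast-1",
           "ci-deploy", "203.0.113.5",
           {"functionName": "relay-fn", "principal": "*",
            "action": "lambda:InvokeFunctionUrl", "functionUrlAuthType": "NONE"}),
]

URL_CONFIG_EVENTS = {"CreateFunctionUrlConfig", "UpdateFunctionUrlConfig"}


def requested_auth_type(event: dict) -> Optional[str]:
    """Auth type the call requests; field name differs between the two APIs."""
    params = event.get("requestParameters") or {}
    return params.get("authType") or params.get("functionUrlAuthType")


def find_public_function_urls(events: Iterable[dict]) -> list:
    """Detective control: flag events that make a Function URL reachable by anyone."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "lambda.amazonaws.com":
            continue
        name = ev.get("eventName", "")
        params = ev.get("requestParameters") or {}
        is_url_config = name in URL_CONFIG_EVENTS
        is_public_grant = name.startswith("AddPermission") and params.get("principal") == "*"
        if (is_url_config or is_public_grant) and requested_auth_type(ev) == "NONE":
            findings.append({"time": ev["eventTime"], "event": name,
                             "region": ev["awsRegion"],
                             "actor": ev["userIdentity"].get("userName"),
                             "source_ip": ev["sourceIPAddress"],
                             "function": params.get("functionName")})
    return findings


def scp_would_deny(policy: dict, event: dict) -> bool:
    """Toy evaluator: does a Deny statement with the auth-type condition match?"""
    # CloudTrail suffixes some Lambda API names with a version (AddPermission20150331v2).
    action = "lambda:" + event.get("eventName", "").split("2015")[0]
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or action not in stmt["Action"]:
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("lambda:FunctionUrlAuthType")
        if wanted is None or requested_auth_type(event) == wanted:
            return True
    return False


if __name__ == "__main__":
    for finding in find_public_function_urls(SAMPLE_EVENTS):
        print("PUBLIC FUNCTION URL:", json.dumps(finding))
    for ev in SAMPLE_EVENTS:
        print(ev["eventName"], "-> denied by SCP:", scp_would_deny(PUBLIC_URL_DENY_SCP, ev))
```

Run against the samples, the detector reports the two ap-southeast-1 events (the NONE-typed URL and the wildcard InvokeFunctionUrl grant) and ignores the AWS_IAM one, and the SCP would have denied exactly those two calls. Two caveats when deploying for real: SCPs do not apply to the organization's management account, so that account needs its own guardrail, and the CloudTrail rule only helps if trails are enabled in every region, since the article notes attackers pick whichever region they like.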
Source: Cyber Security News