Attack Methodology and Custom Tooling
Security analysts have uncovered a targeted intrusion campaign that leverages a Cloudflare-hosted storage endpoint to exfiltrate data from compromised networks without triggering alarms. The operation targeted multiple Malaysian government organizations and at least one private-sector company, demonstrating a level of planning well beyond typical opportunistic attacks.
The threat actor deployed custom Python scripts tailored specifically to each target environment, with each tool designed for a distinct task. This bespoke approach indicates a skilled operator who prioritizes operational security. The attacker-controlled infrastructure is hosted on a Microsoft Azure virtual machine located in the Malaysia West region. Researchers discovered that this infrastructure contained a large collection of attack tools that had not yet been cleaned up, providing valuable insight into the operation.
Impact and Scope
The campaign involved multiple components including database access, internal network mapping, live webshell deployment, and credential theft. The key element tying these together was the use of a Cloudflare storage endpoint as the final destination for stolen files. By routing exfiltrated data through a widely trusted cloud service, the attacker could blend malicious outbound traffic with legitimate cloud activity and evade standard network monitoring.
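As an added illustration of the detection side of this technique (not code from the article or from the researchers who reported it), the script below flags hosts whose uploads to a cloud object-storage endpoint are both large and dominate their outbound traffic. The proxy-log format, the monitored storage domain suffix and the sample records are all assumptions constructed for the example.

```python
from collections import defaultdict
import csv
import io

# Constructed sample proxy records, not real telemetry. Fields:
# timestamp, source host, destination host, HTTP method, bytes sent by client.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z,ws-041,login.microsoftonline.com,POST,2100
2024-05-01T09:03:15Z,ws-041,acct-1.r2.cloudflarestorage.com,PUT,4800000
2024-05-01T09:03:40Z,ws-041,acct-1.r2.cloudflarestorage.com,PUT,5100000
2024-05-01T09:04:02Z,ws-041,acct-1.r2.cloudflarestorage.com,PUT,4900000
2024-05-01T09:05:00Z,ws-017,acct-1.r2.cloudflarestorage.com,GET,600
2024-05-01T09:06:30Z,ws-017,teams.microsoft.com,POST,350000
2024-05-01T09:07:10Z,ws-017,teams.microsoft.com,POST,420000
"""

# Assumption: domain suffixes the defender treats as cloud object storage.
STORAGE_SUFFIXES = (".r2.cloudflarestorage.com",)
UPLOAD_METHODS = {"PUT", "POST"}

def is_storage_endpoint(host):
    host = host.lower().rstrip(".")
    return any(host.endswith(s) for s in STORAGE_SUFFIXES)

def summarise(log_text):
    """Per source host: total bytes out, bytes uploaded to storage, upload count."""
    stats = defaultdict(lambda: {"total_out": 0, "storage_up": 0, "uploads": 0, "dests": set()})
    for _ts, src, dst, method, sent in csv.reader(io.StringIO(log_text)):
        sent = int(sent)
        s = stats[src]
        s["total_out"] += sent
        if is_storage_endpoint(dst) and method.upper() in UPLOAD_METHODS:
            s["storage_up"] += sent
            s["uploads"] += 1
            s["dests"].add(dst.lower())
    return stats

def flag_exfil(log_text, min_bytes=10_000_000, min_share=0.5):
    """Flag hosts whose uploads to storage endpoints are large in absolute terms
    and also make up most of that host's outbound volume (bulk transfer, not chatter)."""
    alerts = []
    for src, s in summarise(log_text).items():
        share = s["storage_up"] / s["total_out"] if s["total_out"] else 0.0
        if s["storage_up"] >= min_bytes and share >= min_share:
            alerts.append({"host": src, "bytes": s["storage_up"],
                           "share": round(share, 2), "dests": sorted(s["dests"])})
    return alerts

if __name__ == "__main__":
    for alert in flag_exfil(SAMPLE_LOG):
        print(alert)
```

Tune the thresholds against a baseline of legitimate storage usage in your environment; hosts that normally back up to the same provider will otherwise generate noise.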
The impact has been significant. Domain controller credentials were confirmed stolen, active webshells were found on at least one government server, and researchers identified a chained exploit targeting a mobile network operator’s customer verification platform. These findings paint a picture of a well-resourced actor working methodically across multiple targets simultaneously.
Source: Cyber Security News
