Trusted Cloud Giants Weaponized to Mask Malicious Command and Control Traffic

Researchers found that attackers are hosting Cobalt Strike command and control servers on AWS, Google Cloud, Azure, Cloudflare, and GitHub to avoid detection and blend into normal enterprise traffic.

CSBadmin
2 Min Read

How Attackers Exploit Cloud Platforms

Cybercriminals are increasingly turning legitimate cloud services into camouflage for malicious activity. A threat intelligence investigation using ANY.RUN's Threat Intelligence Lookup found that attackers are actively abusing infrastructure from Amazon Web Services, Google Cloud, Microsoft Azure, Cloudflare, and GitHub to host command and control (C2) servers and disguise their traffic. The investigation analyzed over 50 million indicators of compromise derived from sandbox analyses contributed by more than 500,000 analysts worldwide, and found that trusted platforms are now routinely used as cover for adversarial operations: a connection to a well-known cloud provider looks like ordinary business traffic, so reputation-based controls rarely question it.

Impact and Detection Methods

One particularly striking finding involved Cobalt Strike beacon traffic. Researchers tracked a specific JA3S TLS fingerprint hash associated with Cobalt Strike and discovered more than 1,000 system events tied to it. The malicious communication was carried mainly by native Windows processes such as slui.exe, svchost.exe, and PowerShell, abusing living-off-the-land binaries (LOLBins) so that the beaconing process itself looks legitimate. All traffic was routed over HTTPS on port 443 to blend in with normal enterprise activity. Because the C2 infrastructure was hosted on reputable platforms such as Microsoft, GitHub, Google, Amazon, and Cloudflare, traditional reputation-based blocking proved ineffective: the destination was, by every feed, a trusted provider. JA3S fingerprints the server's TLS ServerHello (protocol version, chosen cipher, and extension list), so it identifies the C2's TLS implementation rather than its address. Security teams are therefore advised to use JA3S fingerprinting as a behavioral anchor, correlated with the originating process, to detect Cobalt Strike infections even when domains and IP addresses change.
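The detection logic the paragraph describes, as an added example that is not part of the original article or of ANY.RUN's tooling: it computes a JA3S hash the way the JA3S specification defines it (MD5 over "Version,Cipher,Ext1-Ext2-..." taken from the ServerHello), matches it against a watchlist, and raises confidence when the client process is a LOLBin, while deliberately giving no credit to the destination's hosting provider. The watchlist entry, the ServerHello parameters behind it, the host names, IPs and SNIs are all constructed for this example; the real Cobalt Strike hash from the investigation is not reproduced here.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional


def ja3s_fingerprint(version: int, cipher: int, extensions: List[int]) -> str:
    """JA3S = MD5 over "Version,Cipher,Ext1-Ext2-..." from the TLS ServerHello.

    Fields are decimal and extensions keep the order the server sent them.
    The value depends only on the server's TLS stack, not on its IP or hostname,
    which is why it survives infrastructure rotation.
    """
    ja3s_string = f"{version},{cipher},{'-'.join(str(e) for e in extensions)}"
    return hashlib.md5(ja3s_string.encode("ascii")).hexdigest()


# Native Windows binaries the article names as carrying beacon traffic, plus a
# few other commonly abused LOLBins.
LOLBINS = {"slui.exe", "svchost.exe", "powershell.exe", "rundll32.exe", "mshta.exe"}

# Hypothetical watchlist: these ServerHello parameters are constructed for the
# example and are NOT the Cobalt Strike fingerprint from the investigation.
SUSPECT_JA3S = ja3s_fingerprint(771, 49199, [65281, 0, 11, 35, 23])
BENIGN_JA3S = ja3s_fingerprint(771, 49195, [65281, 0, 11, 16])
WATCHLIST = {SUSPECT_JA3S: "suspect C2 TLS stack (hypothetical entry)"}


@dataclass
class TlsEvent:
    host: str        # endpoint that opened the connection
    process: str     # process that owned the socket (EDR / Sysmon event 3 style)
    dst_ip: str
    dst_port: int
    sni: str
    dst_org: str     # what a reputation feed says about the destination
    ja3s: str        # as emitted by a sensor such as Zeek or Suricata


@dataclass
class Alert:
    host: str
    process: str
    dst: str
    confidence: str
    reasons: List[str] = field(default_factory=list)


def score(ev: TlsEvent) -> Optional[Alert]:
    """Alert on fingerprint plus process context; destination reputation is ignored."""
    label = WATCHLIST.get(ev.ja3s)
    if label is None:
        return None  # no fingerprint match: a LOLBin talking to 443 alone is far too noisy
    reasons = [f"JA3S {ev.ja3s} matches {label}"]
    confidence = "medium"
    if ev.process.lower() in LOLBINS:
        reasons.append(f"client process {ev.process} is a LOLBin")
        confidence = "high"
    if ev.dst_port == 443:
        reasons.append("HTTPS on 443, indistinguishable from browsing at the network layer")
    # No discount for trusted hosting: the article's whole point is that the
    # C2 sits on Amazon, Cloudflare, Microsoft and friends.
    reasons.append(f"destination hosted at {ev.dst_org}; not treated as an allow signal")
    return Alert(ev.host, ev.process, f"{ev.dst_ip}:{ev.dst_port} ({ev.sni})", confidence, reasons)


def detect(events: List[TlsEvent]) -> List[Alert]:
    return [a for a in (score(e) for e in events) if a is not None]


# Constructed sample telemetry (RFC 5737 documentation addresses, example.* names).
SAMPLE_EVENTS = [
    TlsEvent("WKS-0412", "slui.exe", "203.0.113.10", 443, "cdn.example.net", "Cloudflare", SUSPECT_JA3S),
    TlsEvent("WKS-0412", "chrome.exe", "203.0.113.10", 443, "cdn.example.net", "Cloudflare", BENIGN_JA3S),
    TlsEvent("SRV-DB01", "svchost.exe", "198.51.100.7", 443, "api.example.org", "Amazon", SUSPECT_JA3S),
    TlsEvent("WKS-0099", "outlook.exe", "192.0.2.55", 443, "mail.example.com", "Microsoft", BENIGN_JA3S),
    TlsEvent("WKS-0201", "python.exe", "198.51.100.7", 8443, "api.example.org", "Amazon", SUSPECT_JA3S),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.confidence}] {alert.host} {alert.process} -> {alert.dst}")
        for r in alert.reasons:
            print("    -", r)
```

Two caveats worth keeping in mind when deploying this pattern. A JA3S hash describes a TLS implementation, not a piece of malware, so it can collide with legitimate servers built on the same library; pairing it with the client process, the client-side JA3 and beacon timing is what turns a medium into a high. And when the C2 is fronted by a CDN or reverse proxy, the TLS session terminates at the provider's edge, so the JA3S you observe is the provider's stack rather than the beacon server's; in that case the process-context and periodicity signals have to carry the detection.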

Source: Cyber Security News

CSBadmin

The latest in cybersecurity news and updates.
