Malware hosted on Pastebin, delivered by CloudFront
Amazon’s CloudFront is being used to host Command & Control (C&C) infrastructure for a ransomware campaign that has successfully hit at least two multinational companies in the food and services sectors, according to a report by security firm Symantec.
“Both [victims were] large, multi-site organizations that were likely capable of paying a large ransom,” Symantec said, adding that the attackers were using the Cobalt Strike commodity malware to deliver Sodinokibi ransomware payloads.
The CloudFront content delivery network (CDN) is described by Amazon as a way to give businesses and web application developers an “easy and cost effective way to distribute content with low latency and high data transfer speeds.”
Users can register S3 buckets for static content and EC2 instances for dynamic content, then use an API call to return a CloudFront.net domain name that can be used to distribute content from origin servers via the Amazon CloudFront service. (In this case, the malicious domain was d2zblloliromfu.cloudfront.net.)
Like any large-scale, easily accessible online service, it is no stranger to being abused by bad actors: similar campaigns have been spotted in the past.
Malware was being delivered using legitimate remote admin client tools, Symantec said, including one from NetSupport Ltd and a copy of the AnyDesk remote access tool. The attackers were also using the Cobalt Strike commodity malware to deliver the Sodinokibi ransomware to victims.
The attackers also, unusually, scanned for exposed Point of Sale (PoS) systems as part of the campaign, Symantec noted. The ransom they demanded was significant.
“The attackers requested that the ransom be paid in the Monero cryptocurrency, which is favored for its privacy as, unlike Bitcoin, you cannot necessarily track transactions. For this reason we do not know if any of the victims paid the ransom, which was $50,000 if paid in the first three hours, rising to $100,000 after that time.”
Indicators of Compromise (IoCs), including the bad domains, can be found in Symantec's report.
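Because CloudFront is a legitimate CDN that cannot simply be blocked outright, a practical defensive check is to triage proxy logs for CloudFront distribution hostnames: block the distribution named in the report, allow the ones your own applications are known to use, and queue any other distribution for review. The following is an added example, not code from the article or from Symantec; the allowlisted distribution and the proxy log lines are constructed sample data.

```python
import re

# Malicious distribution named in the Symantec report quoted above.
KNOWN_BAD_DISTRIBUTIONS = {"d2zblloliromfu.cloudfront.net"}

# Assumed/constructed: distributions this organisation's own apps legitimately use.
ALLOWED_DISTRIBUTIONS = {"d111111abcdef8.cloudfront.net"}

# Anchored so that "cloudfront.net.evil.example" does not match.
CLOUDFRONT_HOST = re.compile(r"^[a-z0-9]+\.cloudfront\.net$")

# Constructed proxy log lines: timestamp, source IP, method, host:port.
SAMPLE_LOG = """\
1580000001.123 10.0.0.15 CONNECT d111111abcdef8.cloudfront.net:443
1580000002.456 10.0.0.22 CONNECT d2zblloliromfu.cloudfront.net:443
1580000003.789 10.0.0.22 CONNECT d3zzzzzzzzzzzz.cloudfront.net:443
1580000004.000 10.0.0.31 GET www.example.com:80
"""


def parse_line(line):
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, method, hostport = parts
    host = hostport.rsplit(":", 1)[0].lower()
    return {"ts": ts, "src": src, "method": method, "host": host}


def classify(host):
    """Verdict for a hostname: block, allow, review (unknown CloudFront) or ignore."""
    host = host.lower()
    if host in KNOWN_BAD_DISTRIBUTIONS:
        return "block"
    if not CLOUDFRONT_HOST.match(host):
        return "ignore"
    if host in ALLOWED_DISTRIBUTIONS:
        return "allow"
    return "review"


def triage(log_text):
    """Return (source IP, host, verdict) for every line that needs attention."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec["host"])
        if verdict in ("block", "review"):
            findings.append((rec["src"], rec["host"], verdict))
    return findings
```

Running `triage(SAMPLE_LOG)` flags the host 10.0.0.22 twice: once for contacting the known-bad distribution and once for an unlisted one that deserves a look.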
With ransomware predicted by Cybersecurity Ventures to hit a business every 11 seconds this year, businesses should ensure that they have robust backups.
As Jasmit Sagoo from security firm Veritas puts it: “Companies… have to take their data back-up and protection more seriously as a source of recovery.
“The ‘3-2-1 rule’ is the best approach to take.
“This entails each organisation having three copies of its data, two of which are on different storage media and one is air-gapped in an offsite location. With an offsite data backup solution, businesses have the option of simply restoring their data if they are ever locked out of it by criminals exploiting weaknesses in systems. Realistically, in today’s world, there’s no excuse for not being prepared.”