A sophisticated cyber-espionage campaign known as HazyBeacon is targeting government entities in Southeast Asia, utilizing AWS Lambda Function URLs to execute stealthy command-and-control operations. The campaign, tracked as CL-STA-1020, exemplifies the growing trend of leveraging cloud services for malicious activities.
Innovative Use of Cloud Infrastructure
Security experts at Qualys have identified that attackers are exploiting AWS serverless functions and compromised cloud credentials to blend malicious activity into trusted AWS infrastructure. Because the traffic terminates at legitimate AWS endpoints, this blending makes it hard for traditional, reputation-based security controls to detect.
Previously, malware operations depended on attacker-owned servers, which were susceptible to blocking through IP or domain reputation. HazyBeacon, however, introduces a cloud-native approach, embedding its infrastructure within legitimate cloud services and using AWS-hosted Lambda Function URLs for communication.
Exploiting AWS Lambda Function URLs
The primary tactic involves creating AWS Lambda Function URLs configured with AuthType: NONE, which allows public access without authentication. These endpoints provide a straightforward HTTPS interface on an AWS-owned domain, bypassing the need for additional components like API Gateway and thereby reducing the attacker's detection footprint.
Attackers use stolen Identity and Access Management (IAM) credentials to create Lambda functions in compromised accounts, configure public Function URLs for them, and use these URLs for encrypted malware communications. The traffic, appearing legitimate because it goes to a trusted AWS domain, poses a significant challenge for defenders.
Defense Strategies and Future Implications
HazyBeacon’s strategy aligns with a borrowed-infrastructure model, where adversaries use third-party cloud environments for their operations. This includes stealing IAM keys via phishing, deploying infrastructure using AWS APIs, and establishing public Function URLs for data transmission.
The malware operates as a lightweight backdoor, gathering system profiles, executing commands remotely, and extracting sensitive information. The campaign underscores the need for robust IAM practices, including key rotation and multi-factor authentication, to prevent unauthorized access.
Organizations are advised to implement comprehensive logging through AWS CloudTrail and monitor VPC flow logs to detect suspicious activities. Additionally, applying Service Control Policies (SCPs) to restrict public Lambda Function URLs and tracking unusual cost spikes can help mitigate risks.
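The two controls above, CloudTrail monitoring and an SCP that blocks public Function URLs, are shown together in the following added example. It is not code from the article or from any vendor; the CloudTrail records are constructed samples, and the shape of their requestParameters (authType, action, principal) is an assumption about how the Lambda control-plane calls are logged. The SCP uses the lambda:FunctionUrlAuthType condition key to allow only AWS_IAM-authenticated URLs.

```python
import re

# Constructed sample CloudTrail records (not real logs). Real Lambda event names
# carry an API-version suffix such as "20210421", so matching strips it.
SAMPLE_EVENTS = [
    {   # Public Function URL created with no authentication: the pattern described above
        "eventSource": "lambda.amazonaws.com",
        "eventName": "CreateFunctionUrlConfig20210421",
        "userIdentity": {"type": "IAMUser", "userName": "deploy-user"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"functionName": "report-sync", "authType": "NONE"},
    },
    {   # IAM-authenticated Function URL: expected, not flagged
        "eventSource": "lambda.amazonaws.com",
        "eventName": "CreateFunctionUrlConfig20210421",
        "userIdentity": {"type": "AssumedRole", "userName": "ci-pipeline"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"functionName": "billing-export", "authType": "AWS_IAM"},
    },
    {   # Resource policy opening the URL to everyone (assumed parameter shape)
        "eventSource": "lambda.amazonaws.com",
        "eventName": "AddPermission20150331v2",
        "userIdentity": {"type": "IAMUser", "userName": "deploy-user"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {
            "functionName": "telemetry-agent",
            "action": "lambda:InvokeFunctionUrl",
            "principal": "*",
            "functionUrlAuthType": "NONE",
        },
    },
    {   # Unrelated service event: ignored by the detection
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject",
        "userIdentity": {"type": "IAMUser", "userName": "deploy-user"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"bucketName": "example-bucket", "key": "a.txt"},
    },
]

VERSION_SUFFIX = re.compile(r"\d{8}(v\d+)?$")


def api_name(event_name):
    """Strip the API-version suffix CloudTrail appends to Lambda event names."""
    return VERSION_SUFFIX.sub("", event_name)


def find_public_function_urls(events):
    """Return one finding per CloudTrail record that creates or opens a public Function URL."""
    findings = []
    for e in events:
        if e.get("eventSource") != "lambda.amazonaws.com":
            continue
        name = api_name(e.get("eventName", ""))
        p = e.get("requestParameters") or {}
        reason = None
        if name in ("CreateFunctionUrlConfig", "UpdateFunctionUrlConfig") and p.get("authType") == "NONE":
            reason = "function URL configured with AuthType NONE"
        elif name == "AddPermission" and p.get("action") == "lambda:InvokeFunctionUrl" and p.get("principal") == "*":
            reason = "lambda:InvokeFunctionUrl granted to principal *"
        if reason:
            findings.append({
                "function": p.get("functionName"),
                "api": name,
                "actor": e.get("userIdentity", {}).get("userName"),
                "source_ip": e.get("sourceIPAddress"),
                "reason": reason,
            })
    return findings


# SCP denying any Function URL that is not IAM-authenticated (attach at the OU/root level).
DENY_PUBLIC_FUNCTION_URL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyPublicLambdaFunctionUrls",
        "Effect": "Deny",
        "Action": ["lambda:CreateFunctionUrlConfig", "lambda:UpdateFunctionUrlConfig"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"lambda:FunctionUrlAuthType": "AWS_IAM"}},
    }],
}


def scp_would_deny(event, scp=DENY_PUBLIC_FUNCTION_URL_SCP):
    """Check one CloudTrail record against the single Deny statement above.
    This is a minimal check for this statement only, not a general IAM evaluator."""
    if event.get("eventSource") != "lambda.amazonaws.com":
        return False
    action = "lambda:" + api_name(event.get("eventName", ""))
    auth_type = (event.get("requestParameters") or {}).get("authType")
    for stmt in scp["Statement"]:
        if stmt["Effect"] == "Deny" and action in stmt["Action"]:
            required = stmt["Condition"]["StringNotEquals"]["lambda:FunctionUrlAuthType"]
            if auth_type != required:
                return True
    return False


if __name__ == "__main__":
    for f in find_public_function_urls(SAMPLE_EVENTS):
        print(f"ALERT {f['function']}: {f['reason']} by {f['actor']} from {f['source_ip']}")
    for e in SAMPLE_EVENTS:
        print(e["eventName"], "blocked by SCP:", scp_would_deny(e))
```

In production the records would come from a CloudTrail Lake query or an Athena table over the CloudTrail bucket rather than an inline list, and the first alert above is the one to correlate with the unusual outbound HTTPS traffic and cost spikes the text mentions. Note that the SCP as written covers only the URL configuration calls; a public URL can also be exposed through AddPermission, which is why the detection checks that call separately.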
As attackers continue to exploit cloud services for increased stealth and scalability, it is crucial for organizations to focus on identity-centric security measures, ongoing configuration assessments, and behavioral analysis of cloud operations.
