Cloud Snooper is a newly reported malware family that compromises Linux servers by installing a kernel driver (a rootkit) which, according to the SophosLabs report, lets the attackers' traffic bypass firewall rules.
Linux is often touted as a highly secure operating system, but it is not immune to attacks of this kind; in fact, the compromised systems in the SophosLabs report were EC2 instances running both Linux and Windows.
Once Cloud Snooper is deployed, the attackers can execute commands on the affected servers, with the malware running on the server out of the administrator's sight.
How Was the Cloud Snooper Malware Discovered?
While investigating a malware incident on cloud infrastructure hosted in Amazon Web Services (AWS), SophosLabs discovered a sophisticated attack that employed unusual techniques to evade detection, allowing the malware to communicate freely with its command and control (C2) servers through a firewall that, under normal circumstances, should have blocked that kind of communication.
The problem is not an AWS-specific issue: the technique seen on AWS piggybacks C2 traffic on legitimate traffic, such as web traffic, and in that way can bypass many, if not most, firewalls, because a firewall has to permit web traffic for a web server to do its job.
The attackers used a bespoke APT (Advanced Persistent Threat) toolset, which gives Sophos reason to believe that the malware's operators were an advanced threat actor, and possibly government-backed.
How Does the Cloud Snooper Malware Infect Servers?
On Linux, the attackers installed a malicious kernel driver named "snd_floppy". No legitimate driver of that name exists; the name is a decoy, and the module has nothing to do with sound or floppy hardware support.
The name was most likely chosen to blend in, since it resembles the legitimate ALSA sound drivers that share the "snd" prefix, such as snd_hda_intel, snd_pcm, snd_hda_codec and snd_timer. The driver then relies on an in-band signalling method: the attacker's commands are hidden inside ordinary-looking network traffic rather than sent over a separate channel that a firewall could block.
The snd_floppy driver inspects incoming packets and reads the hidden command from the 16-bit TCP source port field of packets arriving on ports the firewall already permits, such as the web ports. Firewalls rarely filter on source ports, because a legitimate client picks its source port at random from the ephemeral range, so the command traffic passes through as if it were ordinary web traffic.
To secure your server against a Cloud Snooper-style attack, it is recommended that you adjust your firewall rules to detect and block inbound packets with illegitimate source ports: for example, packets aimed at your web ports that arrive from fixed, low-numbered source ports a normal client, which uses a random ephemeral port, would not present.
If the firewall fails to stop the malicious files from getting in, add a second layer of defence that prevents script execution. Additionally, use a tool that can monitor for and detect rogue kernel drivers (for instance by comparing the loaded modules reported by lsmod against a known-good baseline) and any unwanted programs running on your server.
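The following is an added example, not code from the Sophos report or from the malware itself, that illustrates both the in-band signalling described above and the detection advice: it parses raw IPv4/TCP headers, flags packets aimed at a web port whose TCP source port is on a watch-list, and scans lsmod output for "snd_" modules that are not known ALSA drivers. The port values in SUSPECT_SRC_PORTS and the KNOWN_SND_MODULES baseline are assumptions for illustration (the real Cloud Snooper port values are not reproduced here), and the packet samples and lsmod listing are constructed.

```python
"""Added example (not from the Sophos report): spotting Cloud Snooper-style
in-band signalling in packet headers and a decoy kernel module in lsmod output.

Assumptions (hypothetical, not taken from the report): an inbound packet to a
web port whose TCP *source* port is in SUSPECT_SRC_PORTS is treated as a covert
command, and KNOWN_SND_MODULES stands in for a real known-good baseline."""
import struct
import ipaddress

WEB_PORTS = {80, 443}
SUSPECT_SRC_PORTS = {6060, 7070, 8080, 9999}     # hypothetical watch-list

# Legitimate ALSA modules the decoy name imitates; "snd_floppy" is not among them.
KNOWN_SND_MODULES = {"snd", "snd_hda_intel", "snd_pcm", "snd_hda_codec", "snd_timer"}


def parse_ipv4_tcp(frame: bytes) -> dict:
    """Parse an IPv4 header followed by a TCP header (no Ethernet framing).
    Raises ValueError on non-IPv4, non-TCP or truncated input."""
    if len(frame) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl = frame[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes
    if frame[9] != 6:                     # protocol field: 6 = TCP
        raise ValueError("not TCP")
    if len(frame) < ihl + 20:
        raise ValueError("truncated TCP header")
    src_ip = str(ipaddress.IPv4Address(frame[12:16]))
    dst_ip = str(ipaddress.IPv4Address(frame[16:20]))
    src_port, dst_port = struct.unpack("!HH", frame[ihl:ihl + 4])
    return {"src_ip": src_ip, "dst_ip": dst_ip, "src_port": src_port, "dst_port": dst_port}


def build_ipv4_tcp(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """Build a minimal 40-byte IPv4+TCP header pair for the constructed samples
    (checksums left at zero; this is test input, not something to send)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ip + tcp


def is_covert_command(pkt: dict) -> bool:
    """A packet aimed at a web port is suspicious when its source port is one a
    normal client, which picks a random ephemeral port, would not choose."""
    return pkt["dst_port"] in WEB_PORTS and pkt["src_port"] in SUSPECT_SRC_PORTS


def find_covert_commands(frames) -> list:
    """Return (src_ip, src_port, dst_port) for every frame carrying a signal;
    frames that are not well-formed IPv4/TCP are skipped."""
    hits = []
    for raw in frames:
        try:
            pkt = parse_ipv4_tcp(raw)
        except ValueError:
            continue
        if is_covert_command(pkt):
            hits.append((pkt["src_ip"], pkt["src_port"], pkt["dst_port"]))
    return hits


def suspicious_modules(lsmod_output: str) -> list:
    """Flag snd_* modules that are not in the known ALSA baseline (e.g. snd_floppy)."""
    flagged = []
    for line in lsmod_output.splitlines()[1:]:     # first row is the header
        if not line.strip():
            continue
        name = line.split()[0]
        if name.startswith("snd_") and name not in KNOWN_SND_MODULES:
            flagged.append(name)
    return flagged


# Constructed samples: three inbound packets to a web server plus one to SSH.
SAMPLE_FRAMES = [
    build_ipv4_tcp("203.0.113.5", "10.0.0.10", 52344, 443),   # ordinary client
    build_ipv4_tcp("203.0.113.7", "10.0.0.10", 6060, 80),     # covert command
    build_ipv4_tcp("203.0.113.9", "10.0.0.10", 9999, 443),    # covert command
    build_ipv4_tcp("203.0.113.9", "10.0.0.10", 9999, 22),     # not a web port
]

# Constructed lsmod output with the decoy module hiding among real ALSA drivers.
SAMPLE_LSMOD = """Module                  Size  Used by
snd_hda_intel          53248  0
snd_floppy             16384  0
snd_pcm               131072  1 snd_hda_intel
ena                    98304  0
"""

if __name__ == "__main__":
    for hit in find_covert_commands(SAMPLE_FRAMES):
        print("covert command from %s: src port %d -> dst port %d" % hit)
    for mod in suspicious_modules(SAMPLE_LSMOD):
        print("rogue kernel module:", mod)
```

The detector keys on the source port alone, which is the whole point of the technique: the payload can be empty or innocuous, so payload-inspecting defences see nothing, while a source-port check on traffic to your web ports is cheap. On a real host, feed it frames captured from the interface (after stripping the Ethernet header) and the live output of lsmod, and replace the placeholder baseline with the module list from a known-clean image.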