‘Cloud Snooper’ Attack Circumvents AWS Firewall Controls


RSA CONFERENCE 2020 – San Francisco – A recently spotted targeted attack employed a rootkit to sneak malicious traffic through the victim organization’s AWS firewall and drop a remote access Trojan onto its cloud-based servers.

Researchers at Sophos discovered the attack while inspecting infected Linux and Windows EC2-based cloud infrastructure servers running in Amazon Web Services (AWS). The attack, which Sophos says is likely the handiwork of a nation-state, used a rootkit that not only gave the attackers remote control of the servers but also provided a conduit for the malware to communicate with their command-and-control (C2) servers. According to Sophos, the rootkit could also allow the C2 servers to remotely control servers physically located in the organization.
