APT41, a sophisticated cyber threat group, has developed a new Winnti-related backdoor targeting Linux cloud servers. This malware is designed to steal credentials from major cloud providers including AWS, Azure, Alibaba Cloud, and GCP by exploiting metadata services and local credential stores.
Key features of the malware include:
- Encryption of stolen secrets using AES-256.
- Exfiltration via an SMTP-based command-and-control (C2) channel that employs a selective handshake mechanism to avoid detection.
- Lateral movement within cloud networks through UDP broadcast beacons on port 6006.
To mitigate this threat, cybersecurity experts recommend:
- Tightening controls around outbound SMTP traffic from non-mail workloads.
- Monitoring for unusual UDP broadcasts to port 6006.
- Auditing access to metadata services and local credential stores.
- Hunting for suspicious ELF binaries in temporary paths like /tmp, /var/tmp, and /dev/shm.
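As an added example (not code from the original article), the following script applies two of the network checks above to flow-log records: outbound SMTP from workloads that are not approved mail senders, and UDP datagrams sent to a broadcast address on port 6006. The log format, the 10.0.0.0/24 subnet, the mail-host allowlist and all addresses are constructed assumptions.

```python
import ipaddress
from typing import List, NamedTuple, Set, Tuple

# Constructed sample flow records (not from the article): time src dst proto sport dport
SAMPLE_FLOWS = """\
2024-06-01T10:00:00Z 10.0.0.25 198.51.100.5 tcp 51000 25
2024-06-01T10:00:05Z 10.0.0.7 203.0.113.9 tcp 49152 587
2024-06-01T10:00:09Z 10.0.0.7 10.0.0.255 udp 40001 6006
2024-06-01T10:00:12Z 10.0.0.8 10.0.0.9 udp 40002 6006
2024-06-01T10:00:15Z 10.0.0.8 10.0.0.255 udp 40003 53
2024-06-01T10:00:20Z 10.0.0.9 255.255.255.255 udp 40004 6006
"""

SMTP_PORTS = {25, 465, 587}   # submission and relay ports to watch for egress
BEACON_PORT = 6006            # UDP broadcast port named in the report


class Flow(NamedTuple):
    time: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    sport: int
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one space-separated record of the constructed flow-log format."""
    time, src, dst, proto, sport, dport = line.split()
    return Flow(time, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(sport), int(dport))


def detect(lines: List[str], mail_hosts: Set[str], subnet: str) -> List[Tuple[str, str, str, int]]:
    """Return (rule, src, dst, dport) findings for the two network indicators."""
    net = ipaddress.ip_network(subnet)
    allowed = {ipaddress.ip_address(h) for h in mail_hosts}
    broadcast = {net.broadcast_address, ipaddress.ip_address("255.255.255.255")}
    findings = []
    for raw in lines:
        if not raw.strip():
            continue
        f = parse_flow(raw)
        # Rule 1: SMTP leaving the subnet from a host that is not an approved mail sender
        if f.proto == "tcp" and f.dport in SMTP_PORTS and f.src not in allowed and f.dst not in net:
            findings.append(("smtp-egress-from-non-mail-host", str(f.src), str(f.dst), f.dport))
        # Rule 2: UDP datagram to the subnet or limited broadcast address on port 6006
        if f.proto == "udp" and f.dport == BEACON_PORT and f.dst in broadcast:
            findings.append(("udp-6006-broadcast", str(f.src), str(f.dst), f.dport))
    return findings


if __name__ == "__main__":
    for hit in detect(SAMPLE_FLOWS.splitlines(), {"10.0.0.25"}, "10.0.0.0/24"):
        print(*hit)
```

Unicast traffic to port 6006 (the fourth sample record) is deliberately not flagged, since the report describes broadcast beacons; widen the rule if your environment has no legitimate use of that port at all.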
Cloud teams are also advised to:
- Enable cloud audit logs.
- Enforce stronger protections such as IMDSv2 on AWS.
- Closely review IAM role usage from unexpected source IPs.
Read the full article at Cyber Security News