A sophisticated cyber-espionage campaign, identified as HazyBeacon, has been targeting Southeast Asian government networks by exploiting Amazon Web Services (AWS) Lambda Function URLs to establish covert command-and-control (C2) channels. This method allows attackers to blend malicious traffic with legitimate AWS operations, significantly complicating detection efforts.
Traditionally, malware communicates with attacker-controlled servers, which can be blocked based on known malicious IP addresses or domains. However, HazyBeacon represents a shift towards cloud-native C2 infrastructures. In this campaign, compromised systems communicate with AWS-hosted Lambda Function URLs, making the traffic appear benign to most security tools and effectively bypassing conventional network defenses.
Exploitation of AWS Lambda Function URLs
The core of this attack lies in the misuse of AWS Lambda Function URLs configured with ‘AuthType: NONE’, which allows public, unauthenticated access. These endpoints provide a straightforward HTTPS interface without the need for API Gateway or load balancers, reducing both visibility and operational overhead.
Attackers use stolen IAM credentials to create Lambda functions in compromised AWS accounts, enable public Function URLs on them, and use these functions as proxies to relay encrypted communications from the malware. A typical malicious endpoint resembles ‘https://[function-id].lambda-url.[region].on.aws’. Because it sits under the trusted ‘on.aws’ domain, the traffic appears legitimate, creating a ‘lookalike’ problem for defenders.
The attack chain includes:
- Credential compromise: IAM keys are stolen from exposed repositories or phishing campaigns.
- Infrastructure deployment: Attackers create Lambda functions using legitimate AWS APIs.
- Relay setup: Public Function URLs are enabled for command transmission.
- C2 communication: Malware sends encrypted requests to Lambda, which forwards them to attacker-controlled servers and relays responses back.
Infected systems communicate with attacker infrastructure through AWS Lambda relays, masking the true command-and-control destination behind legitimate cloud traffic. HazyBeacon is a lightweight backdoor that profiles systems, executes remote commands, and exfiltrates data, including documents and keystrokes.
Mitigation Strategies
To defend against such sophisticated attacks, organizations should focus on enhancing visibility and access control:
- Enforce strong IAM hygiene: Implement key rotation and multi-factor authentication to protect against credential compromise.
- Enable AWS CloudTrail logging: Activate logging across all regions to detect unauthorized API activity.
- Monitor VPC flow logs: Identify unusual proxy-like traffic patterns that may indicate malicious activity.
- Apply Service Control Policies (SCPs): Restrict the creation of public Lambda Function URLs unless explicitly approved.
- Track cost anomalies: Large-scale C2 relays can lead to unexpected increases in AWS costs, serving as a potential indicator of compromise.
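As an added illustration of the CloudTrail and approval checks recommended above (example code written for this page, not part of the original article or any vendor tooling), the following script flags CloudTrail records in which a Lambda Function URL is created or updated with AuthType NONE, or a public invoke permission is granted for such a URL. The sample records are constructed, and the request-parameter field names (authType, functionName, principal, functionUrlAuthType) and the API-version suffixes on event names are assumed to match how CloudTrail records the Lambda API.

```python
from typing import Dict, Iterable, List

# Constructed sample CloudTrail records; not real telemetry.
SAMPLE_RECORDS = [
    {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunctionUrlConfig20211014",
     "awsRegion": "ap-southeast-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"functionName": "relay-fn", "authType": "NONE"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunctionUrlConfig20211014",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/platform"},
     "requestParameters": {"functionName": "internal-api", "authType": "AWS_IAM"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "AddPermission20150331v2",
     "awsRegion": "ap-southeast-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"functionName": "relay-fn", "principal": "*",
                           "action": "lambda:InvokeFunctionUrl",
                           "functionUrlAuthType": "NONE"}},
]

# Event names carry an API-version suffix, so match on the prefix (assumed).
URL_CONFIG_EVENTS = ("CreateFunctionUrlConfig", "UpdateFunctionUrlConfig")


def public_url_findings(records: Iterable[Dict], approved: frozenset = frozenset()) -> List[Dict]:
    """Return one finding per record that exposes an unauthenticated Function URL.

    'approved' holds function names that have been explicitly cleared for a
    public URL (mirrors the SCP exception in the mitigation list); they are skipped.
    """
    findings = []
    for rec in records:
        if rec.get("eventSource") != "lambda.amazonaws.com":
            continue
        name = rec.get("eventName", "")
        params = rec.get("requestParameters") or {}
        function = params.get("functionName", "?")
        if function in approved:
            continue
        if name.startswith(URL_CONFIG_EVENTS) and params.get("authType") == "NONE":
            reason = "Function URL configured with AuthType NONE"
        elif (name.startswith("AddPermission") and params.get("principal") == "*"
              and params.get("functionUrlAuthType") == "NONE"):
            reason = "public invoke permission granted on an unauthenticated Function URL"
        else:
            continue
        findings.append({"function": function, "event": name, "reason": reason,
                         "region": rec.get("awsRegion"), "source_ip": rec.get("sourceIPAddress"),
                         "actor": (rec.get("userIdentity") or {}).get("arn")})
    return findings


if __name__ == "__main__":
    for f in public_url_findings(SAMPLE_RECORDS):
        print(f"[ALERT] {f['function']} in {f['region']} by {f['actor']}: {f['reason']}")
```

Feeding the output of a CloudTrail Lake query or an S3-delivered trail into this function in place of the constructed records gives a per-region alert each time an unauthenticated URL or its public permission appears.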
HazyBeacon underscores the evolving tactics of cyber adversaries who leverage legitimate cloud services to obfuscate their operations. As attackers continue to innovate, it is imperative for organizations to adopt comprehensive security measures that encompass both traditional and cloud-native environments.