VYPR Research
Published Jun 3, 2026 · 1 source

HazyBeacon Campaign Abuses AWS Lambda for Covert Communications

The HazyBeacon campaign is weaponizing Amazon Web Services (AWS) Lambda functions to establish covert command and control channels targeting government networks in Southeast Asia.

A sophisticated malware campaign dubbed HazyBeacon is leveraging Amazon Web Services (AWS) to create stealthy communication channels, posing a significant threat to government networks in Southeast Asia. This campaign, also tracked as CL-STA-1020, circumvents traditional defenses by embedding malicious infrastructure within legitimate cloud services, making it difficult for security teams to distinguish between normal and malicious traffic.

The core of the HazyBeacon campaign's technique involves compromising unrelated AWS accounts and deploying serverless AWS Lambda functions. These functions are configured to act as hidden relay points for command and control (C2) communications. The attackers exploit a feature called Lambda Function URLs, specifically opting for the 'AuthType: NONE' configuration. This allows any internet-connected device to invoke the function without authentication, effectively turning it into an open relay that appears as a standard HTTPS connection to AWS infrastructure.

Researchers from Qualys, building on earlier work by Palo Alto Networks Unit 42, detailed how HazyBeacon operates. Once a victim's Windows machine is infected, the malware functions as a lightweight backdoor. It gathers essential system information such as hostnames, IP addresses, and user privileges, reports it to the attackers, and then receives encrypted commands from them, which can range from executing arbitrary shell instructions to downloading additional malicious payloads. The malware also silently exfiltrates sensitive data, including stolen documents and captured keystrokes, back to the threat actors.

A critical aspect of HazyBeacon's operation is that it does not exploit vulnerabilities within AWS itself. Instead, the campaign relies on the theft of static Identity and Access Management (IAM) access keys. These keys are often exposed through public GitHub repositories or acquired via phishing campaigns. With these stolen credentials, attackers can provision and deploy malicious Lambda functions within compromised AWS accounts, often in less scrutinized AWS regions to evade detection.

The abuse of AWS Lambda Function URLs, introduced in April 2022, is central to this campaign. These URLs provide a direct internet endpoint for serverless functions without the need for intermediate services like API Gateway. By choosing the 'AuthType: NONE' option, attackers can quickly establish a public HTTPS relay. The domain name of these function URLs typically ends in 'on.aws', further aiding in the camouflage of malicious traffic as legitimate AWS service activity.

The relay mechanism works as follows: the malware on an infected host sends encrypted HTTP POST requests to a Lambda Function URL hosted within a compromised AWS account. The Lambda function then strips away the original headers and forwards the payload to the attacker's actual backend server. The response follows the same path back to the malware. This relay design means that neither the compromised AWS account owner nor the victim organization may realize they are part of the attack until unexpected billing charges or abuse notifications arise.

Defending against HazyBeacon requires a multi-layered approach focused on cloud security best practices. Strong IAM hygiene is paramount, including disabling unused access keys, enforcing regular key rotation, and mandating multi-factor authentication for all cloud accounts. Comprehensive logging with AWS CloudTrail across all regions is essential to detect unauthorized API calls related to Lambda function and Function URL creation. Additionally, implementing Service Control Policies (SCPs) at the AWS Organization level can prevent the deployment of Lambda Function URLs with 'AuthType: NONE' unless explicitly permitted.
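As an added example (not code from the article, Qualys, or Unit 42), the following Python scans CloudTrail records for the Function URL changes described above, flagging any created or updated with AuthType NONE and any made outside an expected-region allowlist. The event-name prefixes and the `authType`/`functionName` request parameters follow the CloudTrail record layout; the region allowlist and the sample records are constructed.

```python
import json

# Regions where this (hypothetical) organisation expects Lambda changes.
EXPECTED_REGIONS = {"us-east-1", "eu-west-1"}

# Lambda CloudTrail eventName values carry an API-version suffix
# (e.g. CreateFunctionUrlConfig20211006), so match on the prefix.
URL_CONFIG_EVENTS = ("CreateFunctionUrlConfig", "UpdateFunctionUrlConfig")


def find_open_function_urls(records):
    """Return one finding per Function URL change that is public (AuthType
    NONE) or made in a region outside EXPECTED_REGIONS."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "lambda.amazonaws.com":
            continue
        if not rec.get("eventName", "").startswith(URL_CONFIG_EVENTS):
            continue
        params = rec.get("requestParameters") or {}
        identity = rec.get("userIdentity") or {}
        reasons = []
        if params.get("authType") == "NONE":
            reasons.append("public Function URL (AuthType NONE)")
        if rec.get("awsRegion") not in EXPECTED_REGIONS:
            reasons.append("unexpected region " + str(rec.get("awsRegion")))
        if reasons:
            findings.append({
                "time": rec.get("eventTime"),
                "region": rec.get("awsRegion"),
                "access_key": identity.get("accessKeyId"),  # the static IAM key used
                "function": params.get("functionName"),
                "reasons": reasons,
            })
    return findings


# Constructed sample records in CloudTrail's JSON layout (not real telemetry).
SAMPLE_RECORDS = [
    {"eventTime": "2026-06-01T02:14:07Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "CreateFunctionUrlConfig20211006", "awsRegion": "ap-southeast-1",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"},
     "requestParameters": {"functionName": "relay", "authType": "NONE"}},
    {"eventTime": "2026-06-01T09:30:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "CreateFunctionUrlConfig20211006", "awsRegion": "us-east-1",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000002"},
     "requestParameters": {"functionName": "webhook", "authType": "AWS_IAM"}},
]

if __name__ == "__main__":
    print(json.dumps(find_open_function_urls(SAMPLE_RECORDS), indent=2))
```

In practice the records would come from the CloudTrail log files delivered to S3 or from a CloudTrail Lake query, with the trail enabled in all regions so that activity in unexpected regions is actually recorded.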

Further detection and prevention strategies include monitoring for anomalous costs in AWS billing, as high invocation volumes from a relay can lead to significant spikes. Routing Lambda workloads through a Virtual Private Cloud (VPC) can also provide an additional layer of visibility, as relay traffic often exhibits a distinct one-to-one inbound-to-outbound pattern in VPC flow logs. By combining these technical controls with vigilant monitoring, organizations can better defend against cloud-native threats like HazyBeacon.

Synthesized by Vypr AI