Light Dark
February 26, 2020 By David Bisson 2 min read

Security researchers discovered a new attack they’re calling “Cloud Snooper” that uses innocent-looking requests to bypass the rules of many, if not most, firewalls.

SophosLabs launched an investigation into the Cloud Snooper campaign when it discovered an anomaly. Specifically, it found that a compromised Linux system with Amazon Web Services (AWS) security groups tuned only for inbound HTTP and HTTPS traffic was still listening for inbound connections on ports 2080/TCP and 2053/TCP. A closer look revealed a rootkit that helped attackers communicate with a backdoor.

Researchers at the security firm analyzed this activity and observed that the attackers had sent innocent-looking requests to the web server via other normal web servers in an attempt to avoid detection by a firewall. A listener picked up on those requests before they reached the web server and then sent a “reconstructed” command to the backdoor for the purpose of stealing sensitive data. The rootkit then disguised its communication once again to exfiltrate the information and ultimately send it back to a command-and-control (C&C) server operated by the attackers.

Firewall Bypasses A-Plenty

Cloud Snooper is not the first attack in which malicious actors have attempted to bypass firewall rules. Back in 2017, for instance, Microsoft warned of a new technique in which the PLATINUM group abused Intel’s Active Management Technology to bypass firewalls and other endpoint-based network monitoring tools.

In February 2018, NewSky Security spotted the DoubleDoor internet of things (IoT) botnet using two backdoor exploits to evade detection by a firewall. More recently, in August 2019, Proofpoint observed the SystemBC malware creating proxies on infected computers, paving the way for other malware payloads to bypass firewalls and similar tools.

How to Defend Against the Cloud Snooper Attack

To combat campaigns such as the Cloud Snooper attack described here, security professionals should start by investing in tools that can analyze network traffic in real time. This visibility is crucial for detecting unapproved devices as well as potential exfiltration of sensitive data. Additionally, infosec personnel should make sure their network’s “crown jewels” are configured to generate alerts individually so they can watch for anomalous behavior.

 |  |  |  |  |  |  |  |  |  |  |  | 
David Bisson
Contributing Editor

More from

February 5, 2025

Stress-testing multimodal AI applications is a new frontier for red teams

5 min read - Human communication is multimodal. We receive information in many different ways, allowing our brains to see the world from various angles and turn these different "modes" of information into a consolidated picture of reality.We’ve now reached the point where artificial intelligence (AI) can do the same, at least to a degree. Much like our brains, multimodal AI applications process different types — or modalities — of data. For example, OpenAI’s ChatGPT 4.0 can reason across text, vision and audio, granting…

February 5, 2025

Cybersecurity awareness: Apple’s cloud-based AI security system

3 min read - The rising influence of artificial intelligence (AI) has many organizations scrambling to address the new cybersecurity and data privacy concerns created by the technology, especially as AI is used in cloud systems. Apple addresses AI’s security and privacy issues head-on with its Private Cloud Compute (PCC) system.Apple seems to have solved the problem of offering cloud services without undermining user privacy or adding additional layers of insecurity. It had to do so, as Apple needed to create a cloud infrastructure…

February 4, 2025

How AI-driven SOC co-pilots will change security center operations

4 min read - Have you ever wished you had an assistant at your security operations centers (SOCs) — especially one who never calls in sick, has a bad day or takes a long lunch? Your wish may come true soon. Not surprisingly, AI-driven SOC “co-pilots” are topping the lists for cybersecurity predictions in 2025, which often describe these tools as game-changers.“AI-driven SOC co-pilots will make a significant impact in 2025, helping security teams prioritize threats and turn overwhelming amounts of data into actionable…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature