Malware Campaign Hijacks AWS Lambda Function URLs for Stealth C2 Targeting Southeast Asian Governments
What Happened — Threat actors leveraged stolen AWS IAM credentials to create Lambda functions with public Function URLs (AuthType = NONE). These serverless endpoints acted as covert command‑and‑control relays for the HazyBeacon malware, allowing encrypted traffic to blend with legitimate AWS HTTPS traffic.
Why It Matters for TPRM —
- Cloud‑native C2 bypasses traditional network perimeter controls, exposing third‑party cloud providers to abuse.
- Misconfigured serverless services can become "borrowed infrastructure," turning a trusted vendor's platform into an attack relay.
- Organizations that rely on AWS for critical workloads must verify that their cloud accounts enforce strict identity and configuration hygiene.
Who Is Affected — Government agencies in Southeast Asia; any enterprise using AWS Lambda Function URLs without restrictive authentication (CLOUD_HOST, GOV_PUBLIC).
Recommended Actions —
- Enforce identity‑centric access controls (least‑privilege IAM policies).
- Disable public Lambda Function URLs or require IAM authentication.
- Enable global CloudTrail logging, VPC Flow Logs, and Service Control Policies to monitor and restrict Lambda URL creation.
- Deploy continuous configuration monitoring (e.g., Qualys TotalCloud) to detect open Function URLs.
Technical Notes — Attack vector: stolen IAM credentials → deployment of Lambda functions with AuthType: NONE. The technique maps to MITRE ATT&CK T1608.003 (Serverless Execution) and T1078 (Valid Accounts). No specific CVE; the abuse stems from default permissive settings of Lambda Function URLs. Source: Qualys Blog – HazyBeacon AWS Lambda Abuse
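The Recommended Actions and Technical Notes above describe two defensive checks: detect the setup step (a CreateFunctionUrlConfig or UpdateFunctionUrlConfig call with AuthType NONE) in CloudTrail, and continuously audit existing Function URL configurations for the permissive setting. The script below is an added example, not code from Qualys, AWS or the HazyBeacon analysis. The CloudTrail records and Function URL configurations it scans are constructed samples; the field names follow the shape of real CloudTrail Lambda events and of boto3's lambda.list_function_url_configs() output, and the included Service Control Policy assumes the lambda:FunctionUrlAuthType condition key.

```python
"""Detect and audit public (AuthType NONE) Lambda Function URLs.

Added example, not Qualys or AWS code. Two checks:
  1. find_public_url_events(): scan CloudTrail records for
     CreateFunctionUrlConfig / UpdateFunctionUrlConfig calls that set
     authType to NONE (the setup step of the HazyBeacon relay).
  2. find_public_url_configs(): audit Function URL configurations
     (same shape as lambda.list_function_url_configs()["FunctionUrlConfigs"])
     for AuthType NONE, as a continuous-configuration check would.
All sample inputs below are constructed, not real captured data.
"""
import json
from typing import Iterable

WATCHED_EVENTS = {"CreateFunctionUrlConfig", "UpdateFunctionUrlConfig"}


def find_public_url_events(records: Iterable[dict]) -> list[dict]:
    """Return one finding per CloudTrail record that creates or updates a
    Function URL with authType NONE; other Lambda events are ignored."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "lambda.amazonaws.com":
            continue
        if rec.get("eventName") not in WATCHED_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        if str(params.get("authType", "")).upper() != "NONE":
            continue
        identity = rec.get("userIdentity") or {}
        findings.append({
            "time": rec.get("eventTime"),
            "event": rec["eventName"],
            "function": params.get("functionName"),
            "url": (rec.get("responseElements") or {}).get("functionUrl"),
            "principal": identity.get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
        })
    return findings


def find_public_url_configs(configs: Iterable[dict]) -> list[str]:
    """Return the ARNs of functions whose Function URL has AuthType NONE."""
    return [c["FunctionArn"] for c in configs if c.get("AuthType") == "NONE"]


# Preventive control: deny creating/updating a Function URL unless the
# request sets AuthType to AWS_IAM (assumes the lambda:FunctionUrlAuthType key).
RECOMMENDED_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyPublicLambdaFunctionUrls",
        "Effect": "Deny",
        "Action": ["lambda:CreateFunctionUrlConfig", "lambda:UpdateFunctionUrlConfig"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"lambda:FunctionUrlAuthType": "AWS_IAM"}},
    }],
}

# Constructed CloudTrail records (not real events).
ACCOUNT = "111122223333"
SAMPLE_TRAIL = [
    {   # the abuse pattern: a new URL with no authentication
        "eventTime": "2025-07-10T02:14:09Z", "eventSource": "lambda.amazonaws.com",
        "eventName": "CreateFunctionUrlConfig", "sourceIPAddress": "203.0.113.17",
        "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/ci-deploy"},
        "requestParameters": {"functionName": "relay-01", "authType": "NONE"},
        "responseElements": {"functionUrl": "https://example-id.lambda-url.ap-southeast-1.on.aws/"},
    },
    {   # legitimate: IAM-authenticated URL, must not be flagged
        "eventTime": "2025-07-10T03:00:00Z", "eventSource": "lambda.amazonaws.com",
        "eventName": "CreateFunctionUrlConfig", "sourceIPAddress": "198.51.100.5",
        "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:role/platform-admin"},
        "requestParameters": {"functionName": "internal-api", "authType": "AWS_IAM"},
    },
    {   # the abuse pattern again, this time downgrading an existing URL
        "eventTime": "2025-07-11T11:42:51Z", "eventSource": "lambda.amazonaws.com",
        "eventName": "UpdateFunctionUrlConfig", "sourceIPAddress": "203.0.113.17",
        "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/ci-deploy"},
        "requestParameters": {"functionName": "internal-api", "authType": "NONE"},
    },
    {   # unrelated Lambda event, ignored
        "eventTime": "2025-07-11T12:00:00Z", "eventSource": "lambda.amazonaws.com",
        "eventName": "GetFunction", "requestParameters": {"functionName": "relay-01"},
    },
]

# Constructed configuration snapshot (not real data).
SAMPLE_CONFIGS = [
    {"FunctionArn": f"arn:aws:lambda:ap-southeast-1:{ACCOUNT}:function:relay-01",
     "FunctionUrl": "https://example-id.lambda-url.ap-southeast-1.on.aws/", "AuthType": "NONE"},
    {"FunctionArn": f"arn:aws:lambda:ap-southeast-1:{ACCOUNT}:function:internal-api",
     "FunctionUrl": "https://other-id.lambda-url.ap-southeast-1.on.aws/", "AuthType": "AWS_IAM"},
]

if __name__ == "__main__":
    print(json.dumps(find_public_url_events(SAMPLE_TRAIL), indent=2))
    print("Public Function URLs:", find_public_url_configs(SAMPLE_CONFIGS))
```

In production the CloudTrail check runs over the trail delivered to S3 or through an EventBridge rule on the two event names, and the configuration check replaces SAMPLE_CONFIGS with the paginated output of lambda.list_function_url_configs() for every function in every region; the SCP closes the gap the detections would otherwise only report after the fact.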