Sophos discovered the attack while inspecting infected Linux and Windows EC2-based cloud infrastructure servers running in Amazon Web Services. The attack, which Sophos says is likely the handiwork of a nation-state, uses a rootkit that gave the attackers remote control of the servers. The rootkit also allowed the C2 servers to remotely control servers physically located in the organization. “The firewall policy was not negligent, but it could have been better,” said Sophos researcher Chet Wisniewski.
Source: https://www.darkreading.com/cloud/-cloud-snooper-attack-circumvents-aws-firewall-controls

