Hunting Chaos: Cloud Misconfigs & SOCKS Proxy Detection
Just saw the Darktrace report on the new Chaos variant pivoting to misconfigured cloud environments. It's interesting to see it move away from just targeting routers and edge devices. The addition of a SOCKS proxy capability is particularly concerning, as it turns a compromised compute instance into a relay for further attacks.
I've started tuning our detection logic to catch this. Since Chaos often targets Linux-based cloud VMs, I'm focusing on process anomalies and unexpected network listeners. Here is a quick bash snippet to check for processes with hidden names, which is a common tactic for this malware:
# list distinct command names that ps displays in brackets (kernel-thread style)
ps aux | awk '{print $11}' | sort -u | grep -E "^\[.*\]$"
For those of you using Microsoft Sentinel, I've whipped up a KQL query to help spot potential SOCKS proxy traffic by monitoring unusual outbound connections on non-standard ports often used for tunneling:
DeviceNetworkEvents
// ConnectionSuccess is the outbound event; ConnectionAccepted is not a DeviceNetworkEvents ActionType
| where RemotePort in (1080, 3128, 8080, 9050) and ActionType == "ConnectionSuccess"
| summarize count() by DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName
| where count_ > 10
Has anyone seen this variant in the wild yet? I'm curious if the initial access vector is purely brute force on open ports or if they are exploiting specific CVEs in cloud management agents.
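The bracket grep above lists genuine kernel threads as well, since ps prints any process with an empty cmdline as [comm]. The added example below (my code, not from the original post) separates the two the way a responder would on a Linux VM: a real kernel thread has an empty /proc/PID/cmdline, no resolvable /proc/PID/exe and kthreadd (pid 2) as its parent, while a user-space binary that renamed itself still leaves that evidence behind. The records in SAMPLE_RECORDS are constructed; collect_from_proc() reads the same fields from a live /proc tree.

```python
"""Detect user-space processes masquerading as kernel threads.

Added example, not from the original post. Decision rule (assumption based on
Linux /proc semantics): a name that looks like a kernel thread ("[kworker/0:1]")
is only genuine when cmdline is empty, exe cannot be resolved and the parent is
kthreadd (pid 2) or pid 0. Anything else with a bracketed name is user space.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass
from typing import Optional

BRACKETED = re.compile(r"^\[.*\]$")


@dataclass
class ProcRecord:
    pid: int
    name: str            # what `ps` shows: argv[0], or "[comm]" when cmdline is empty
    cmdline: str         # /proc/<pid>/cmdline with NULs replaced by spaces
    exe: Optional[str]   # readlink /proc/<pid>/exe, None when it does not resolve
    ppid: int


def masquerade_reasons(rec: ProcRecord) -> list[str]:
    """Return the user-space evidence for a process that looks like a kernel thread."""
    if not BRACKETED.match(rec.name):
        return []                      # ordinary process name, not in scope here
    reasons = []
    if rec.cmdline:
        reasons.append("non-empty cmdline")          # kernel threads have none
    if rec.exe is not None:
        reasons.append(f"exe resolves to {rec.exe}")  # kernel threads have no exe
    if rec.ppid not in (0, 2):
        reasons.append(f"parent pid {rec.ppid} is not kthreadd")
    return reasons


def find_masquerades(records: list[ProcRecord]) -> dict[int, list[str]]:
    """Map pid -> reasons for every record that fails the kernel-thread test."""
    hits = {}
    for rec in records:
        reasons = masquerade_reasons(rec)
        if reasons:
            hits[rec.pid] = reasons
    return hits


def collect_from_proc(proc_root: str = "/proc") -> list[ProcRecord]:
    """Build records from a live /proc tree (Linux only; run as root so exe resolves)."""
    records = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            with open(os.path.join(base, "stat")) as f:
                # "pid (comm) state ppid ..." -- comm may contain spaces, so split after ')'
                ppid = int(f.read().rsplit(")", 1)[1].split()[1])
            try:
                exe = os.readlink(os.path.join(base, "exe"))
            except OSError:
                exe = None                # ENOENT for kernel threads, EACCES without root
        except OSError:
            continue                      # process exited mid-scan
        name = cmdline.split()[0] if cmdline else f"[{comm}]"
        records.append(ProcRecord(int(entry), name, cmdline, exe, ppid))
    return records


# Constructed sample, not captured from a real host.
SAMPLE_RECORDS = [
    ProcRecord(2, "[kthreadd]", "", None, 0),                                  # genuine
    ProcRecord(15, "[kworker/0:1]", "", None, 2),                              # genuine
    ProcRecord(900, "/usr/sbin/sshd", "/usr/sbin/sshd -D", "/usr/sbin/sshd", 1),  # not bracketed
    ProcRecord(4242, "[kworker/0:1]", "[kworker/0:1]", "/tmp/.x (deleted)", 1),  # renamed argv[0]
    ProcRecord(1337, "[.s]", "", "/dev/shm/.s", 1),                           # zeroed argv, exe remains
]

if __name__ == "__main__":
    for pid, reasons in find_masquerades(SAMPLE_RECORDS).items():
        print(pid, "; ".join(reasons))
```

On a live host, replace SAMPLE_RECORDS with collect_from_proc(); a bracketed name whose exe points into /tmp or /dev/shm is the combination the thread is describing.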
We've seen a similar uptick in our honeypots. The initial access seems to be purely brute-forcing SSH on exposed instances rather than a specific 0-day.
I recommend enforcing AllowTcpForwarding no in your sshd_config if you don't need it. It stops them from turning the host into a proxy immediately even if they get in.
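One trap when applying that setting: sshd keeps the first value it reads for a keyword, so a hardening line appended below an earlier AllowTcpForwarding yes changes nothing, and a Match block can quietly re-enable forwarding for some users. The added example below (my code, not from the post) audits an sshd_config for exactly that; the config texts are constructed, and the rule parsed is only AllowTcpForwarding. Note that this blocks sshd from acting as the relay; it does not stop a separately dropped proxy binary, which the process and Falco checks elsewhere in this thread cover.

```python
"""Audit sshd_config for AllowTcpForwarding with sshd's first-value-wins semantics.

Added example, not from the original post. Assumptions: keywords are
case-insensitive, "Key value" and "Key=value" forms are both accepted, '#'
starts a comment, and everything after a Match line applies only to that block.
"""
from __future__ import annotations

SSHD_DEFAULT_FORWARDING = "yes"   # sshd default when the keyword is absent


def parse_sshd_config(text: str):
    """Return (global_opts, match_blocks); each dict keeps the FIRST value per keyword."""
    global_opts: dict[str, str] = {}
    match_blocks: list[tuple[str, dict[str, str]]] = []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split(None, 1)
        key, rest = tokens[0], (tokens[1] if len(tokens) > 1 else "")
        if "=" in key:                       # "Key=value" form
            key, joined = key.split("=", 1)
            rest = (joined + " " + rest).strip()
        elif rest.startswith("="):           # "Key = value" form
            rest = rest[1:].strip()
        key = key.lower()
        if key == "match":
            current = {}
            match_blocks.append((rest, current))
            continue
        current.setdefault(key, rest)        # first occurrence wins, later ones ignored
    return global_opts, match_blocks


def audit_tcp_forwarding(text: str) -> list[str]:
    """List the places where TCP forwarding is still effectively enabled."""
    global_opts, match_blocks = parse_sshd_config(text)
    findings = []
    effective = global_opts.get("allowtcpforwarding", SSHD_DEFAULT_FORWARDING).lower()
    if effective != "no":
        findings.append(
            f"global AllowTcpForwarding is '{effective}' (first value wins; default is yes)")
    for criteria, opts in match_blocks:
        value = opts.get("allowtcpforwarding")
        if value is not None and value.lower() != "no":
            findings.append(f"Match {criteria}: AllowTcpForwarding re-enabled as '{value}'")
    return findings


# Constructed configs for the example.
WEAK_CONFIG = """
Port 22
AllowTcpForwarding yes
PermitRootLogin no
# appended by a hardening script, but sshd already took the first value
AllowTcpForwarding no
"""

MATCH_CONFIG = """
AllowTcpForwarding no
Match User deploy
    AllowTcpForwarding local
"""

CLEAN_CONFIG = """
Port 22
AllowTcpForwarding=no
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("match", MATCH_CONFIG), ("clean", CLEAN_CONFIG)):
        print(label, audit_tcp_forwarding(cfg) or ["ok"])
```

The authoritative check on the host itself is the effective configuration sshd reports with `sshd -T`, which already applies the first-value rule; this script is for reviewing config files pulled from many instances at once.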
Good catch on the SOCKS proxy. Another angle is to monitor for binary execution in /tmp or /dev/shm. Chaos often drops its payload there to avoid detection.
You can use Falco rules to alert on this behavior:
# placeholder list: add binaries that are legitimately launched from these paths
- list: known_allowed_processes
  items: []

- rule: Executing from World Writable Directory
  desc: Detect execution of binaries from /tmp or /dev/shm
  condition: >
    spawn_process and
    (proc.exepath startswith "/tmp/" or proc.exepath startswith "/dev/shm/") and
    not proc.name in (known_allowed_processes)
  output: "Suspicious execution from writable dir (user=%user.name exe=%proc.exepath command=%proc.cmdline)"
  priority: WARNING
I'm less worried about the malware itself and more about the misconfiguration aspect. If your cloud instances are open to the world via public IPs, it's only a matter of time.
We strictly use Bastion hosts or AWS Systems Manager Session Manager. Removing the SSH gateway entirely stops these bots at the door.