Today Jigsaw Security put out an alert in which we noted a shift in APT28 (Sofacy) activity. This marks the second time in a week that our team has observed this threat actor using AWS to spread malicious code and further their campaign.
We have noted this and warned our end users against whitelisting AWS, even though that may affect legitimate services by blocking legitimate websites. Our Jigsaw Sensor allows good traffic but blocks known bad domains and IP destinations. We have observed many companies whitelisting AWS and Azure, for example, even though these environments are known to host APT malware. We highly recommend not whitelisting these cloud hosting environments, as doing so opens your network up to malicious activity.
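The point above is about evaluation order: if an entire provider range is allowed before known-bad indicators are checked, the indicators never apply. The following is an added example (not Jigsaw Security's or the Jigsaw Sensor's code) that shows the difference between a whitelist-first egress policy and one that checks threat-intelligence indicators first. All CIDRs, IPs and hostnames are constructed from RFC 5737 documentation ranges and `.example` names; they are not real cloud ranges or real indicators.

```python
"""Egress policy check: known-bad indicators must beat broad cloud-provider allow rules.

Added example, not Jigsaw Security code. Every CIDR, IP and hostname below is
constructed (RFC 5737 documentation ranges, .example names), not a real indicator.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class EgressPolicy:
    # Broad allow rules, e.g. "the whole cloud provider" (constructed CIDRs).
    allowed_cidrs: list = field(default_factory=list)
    # Known-bad destinations from threat intelligence (constructed values).
    blocked_ips: set = field(default_factory=set)
    blocked_domains: set = field(default_factory=set)

    def _in_allowed_range(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(c) for c in self.allowed_cidrs)

    def _indicator_hit(self, host: str, ip: str) -> bool:
        if ip in self.blocked_ips:
            return True
        # Match the host and each parent domain so sub.c2.bad.example is caught too.
        labels = host.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in self.blocked_domains for i in range(len(labels)))

    def decide_whitelist_first(self, host: str, ip: str) -> str:
        """The pattern the alert warns against: an allowed range short-circuits the check."""
        if self._in_allowed_range(ip):
            return "allow"
        return "block" if self._indicator_hit(host, ip) else "allow"

    def decide_indicators_first(self, host: str, ip: str) -> str:
        """Indicators are consulted before any allow rule, so a bad host inside
        an allowed provider range is still blocked; everything else is allowed."""
        if self._indicator_hit(host, ip):
            return "block"
        return "allow"


# Constructed sample policy: one "provider" range allowed, a few indicators blocked.
SAMPLE_POLICY = EgressPolicy(
    allowed_cidrs=["203.0.113.0/24"],          # constructed stand-in for a cloud range
    blocked_ips={"203.0.113.77"},              # constructed bad IP inside that range
    blocked_domains={"c2.bad.example"},        # constructed bad domain
)

# Constructed sample flows (host, destination IP).
SAMPLE_FLOWS = [
    ("www.good.example", "203.0.113.20"),      # legitimate service in the allowed range
    ("c2.bad.example", "203.0.113.10"),        # known-bad domain hosted in the allowed range
    ("sub.c2.bad.example", "203.0.113.11"),    # subdomain of a known-bad domain
    ("cdn.good.example", "203.0.113.77"),      # benign-looking name, known-bad IP
    ("update.good.example", "198.51.100.5"),   # outside the allowed range, not an indicator
]


def audit(policy: EgressPolicy, flows) -> list:
    """Return (host, ip, whitelist_first_verdict, indicators_first_verdict) per flow."""
    return [
        (host, ip,
         policy.decide_whitelist_first(host, ip),
         policy.decide_indicators_first(host, ip))
        for host, ip in flows
    ]


def missed_by_whitelist(policy: EgressPolicy, flows) -> list:
    """Flows a whitelist-first policy lets through that indicator-first would block."""
    return [(h, ip) for h, ip, naive, strict in audit(policy, flows)
            if naive == "allow" and strict == "block"]


if __name__ == "__main__":
    for row in audit(SAMPLE_POLICY, SAMPLE_FLOWS):
        print("%-22s %-15s whitelist-first=%-5s indicators-first=%s" % row)
    print("missed by whitelist-first:", missed_by_whitelist(SAMPLE_POLICY, SAMPLE_FLOWS))
```

The legitimate flows are allowed under both orderings; only the three destinations that match an indicator differ, and they differ precisely because they sit inside the range that was whitelisted wholesale. Keeping the indicator check ahead of any provider-wide allow rule is what lets good traffic through while still blocking known bad destinations.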
In addition, the Coldroot APT is being hosted on Vultr (another popular hosting provider). Just because a hosting provider is well known doesn't mean that threat actors won't use the provider's infrastructure to carry out attacks.
For more information
For more information on this threat and to see what malware is being hosted in Amazon, Azure, Vultr and other cloud providers, log in to Jigsaw Security threat intelligence or cross-reference the threat feed.
See this specific event for examples of this activity.