Intelligence & Analysis report: Attacks leveraging the Cloud
“The cloud is not a physical entity, but instead is a vast network of remote servers around the globe which are linked together and meant to operate as a single ecosystem. These servers are designed to either store and manage data, run applications or deliver content or a service such as streaming videos, web email, office productivity software or social media.” - Microsoft Azure
Cloud services are increasingly being leveraged by cybercriminals and advanced persistent threat groups in attack campaigns. These cloud services include consumer accounts for OneDrive, Google Drive, DropBox, compromised SharePoint and GSuite accounts, as well as the Discord CDN. These are leveraged to host malicious files, phishing pages, redirector links, and other parts of attack campaigns. These services are often used for business operations and are regarded as safe by default by most detection systems. Any threat actor can leverage these services for free or could compromise user accounts.
The most common types of cybercrime leveraging the cloud includes phishing for malware deployment and credential harvesting. Phishing emails often appear as “Shared File” notifications (examples further down). The user will receive a link to a OneDrive or Google Drive file store that often contains a malicious macro-enabled Office document. If opened and the macros are enabled, additional malicious payloads are downloaded. These same “Shared File” notifications (and others like it) may also ask you to enter credentials to a fake Office 365 login page to access it, compromising the user account. The goal here is to establish a foothold in a target organisation. This can either be sold on underground forums or used for further post-exploitative activities such as business email compromise (BEC), ransomware, or intellectual property theft.
Case Study 1: Cloud for Credential Harvesting
Online forms created with cloud services are one of the common types of credential harvesting phishing tools. The attackers can create forms for free, that are intended for surveys, to collect email addresses and passwords from their targets. This is a fairly simple attack but what makes it difficult to defend against is that the services are trusted and run on the systems used for business operations.
Figure 1. AT&T credential harvesting phishing forms using Google Forms. (source)
Figure 2. Office 365, OneDrive, Outlook credential harvesting via Typeforms. (source)
Figure 3. Graphic design tool, Canva, used to host phishing links. (source)
Case Study 2: Abusing the Discord Content Delivery Network for malware
In July 2020, Cyjax researchers observed a recent malicious spam campaign pushing commodity malware such as the AgentTesla infostealer and AveMaria remote access Trojan (RAT). This campaign was notable due to its reliance on Discord, the instant messaging and VoIP application, to host its payloads. The attackers use ‘cdn.discord.com’ to store the files: in simple terms, this is where Discord hosts images and other files. Because Discord does not moderate the content hosted on the platform, it has become an ideal tool for malspam campaigns. (source)
Case Study 3: TA505 abusing the Cloud
An organised cybercriminal group, tracked as TA505, has launched multiple attack campaigns using “Shared File” notifications. Firstly, the threat actors send a phishing email, usually with a compromised account, that masquerades as a shared file notification. The email contains a link to a cloud file storage, typically containing a macro-enabled Office document. MSTIC closely tracks TA505 and stated that “these campaigns relentlessly use multiple layers of detection evasion techniques to try and slip through defenses.”
Figure 4. Fake “Shared File” notifications in TA505 phishing lures. (source)