Intelligence & Analysis report: Attacks leveraging the Cloud

-

The cloud is not a physical entity, but instead is a vast network of remote servers around the globe which are linked together and meant to operate as a single ecosystem. These servers are designed to either store and manage data, run applications or deliver content or a service such as streaming videos, web email, office productivity software or social media.” - Microsoft Azure

Cloud services are increasingly being leveraged by cybercriminals and advanced persistent threat groups in attack campaigns. These cloud services include consumer accounts for OneDrive, Google Drive, DropBox, compromised SharePoint and GSuite accounts, as well as the Discord CDN. These are leveraged to host malicious files, phishing pages, redirector links, and other parts of attack campaigns. These services are often used for business operations and are regarded as safe by default by most detection systems. Any threat actor can leverage these services for free or could compromise user accounts.

The most common types of cybercrime leveraging the cloud includes phishing for malware deployment and credential harvesting. Phishing emails often appear as “Shared File” notifications (examples further down). The user will receive a link to a OneDrive or Google Drive file store that often contains a malicious macro-enabled Office document. If opened and the macros are enabled, additional malicious payloads are downloaded. These same “Shared File” notifications (and others like it) may also ask you to enter credentials to a fake Office 365 login page to access it, compromising the user account. The goal here is to establish a foothold in a target organisation. This can either be sold on underground forums or used for further post-exploitative activities such as business email compromise (BEC), ransomware, or intellectual property theft.

Case Study 1: Cloud for Credential Harvesting

Online forms created with cloud services are one of the common types of credential harvesting phishing tools. The attackers can create forms for free, that are intended for surveys, to collect email addresses and passwords from their targets. This is a fairly simple attack but what makes it difficult to defend against is that the services are trusted and run on the systems used for business operations. 

Figure 1. AT&T credential harvesting phishing forms using Google Forms. (source)

Figure 2. Office 365, OneDrive, Outlook credential harvesting via Typeforms. (source)

Figure 3. Graphic design tool, Canva, used to host phishing links. (source)

Case Study 2: Abusing the Discord Content Delivery Network for malware


In July 2020, Cyjax researchers observed a recent malicious spam campaign pushing commodity malware such as the AgentTesla infostealer and AveMaria remote access Trojan (RAT). This campaign was notable due to its reliance on Discord, the instant messaging and VoIP application, to host its payloads. The attackers use ‘cdn.discord.com’ to store the files: in simple terms, this is where Discord hosts images and other files. Because Discord does not moderate the content hosted on the platform, it has become an ideal tool for malspam campaigns. (source)


Case Study 3: TA505 abusing the Cloud


An organised cybercriminal group, tracked as TA505, has launched multiple attack campaigns using “Shared File” notifications. Firstly, the threat actors send a phishing email, usually with a compromised account, that masquerades as a shared file notification. The email contains a link to a cloud file storage, typically containing a macro-enabled Office document. MSTIC closely tracks TA505 and stated that “these campaigns relentlessly use multiple layers of detection evasion techniques to try and slip through defenses.”


Figure 4. Fake “Shared File” notifications in TA505 phishing lures. (source)

Case Study 4: Abuse of FireFox Send

ZDNet reported that Mozilla Firefox had abruptly suspended its cloud file sharing service called Firefox Send. This came after numerous reports of it being leveraged in malware campaigns as a powerful distribution method. All files uploaded and shared through Firefox Send are stored in an encrypted format, and users can configure the amount of time the file is saved on the server and the number of downloads before the file expires. Firefox Send has been used to store payloads for all sorts of cybercrime operations, such as those linked to FIN7, REVil (Sodinokibi), Ursnif (Dreambot), and Zloader. These are just some of the few malware gangs and strains that have been seen leveraging the service. (source)


Figure 5. Firefox Send leveraged for malware campaigns. (source)

Case Study 5: Using Cloud for Command and Control servers

In August 2020, cybercrime investigators, Group-IB, uncovered an industrial espionage campaign linked to a Russian APT that specialises in infiltrating foreign enterprises to steal confidential corporate documents. The group, known as RedCurl, launched 26 attacks against 14 firms without being detected. This was largely due to the use of custom hacking tools and copying the TTPs of professional penetration testers. For this campaign the RedCurl APT relied heavily on cloud services. Rather than have endpoints it had infected connect directly to command-and-control servers, the attackers routed communications via legitimate cloud-storage services - such as cloudme.com, koofr.net, pcloud.com, idata.uz, drivehq.com, driveonweb.de, opendrive.com, powerfolder.com, docs.live.net, syncwerk.cloud, cloud.woelkli.com and framagenda.org. These were used to store RedCurl’s macro-enabled Office documents. It also used the MultiCloud platform for managing and accessing storage space from the various services. (source)


Case Study 6: North Korean state-sponsored attack campaign using Google Drive

South Korean cyber defence firm, EST Security, reported that the North Korean threat group known as Thallium (also known as Kimsuky or Smokescreen) has launched multiple new campaigns on the Korean peninsula and across the Asia Pacific region. The North Korean threat actors used tailored spear-phishing emails with Google Drive links. Inside the Google Drive links are malicious DOC and HWP document files that contain embedded macros. Thallium’s most recent phishing lures masquerade as research papers on Kaesong Industrial Complex workers as well as decoy submissions for research papers in Asia Pacific countries. (source)


ANALYSIS: 

Free cloud file storage platforms are increasingly being adopted by cybercriminals. This is largely due to their wide availability and the lack of up-front investment that is required, as well as the fact that these platforms preserve the anonymity of their users and can be set up in very little time. The use of cloud services provide difficulties for automated detection systems. They are also difficult for human SOC analysts as traffic coming to and from these services appear legitimate. Compromised or threat actor-created cloud services also typically require human analysts to submit takedown requests. This requires security expertise and it takes time, something that many organisations lack.

MITIGATION: 

One way defenders can protect against cloud-based attacks is via checking for things like Discord CDN, Google Forms, or other cloud services that are not used for business operations. It may be prudent to check exactly what services are being used here. Defenders, however, cannot always block these cloud services. This is because it causes issues as the crux of this problem is that these services are used for legitimate reasons. They are allowed by default and therefore, pass through secure email gateways (SEG) undetected.

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more

The Ransomware Tool Matrix

-
Image
Introduction Ransomware attacks are becoming increasingly damaging, but one thing remains consistent: the tools these cybercriminals rely on. The Ransomware Tool Matrix is a comprehensive resource that sheds light on the tactics, techniques, and procedures (TTPs) commonly used by ransomware and extortionist gangs. This repository provides defenders with actionable intelligence on the tools frequently leveraged by adversaries, thanks to the insights shared publicly by the US Cybersecurity and Infrastructure Security Agency (CISA)'s #StopRansomware advisories and The DFIR Report's publications, among others. This repository offers straightforward insights from compiled open source intelligence (OSINT) research that can be directly applied to threat hunting, detection engineering, and incident response operations. Project Background As defenders, we can turn the tables by exploiting a crucial flaw committed by ransomware gangs: tool reuse. Many ransomware gangs repeatedly rely on
Read more