CTI Project: Threats Leveraging Legitimate Services
Threat actors increasingly leverage legitimate third-party Platform-as-a-Service (PaaS) providers for phishing and malware deployment. Cloud instances, marketing platforms, content delivery networks (CDNs) and dynamic DNS services have all been weaponised for a range of malicious activity. A key benefit for the attacker is evasion: because these services carry established trust and heavy legitimate usage, defenders are unlikely to block them pre-emptively, so domain- and reputation-based controls let the traffic through and detection has to key on the path, content or behaviour rather than the host. Many malware and phishing campaigns also combine several platforms at once, which makes the malicious activity harder for both human analysts and automated systems to identify. The research in this blog details how cybercriminals leverage these services as credential harvesting pages, payload hosting sites, redirector links, command-and-control (C&C) servers, "dead drop resolvers", and for data exfiltration.
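The "dead drop resolver" technique named above is the clearest illustration of why the trusted host is not the indicator. The following is an added example, not code from the original post or from any campaign it describes: a simulated operator embeds an encoded C&C address in an innocuous-looking profile or paste page on a legitimate service, the implant fetches that page and decodes the address, and an analyst can run the same decoder over retrieved content to recover the real C&C. The marker string `cfg:`, the page text and the address 198.51.100.7 (an RFC 5737 documentation address) are all constructed for this example.

```python
import base64
import re
from typing import Optional, Tuple

# Hypothetical marker the implant searches for inside an otherwise
# legitimate-looking page; constructed for this example.
MARKER = "cfg:"
_HOSTPORT = re.compile(r"^[A-Za-z0-9.\-]{1,253}:\d{1,5}$")


def embed_c2(host: str, port: int, page_text: str) -> str:
    """Operator side: append an encoded C&C address to benign page text.

    The host:port string is base64-encoded so the page shows no obvious
    IP address or domain, then attached to the marker so the implant can
    find it. Nothing here is hidden from a careful reviewer; the point is
    that the hosting service itself looks legitimate.
    """
    token = base64.b64encode(f"{host}:{port}".encode()).decode()
    return f"{page_text}\n{MARKER}{token}"


def resolve_c2(page_text: str) -> Optional[Tuple[str, int]]:
    """Implant (and analyst) side: recover the C&C address from page text.

    Returns (host, port) or None when the page carries no usable marker,
    so a profile that was taken down or edited does not crash the caller.
    """
    match = re.search(re.escape(MARKER) + r"([A-Za-z0-9+/=]+)", page_text)
    if not match:
        return None
    try:
        decoded = base64.b64decode(match.group(1), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    if not _HOSTPORT.match(decoded):
        return None
    host, port_str = decoded.rsplit(":", 1)
    port = int(port_str)
    if not 1 <= port <= 65535:
        return None
    return host, port


def rotate_c2(page_text: str, new_host: str, new_port: int) -> str:
    """Operator side: swap the C&C address by editing only the page.

    This is the operational advantage of a dead drop: the implant never
    changes, and the only domain in its traffic is the trusted service.
    """
    stripped = re.sub(re.escape(MARKER) + r"[A-Za-z0-9+/=]+\n?", "", page_text)
    return embed_c2(new_host, new_port, stripped.rstrip("\n"))


if __name__ == "__main__":
    # Constructed profile text standing in for a page on a legitimate service.
    page = embed_c2("198.51.100.7", 8443, "Hobbyist photographer. Coffee first.")
    print(resolve_c2(page))
    page = rotate_c2(page, "203.0.113.9", 443)
    print(resolve_c2(page))
    print(resolve_c2("Hobbyist photographer. Coffee first."))
```

For the analyst, the takeaway is that proxy logs will only ever show the legitimate service; the actionable indicator is the decoded host and port, and a detection for this pattern has to inspect retrieved content (or the outbound connection that follows the fetch) rather than the domain.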