CTI Project: Threats Leveraging Legitimate Services
Legitimate third-party Platform-as-a-Service (PaaS) providers are increasingly leveraged by threat actors for phishing and malware delivery. Cloud instances, marketing platforms, content delivery networks (CDNs), and dynamic DNS services have all been weaponised for a range of malicious activities. A key benefit for the attacker is evasion: these services are unlikely to be pre-emptively blocked because of their established trust and legitimate usage.
Many of these malware and phishing campaigns also chain multiple platforms together in a single attack, making the activity particularly difficult for human analysts and automated systems to identify as malicious. The research in this blog details how cybercriminals leverage these services as credential harvesting pages, payload hosting sites, redirector links, C&C servers, "dead drop resolvers", and for data exfiltration.
An open-source resource in the form of a GitHub repository has been created to accompany this blog. At the time of writing there are over 180 legitimate services listed as being weaponised for all kinds of attacks. This GitHub repository will be continually updated when new services are identified.
In September 2020, I wrote about how threat actors leverage the cloud to support campaigns (see here). This blog extends that research and documents the findings I have observed both first-hand from consulting with clients with my employer and from what I have read in reports by security researchers, vendors, and public sector bodies over the last two years.
Office 365 credential harvesting campaigns
Legitimate services are often exploited to support phishing campaigns targeting Office 365 users. A range of sites are used as credential theft landing pages, media sharing sites are used to host PDF files with embedded links, and URL shortening services and redirection links are used to obscure the threat actors' infrastructure.
The LogoKit campaign exemplifies this type of activity. Phishing emails were sent via SendGrid (an email marketing campaign platform) and used personalised, specially crafted URLs containing the victim's email address. Once visited, the phishing page displays the company logo taken from a third-party service, such as Clearbit or Google's favicon database. To host these LogoKit phishing sites, these threat actors used a range of free or cheap hosting services, such as GitHub, AWS, Google Cloud, Archive.org, and Glitch, among others. [1, 2]
In June 2021, I disclosed an Office 365 phishing campaign leveraging SharePoint accounts and *.hostingerapp[.]com hostnames. I like to call these threat actors the SHopper group (SharePoint Hopper) because for several months they exclusively leveraged the features of compromised SharePoint accounts to share malicious PDF files with embedded *.hostingerapp[.]com links to phish other Office 365 accounts. A variety of organisations were caught in this campaign, including US schools and colleges, engineering firms, professional services, logistics firms, and manufacturers, among others. Acquiring this level of access to a large number of SharePoint accounts at various organisations could lead to subsequent malware, ransomware, or business email compromise (BEC) incidents. [1]
In February 2021, I wrote a blog on a new wave of credential theft attacks also targeting Office 365 users. They included multiple steps and various legitimate platforms, namely media sharing and document hosting sites (such as *.clickfunnels[.]com or *.larksuite[.]com). In October 2021, the Microsoft 365 Defender Threat Intelligence Team also referenced this research in their blog on 'Franken-phish: TodayZoo built from other phishing kits'. [1, 2]
Initial Access and Ransomware campaigns
Ransomware continues to be the most profitable method of monetising unauthorised access to compromised networks. It is the biggest threat to private and public sector organisations, large and small. In the last three years, hundreds of hospitals have been hit by ransomware, as well as other critical infrastructure organisations such as Colonial Pipeline and JBS Foods.
Many of these attacks begin with a malicious spam (malspam) or spear-phishing email to gain initial access. These emails are often cleverly crafted and designed to bypass detection and evade analysis. Generic malspam posing, once again, as important documents is sent in vast numbers to lists of collected email addresses, regularly harvested from data breaches. These emails can contain a URL pointing to marketing services, cloud services, or files hosted on CDNs.
In April 2021, I shared my research into malicious spam campaigns pushing the BazarLoader, a malware family associated with the Trickbot Gang (also known as WizardSpider), as well as Conti and Ryuk ransomware operations. From the GitHub repository shared as part of this research (see here), the WizardSpider group appears no less than 17 times. The group seems to prefer using legitimate PaaS providers, cloud services, and CDNs, to host payloads to avoid detection and bypass defences for all the reasons outlined above and in the original blog. [1]
Multiple other infamous ransomware gangs have leveraged legitimate services in a similar way. This includes the operators of DarkSide (also known as CarbonSpider or FIN7) who used drive[.]google[.]com, azuredge[.]net, and cdn[.]shopify[.]com to support the delivery of the SMOKEDHAM .NET backdoor; the operators of REvil (also known as PinchySpider) who used hastebin[.]com and send[.]firefox[.]com to deliver payloads, and DoppelSpider (the operators of DoppelPaymer and Grief ransomware) who leverage files[.]slack[.]com and cdn[.]discordapp[.]com to push DoppelDridex and Cobalt Strike Beacons. [1, 2, 3, 4, 5]
Cyber-espionage campaigns
Cyber-espionage campaigns are regularly reported in the InfoSec media, but they are often narrow in scope and mostly impact political and government organisations, critical infrastructure, or military entities. For many organisations, these campaigns may receive more attention than the likelihood of being targeted by a foreign intelligence service warrants. However, the key reason to monitor such campaigns is for new tactics, techniques, and procedures (TTPs). Very few cyberattacks are truly original. When advanced techniques pioneered by state-backed threat actors are disclosed, they may later be adopted by cybercriminals looking to upgrade their campaigns.
As of 2020, Dropbox reported having over 700 million users. As a file sharing platform it is used around the world for transferring documents and other digital materials between users. It should come as no surprise that a service this widely adopted is leveraged for malicious activity. However, state-backed threat actors from Russia, China, and Iran went one step further than using Dropbox to distribute malicious files: they leveraged the Dropbox API (api[.]dropboxapi[.]com) as a command and control (C&C) channel to camouflage malicious network traffic within the benign. In June 2020, SecureWorks disclosed that Chinese threat actors (known as BRONZE VINEWOOD or APT31) had developed a remote access Trojan (RAT) called DropboxAES, which leveraged the file-sharing service for its C&C communications. In December 2020, ESET researchers documented that Turla, a Russia-backed APT group, also leveraged the Dropbox API to steal sensitive documents and issue commands to its custom Crutch backdoor. ESET found Crutch on the network of a Ministry of Foreign Affairs in a European Union country. More recently, in October 2021, Cybereason disclosed the MalKamak campaign, attributed to Iran, which also used Dropbox as a C&C platform, potentially inspired by the aforementioned Russian and Chinese APT campaigns. [1, 2, 3]
Another concerning trend in cyber-espionage campaigns is the use by advanced persistent threat (APT) groups of legitimate remote management and monitoring (RMM) tools of the kind normally used by managed service providers (MSPs). In February 2021, Anomali disclosed that the MuddyWater APT group, attributed to Iran, leveraged the OneHub (ws[.]onehub[.]com) file storage site to push the legitimate ScreenConnect remote access tool. The compromised device connects to an adversary-controlled *.screenconnect[.]com instance, which provides remote control over the victim's system. MuddyWater's ScreenConnect lures masqueraded as the Kuwaiti government and the UAE National Council, indicating the likely targets of this campaign. Connections to ScreenConnect servers could easily go unnoticed or be viewed as legitimate, given the nature of the tool and who usually uses it. [1, 2]
In April 2021, I blogged about dead drop resolvers (see here), an unusual method of C&C communication inspired by traditional espionage tradecraft. A "dead drop" is a well-known spy tactic in which parties pass messages covertly via mutually agreed secret locations, without ever meeting. For several years, certain state-backed computer network operations (CNOs) and mercenary APTs have used dead drop resolvers hosted on social media sites, image and video sharing sites, and forums. In October 2019, ESET disclosed that an APT group known as TheDukes (also called APT29 or CozyBear), which operates on behalf of the Russian foreign intelligence service (the SVR), uses dead drop resolvers to hide the C&C server addresses of its PolyGlotDuke malware. In August 2020, Kaspersky uncovered that a mercenary APT known as DeathStalker also relied heavily on dead drop resolvers, which store data at a fixed URL in public posts, comments, user profiles, and content descriptions. Connections to these sites look like normal day-to-day user behaviour: defenders usually have no reason to suspect a user's system contacting YouTube, Reddit, or Instagram. [1, 2]
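To make the dead drop mechanism concrete, here is a reduced model of it. This is an added illustration, not code from PolyGlotDuke, DeathStalker or any of the reports above: the fixed public URL is simulated by a dictionary standing in for a comment the operator controls, and the encoding (base64 between the hypothetical `<<` and `>>` markers) is an assumption chosen for readability. What it shows is the property defenders care about: the implant only ever knows the benign site's URL, and the operator can move the real C&C server by editing one public post.

```python
"""Dead drop resolver, reduced to its mechanism (added example, not any group's code)."""
import base64
import re
from typing import Dict, Optional

# Hypothetical delimiters around the encoded payload; real implants use their own schemes.
MARKER_START, MARKER_END = "<<", ">>"
TOKEN_RE = re.compile(re.escape(MARKER_START) + r"([A-Za-z0-9+/=]+)" + re.escape(MARKER_END))
# The implant should only accept something that looks like a hostname.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)

# Stand-in for a public page at a fixed URL (e.g. a comment under a video).
# Constructed sample data; in reality the implant fetches this over HTTPS.
FIXED_URL = "https://video-site.example/watch?v=abc123#comment-42"
PUBLIC_SITE: Dict[str, str] = {}


def drop(c2_hostname: str, cover_text: str) -> None:
    """Operator side: (re)publish innocuous cover text with the encoded C&C hostname inside."""
    token = base64.b64encode(c2_hostname.encode()).decode()
    PUBLIC_SITE[FIXED_URL] = f"{cover_text} {MARKER_START}{token}{MARKER_END}"


def resolve(page_text: str) -> Optional[str]:
    """Implant side: extract the current C&C hostname, or None if absent or malformed."""
    m = TOKEN_RE.search(page_text)
    if m is None:
        return None
    try:
        host = base64.b64decode(m.group(1), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    return host if HOSTNAME_RE.match(host) else None


def beacon_target() -> Optional[str]:
    """What the implant does on each check-in: read the fixed URL, then decide where to beacon."""
    return resolve(PUBLIC_SITE.get(FIXED_URL, ""))


if __name__ == "__main__":
    drop("c2-one.example", "Great video, thanks for sharing!")
    print("implant resolves:", beacon_target())      # c2-one.example
    drop("c2-two.example", "Great video, thanks for sharing!")  # operator edits the comment
    print("after rotation:", beacon_target())        # c2-two.example, implant unchanged
    print("no drop present:", resolve("Great video, thanks for sharing!"))  # None
```

The only destination hard-coded in the implant is the benign site, which is exactly why proxy logs show nothing unusual: the actual C&C address lives in the post and is rotated by editing it.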
Additional findings
While reading threat reports almost every day for the last two years, I noticed that a number of threat actors, from cybercriminals to APT groups, prefer to use Dynamic DNS (DDNS) services for their C&C hostnames. DDNS lets the adversary repoint a C&C hostname to a new IP address within seconds, which means campaigns last longer: if defenders submit a takedown request against the host, the adversary can rehost the C&C hostname immediately. Because DDNS hostnames are subdomains of the provider's domain, a Whois lookup returns only the provider's registration details, which further helps adversaries evade analysis and attribution.
Two threat actors stood out to me as groups that have extensively used DDNS services to support malware campaigns. The operators of the JsOutProx RAT were first disclosed by Yoroi in December 2019 and have been active ever since, primarily targeting the financial sector in South Asian countries, as well as Africa and the Middle East. The group, also known as SolarSpider, has leveraged up to seven different DDNS services for its C&C servers and has clearly recognised the benefits of DDNS for running targeted malware campaigns. Another threat group that favours DDNS and free hosting services is TA406 (which is linked to Kimsuky). The group has used up to 10 different services for C&C hostnames to support spear-phishing espionage and cybercrime campaigns. [1, 2]
Conclusion
From my experience, most threat actors reuse existing malware, infrastructure, and methods in new combinations, or evolve older techniques. The same adversaries often attack companies in the same industry repeatedly. Using cyber threat intelligence to track which legitimate services are abused in the wild improves the effectiveness of blocking technologies and allows security operations centre (SOC) analysts to decide quickly and accurately which alerts require action.
It should be clear that this tactic evades detection because of the level of trust previously established and the decreased likelihood of these services being blocked. Media sharing sites, social media platforms, marketing services, and file storage services are used for everyday business operations and are regarded as safe by default by many detection systems. It is also difficult for human SOC analysts, as traffic to and from these services appears legitimate. Many of the platforms listed in the GitHub repository moderate hosted content rarely or not at all, which makes them ideal tools for malspam campaigns. Further, in some cases, even if the threat actor deletes the file or removes their account, the platform still serves the file from its CDN.
The fact that these services are used by some of the most prominent cybercriminal gangs and experienced APT groups should signal that this is something to be concerned about. These platforms are often incorporated into carefully designed attacks to slip past detection systems and basic traffic analysis, and when several legitimate platforms are combined in one attack they become very difficult to spot.
These services will remain attractive to threat actors because they are widely available, require no up-front investment, preserve anonymity, and accounts can even be created with automated scripts. It would be prudent for defenders to check exactly which of these services are in use in their own environment. Defenders, however, cannot always block these cloud services outright: doing so breaks legitimate business use, and that is the crux of the problem.
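Because these services cannot simply be blocked, the practical use of a watchlist like the accompanying repository is triage rather than blocking. The script below is an added example written for this post (it is not the repository's own tooling) that runs over constructed proxy log lines in an assumed `<ISO timestamp> <client ip> <method> <url>` format. The watchlist is a hand-picked subset of hostnames named in this post, grouped by the role each played; `ddns.example` is a placeholder for a real DDNS provider, and the 10-minute chaining window and the email-in-URL pattern are assumptions. It flags three things covered above: a client touching two or more service roles in quick succession (a multi-platform chain), a URL on a free hosting service carrying the victim's email address (LogoKit-style personalisation), and any contact with a DDNS hostname. A lone hit on a business-use service such as the Dropbox API produces no finding.

```python
"""Triage proxy logs against a watchlist of abused legitimate services (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Hostname suffixes grouped by the role they played in the campaigns described in this post.
# Suffix matching means any subdomain (e.g. a per-tenant or DDNS label) also matches.
# "ddns.example" is a placeholder: substitute real DDNS providers from the repository.
WATCHLIST: Dict[str, Tuple[str, ...]] = {
    "hosting": ("hostingerapp.com", "clickfunnels.com", "larksuite.com"),
    "cdn":     ("cdn.discordapp.com", "files.slack.com", "cdn.shopify.com"),
    "paste":   ("hastebin.com", "send.firefox.com"),
    "storage": ("api.dropboxapi.com", "ws.onehub.com"),
    "rmm":     ("screenconnect.com",),
    "ddns":    ("ddns.example",),
}

CHAIN_WINDOW = timedelta(minutes=10)                       # assumed chaining window
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+(?:@|%40)[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")            # assumed log line format


def classify(hostname: str) -> Optional[str]:
    """Return the watchlist role for a hostname, matching exact names and subdomains only."""
    host = hostname.lower().rstrip(".")
    for role, suffixes in WATCHLIST.items():
        for suffix in suffixes:
            if host == suffix or host.endswith("." + suffix):
                return role
    return None


def parse(line: str) -> Optional[dict]:
    """Split one constructed log line into timestamp, client IP, URL and hostname."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ts, src, _method, url = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "url": url,
            "host": urlsplit(url).hostname or ""}


def triage(lines: List[str]) -> List[dict]:
    """Produce analyst findings; single hits on watchlisted services are deliberately not alerted."""
    findings: List[dict] = []
    per_src = defaultdict(list)                                # src ip -> [(ts, role, url)]
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        role = classify(ev["host"])
        if role is None:
            continue
        per_src[ev["src"]].append((ev["ts"], role, ev["url"]))
        if role == "ddns":                                     # DDNS as C&C hostname
            findings.append({"type": "ddns_c2_candidate", "src": ev["src"], "url": ev["url"]})
        if role == "hosting" and EMAIL_RE.search(ev["url"]):   # personalised phishing URL
            findings.append({"type": "personalised_phish_url", "src": ev["src"], "url": ev["url"]})
    # Chains: two or more distinct roles from the same client inside CHAIN_WINDOW.
    for src, events in per_src.items():
        events.sort()
        for i, (t0, r0, _) in enumerate(events):
            roles = {r0}
            for t1, r1, _ in events[i + 1:]:
                if t1 - t0 > CHAIN_WINDOW:
                    break
                roles.add(r1)
            if len(roles) >= 2:
                findings.append({"type": "multi_platform_chain", "src": src, "roles": sorted(roles)})
                break                                          # one chain finding per client
    return findings


# Constructed sample log: a lone Dropbox API call, a Slack-hosted PDF followed by a
# personalised hostingerapp.com login page and a Discord CDN download, and a DDNS beacon.
SAMPLE_LOG = """\
2021-11-02T09:14:03 10.0.0.12 GET https://api.dropboxapi.com/2/files/list_folder
2021-11-02T09:20:41 10.0.0.25 GET https://files.slack.com/files-pri/T0/F0/invoice.pdf
2021-11-02T09:21:05 10.0.0.25 GET https://secure-docs.hostingerapp.com/login#jane.doe%40example.com
2021-11-02T09:22:17 10.0.0.25 POST https://cdn.discordapp.com/attachments/1/2/update.bin
2021-11-02T11:02:55 10.0.0.40 GET https://host-update.ddns.example/gate.php
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(finding)
```

The suffix match in `classify` is deliberate: `dropboxapi.com.evil.test` must not be treated as Dropbox, and a tenant label such as `secure-docs.hostingerapp.com` must be. Swap the watchlist for the full list in the repository and the log parser for your proxy's format, and the rest stays the same.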