Cloud Services Are Increasingly Exploited for Command and Control in Cyber Espionage Operations

Written by

This past month has been tumultuous for cloud threats. In the latest monthly Netskope Threat Labs Report, the data confirmed that threat actors’ abuse of cloud services continued relentlessly. In February, 65% of malware was downloaded from a legitimate cloud app, in line with the average value of the past 12 months (after the peak of 80% achieved in February 2021). In terms of the most exploited services, Google Drive has declined for the fifth month in a row, reaching a 12-month low. This trend was probably driven by the additional protections that Google has recently put in place to warn users when they open potentially malicious content. That’s precisely the opposite of what happened to Microsoft OneDrive, which is steadily leading the unwelcome chart of the most exploited services, reaching a 12-month high with a 45% share. 

Even though Microsoft and Google services together account for 82% of the malware downloads across all cloud apps, they are not the only services to be exploited for malicious purposes. In fact, the distribution of malicious content is just one way threat actors can abuse a cloud service.

Consider as an example Microsoft OneDrive. Not only does it firmly hold the scepter of the most commonly abused cloud service to deliver malware, it’s also interesting to note that state-sponsored actors increasingly abuse its API to host Command and Control (C&C) infrastructures for cyber-espionage campaigns. In fact, the weaponization of legitimate cloud services for C&C is an increasingly common trend in cyber espionage campaigns, and most importantly, it is not limited to OneDrive.

More Cyber Espionage Campaigns Are Exploiting Legitimate Cloud Services for their Command and Control Infrastructure

The Russian cyber-espionage group APT28 (AKA Fancy Bear) has always been at the forefront of cloud-native threats, having been among the first advanced persistent threat (APT) groups to understand the potential of cloud services as both targets and launchpads of evasive attacks.

In a recent campaign targeting high-ranking government and defense industry officials of a West Asian nation, APT28 deployed malware, dubbed ‘Graphite’ and characterized by the utilization of Microsoft OneDrive as its command and control infrastructure via the Microsoft Graph API (nomen est omen). This highly sophisticated operation also showed another common pattern consisting of its hybrid nature: a spear-phishing email (exploiting the CVE-2021-40444 MSHTML remote code execution vulnerability) used to deliver the initial payload and a legitimate cloud service used to conceal the C&C traffic.

A C&C attack based on the OneDrive API was also used for Marlin, a backdoor deployed by the suspected Iranian threat actor OilRig in a campaign targeting multiple organizations in Israel, Tunisia and the United Arab Emirates since August 2021. Once again, the attack chain leveraged a hybrid approach using a spear-phishing email (or remote access software) to gain initial access and a legitimate cloud service to communicate secretly with the attackers.

OneDrive is Not the Only One…

Dropbox is another legitimate cloud service whose API is frequently exploited by state-sponsored actors for C&C communication. In a recent example, the alleged Palestinian APT group Molerats deployed a new malicious implant dubbed ‘NimbleMamba’ in a campaign targeting Middle Eastern governments, foreign policy think tanks, and a state-affiliated airline. In this specific campaign, the attackers abused Dropbox for the C&C communication and to deliver the malicious payload. This double utilization pinpoints the two characteristics that make cloud services particularly compelling for malicious actors: their flexibility (including the simplicity of setup and the reduced time to launch the attack) and their ability to evade legacy security solutions by being considered trusted sources (yes, the shared responsibility model is still a hard pill to swallow). 

"Dropbox is another legitimate cloud service whose API is frequently exploited by state-sponsored actors for C&C communication"

Global State-Sponsored Actors Are Jumping on the Cloud Bandwagon

Cloud storage services are not the only ones that can be exploited for command and control. In January 2022, the North Korean group Lazarus (aka HIDDEN COBRA) launched a new campaign targeting the defense industry via a malicious document masquerading as a job opportunity from Lockheed Martin. This campaign was characterized by exploiting Windows Update to execute the malicious code and bypass the security mechanisms and by exploiting GitHub as the C&C infrastructure. Legacy technologies cannot differentiate between legitimate and malicious connections, and the attackers took immediate advantage of this.

A Cloud Service Can Also Be Used to Proxy the Real Command and Control

Using a legitimate cloud service as a proxy for the real C&C is another technique used by threat actors. In this scenario, the malicious payload installed in the victim’s endpoint retrieves the C&C coordinates from the cloud service, providing an additional resilience level to the malicious infrastructure behind it. If the real C&C is compromised or sinkholed, the attackers need to set up a new C&C and change the descriptor in the exploited cloud service without losing control of the compromised endpoints. Pastebin is a cloud service typically used for this purpose, as demonstrated by a recent campaign targeting the Indian Army via fake, malicious versions of legitimate apps used by military personnel: ARMAAN (Army Mobile Aadhaar App Network) and HAMRAAZYouTube is another service that can be used for this purpose by embedding C&C coordinates in video comments.

Detecting Malicious Traffic to Rogue Cloud Instances

These examples demonstrate the multitude of cloud services that can be exploited for C&C communication – and we only considered a few recent instances relating to cyber-espionage. Imagine then the sheer number of possibilities open to attackers when we consider that our latest Cloud and Threat Report showed that an organization with 500–2000 employees used an average of 39 distinct cloud storage apps in 2021.

One crucial step organizations can take to detect malicious traffic directed to rogue cloud instances (exploited for C&C or malware delivery) is shifting to a cloud-delivered, context-driven and data-driven security model. This enables you to enforce cloud inline analysis of managed and unmanaged cloud apps for data context, plus policing web traffic within a single-pass security service edge (SSE) architecture to enable data and threat protection defenses while maintaining a fast user experience. Organizations can ensure a selective and safe enablement of cloud apps based on a comprehensive app risk assessment with the ability to recommend safer app alternatives via real-time coaching and proceed/cancel alerts. With the advanced analytics offered by SSE, organizations can visualize and uncover app and data activity risks, threat activity, data protection violations, key security metrics and investigative details. This allows them to implement and enforce granular policy controls for data protection, including movement to and from apps, between company and personal instances, shadow IT, users, websites, devices and locations. Threat actors are making the most of cloud services for malicious purposes, so organizations should do the same for their security.

What’s hot on Infosecurity Magazine?