Some well-resourced attack groups have recently been seen taking advantage of common cloud services and platforms as part of their operations, both for initial access and for data exfiltration and storage.
Researchers at Fox-IT, part of NCC Group, have been tracking an attack group for the last couple of years that has targeted companies in the semiconductor and aviation industries through a number of different techniques. The group is almost entirely focused on intellectual property theft and has spent as long as three years dwelling inside a victim’s network, patiently collecting data and gradually exfiltrating it. Known publicly as Chimera, the group seems to operate in support of the interests of the Chinese government, Fox-IT said, and typically starts its operations by collecting usernames and passwords from public credential dumps. The group uses those credentials in password-spraying and credential-stuffing attacks against cloud email services as an initial entry point.
“After obtaining a valid account, they use this account to access the victim’s VPN, Citrix or another remote service that allows access to the network of the victim. Information regarding these remote services is taken from the mailbox, cloud drive, or other cloud resources accessible by the compromised account,” a report from Fox-IT says.
“As soon as they have a foothold on a system (also known as patient zero or index case), they check the permissions of the account on that system, and attempt to obtain a list of accounts with administrator privileges. With this list of administrator-accounts, the adversary performs another password spraying attack until a valid admin account is compromised.”
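The two-stage spraying described above (first against cloud email, then against a harvested list of admin accounts) has a recognisable shape in sign-in logs: many distinct accounts, one or two failures each, from a single source, unlike brute force, which hammers one account. The detector below is an added example, not code from Fox-IT or CISA; the log format, the IP addresses and the account names are constructed for illustration.

```python
"""Password-spray detector over constructed cloud sign-in log lines.

Assumed log format (not from any real product): "<ISO timestamp> <source_ip> <user> <result>".
Spray: breadth across accounts, shallow per account.  Brute force: depth on one account.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.5 sprays four accounts once each and lands on a
# valid one; 198.51.100.7 brute-forces a single account; 192.0.2.10 is a user
# who mistyped a password once.  None of these are real indicators.
SAMPLE_LOG = """\
2021-01-14T09:00:01Z 203.0.113.5 alice@example.com FAILURE
2021-01-14T09:00:03Z 203.0.113.5 bob@example.com FAILURE
2021-01-14T09:00:05Z 203.0.113.5 carol@example.com FAILURE
2021-01-14T09:00:07Z 203.0.113.5 dave@example.com SUCCESS
2021-01-14T09:01:00Z 198.51.100.7 erin@example.com FAILURE
2021-01-14T09:01:02Z 198.51.100.7 erin@example.com FAILURE
2021-01-14T09:01:04Z 198.51.100.7 erin@example.com FAILURE
2021-01-14T09:01:06Z 198.51.100.7 erin@example.com FAILURE
2021-01-14T09:02:00Z 192.0.2.10 frank@example.com FAILURE
2021-01-14T09:02:30Z 192.0.2.10 frank@example.com SUCCESS
"""

def parse(log):
    """Yield (timestamp, ip, user, result) tuples from the assumed log format."""
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result

def detect_spray(log, window=timedelta(minutes=30), min_users=3, max_per_user=2):
    """Return {ip: {"sprayed": [...], "succeeded": [...]}} for each source that failed
    against >= min_users distinct accounts inside `window`, each tried at most
    max_per_user times.  "succeeded" lists accounts that then signed in from that
    source: the valid account the attackers go on to use for VPN/Citrix access."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(parse(log)):
        by_ip[ip].append((ts, user, result))
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [(ts, u) for ts, u, r in evs if r == "FAILURE"]
        for i, (start, _) in enumerate(fails):          # sliding window over failures
            per_user = Counter(u for ts, u in fails[i:] if ts - start <= window)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts[ip] = {"sprayed": sorted(per_user),
                              "succeeded": sorted({u for _, u, r in evs if r == "SUCCESS"})}
                break
    return alerts

if __name__ == "__main__":
    print(detect_spray(SAMPLE_LOG))
```

On the constructed sample only the spraying source is reported; the single-account brute force and the mistyped login fall below the distinct-account threshold.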
Once they gain access to an admin account, the Chimera attackers load a Cobalt Strike beacon into memory on the machine, and the beacon then becomes the adversary’s means of remote access. The next step is lateral movement and exploration of the network, which is business as usual for most groups of this kind. During that process, the attackers install more Cobalt Strike beacons as needed and identify information of interest for collection and exfiltration. For smaller pieces of data, the attackers use the Cobalt Strike C2 channel, but for larger dumps they compress it and exfiltrate it to a Microsoft OneDrive account.
Enterprises have been moving their apps and infrastructure to the cloud en masse in recent years, and the advantages of those services and platforms have not been lost on attackers, either.
“We are seeing more APT actors and cybercrime groups doing the same because the IT industry is making that move. My gut feeling is it’s following the industry. The cloud offers some new opportunities for attackers. Cloud infrastructure is the same for all organizations, so if you’re attacking Office 365, it’s a standardized method with tools standardization across the landscape. Sometimes it lets you be more stealthy because the level of visibility and awareness organizations have in cloud environments is not as much as on premises,” said Christo Butcher, global lead for threat intelligence at Fox-IT.
Among the victims that Chimera has targeted are a semiconductor company in Europe as well as some airlines. The techniques and tactics in the intrusions are similar, and the group has a custom piece of malware that it uses to exfiltrate stolen data to one of several cloud storage services, including OneDrive, Dropbox, and Google Drive. The malware also is designed to stay hidden on various servers for months or years at a time inside a victim network and identify sensitive data.
“It sits on servers that have good information to keep an eye on things and carves data out of memory, does DLL sideloading, and uses legitimate processes to hide,” Butcher said. “These are the signs of someone who wants to sit there quietly and exfiltrate data for as long as possible.”
Chimera is not the only adversary targeting cloud platforms and services, and earlier this week the Cybersecurity and Infrastructure Security Agency (CISA) warned of a rash of recent attacks on enterprise cloud services. Those attacks, which CISA has helped investigate, have involved similar tactics and techniques to the Chimera operations, including password spraying, phishing, and brute-force attempts.
“The cyber actors designed emails that included a link to what appeared to be a secure message and also emails that looked like a legitimate file hosting service account login. After a targeted recipient provided their credentials, the threat actors then used the stolen credentials to gain Initial Access to the user’s cloud service account. The actors then sent emails from the user’s account to phish other accounts within the organization. In some cases, these emails included links to documents within what appeared to be the organization’s file hosting service,” the CISA advisory says.
In some instances, the Chimera group was able to bypass MFA protection on some accounts by registering an additional mobile phone on the account to receive the SMS messages with one-time passwords. Other attack groups have used this method, and the CISA advisory said that attackers are using other techniques to access accounts protected by MFA.
“CISA verified that the threat actors successfully signed into one user’s account with proper multi-factor authentication (MFA). In this case, CISA believes the threat actors may have used browser cookies to defeat MFA with a ‘pass-the-cookie’ attack,” CISA said.
Fox-IT’s Butcher said the Chimera group seems to work on long-term assignments, gathering information over an extended period of time.
“We believe they are still active but we don’t know what they’re working on now,” he said.