As threat groups eye cloud storage, email and messaging platforms to leverage in their cyberattacks, technology providers are searching for new ways to step up their defense strategies so that they’re not just scrambling to shut down this abuse, but proactively preventing it in the first place.
For many years, threat groups have been leveraging legitimate services in all aspects of their cyberattacks - for command-and-control (C2) communication, payload delivery or data exfiltration, for instance. For victims, this abuse can make cyberattacks difficult to detect. But beyond that, this tactic means reduced operational overhead and lower infrastructure costs for cybercriminals, as it makes the overall C2 server installation easier and cuts out the need for hosting or registration fees.
APT groups have spearheaded innovation efforts around this type of abuse, but less sophisticated groups are also following suit in a “trickle down effect,” said researchers with Recorded Future’s Insikt Group in a report this month.
“The lack of comparable reporting makes it challenging to quantify a definitive trend, but we will likely see an increase in LIS [legitimate internet services] abuse for adversary infrastructure given the gradual adoption of LIS abuse methods and infrastructure by well-established malware families, the prevalence of LIS abuse activity among more recent malware strains, and the rapid pace of innovation in abusing LIS by APT groups,” said researchers.
Insikt Group researchers recently examined more than 400 malware families and found that 25 percent of them abused legitimate internet services as part of their attack infrastructure, with cloud storage platforms like Google Drive being the most commonly abused platform (followed by messaging applications like Telegram, email services such as Gmail SMTP and social media platforms).
Previously, threat actors have used cloud storage platforms and other legitimate services for payload delivery (as seen in Agent Tesla campaigns using Pastebin or Guloader leveraging Google Drive) or data exfiltration (such as using publicly accessible APIs, email services or cloud storage tools).
But beyond these functions, threat actors are becoming more innovative in how they abuse legitimate components of all types, across all parts of their attack. In one incident, for instance, researchers with Mandiant observed threat actors leveraging the serial console on Azure virtual machines - the remote tool that can be accessed via the Azure portal and is used for troubleshooting issues on Azure virtual machines - in order to gain full administrative access to VMs post-compromise.
“One key driver behind the increasing abuse of LIS for malicious infrastructure by both cybercriminals and APT groups is likely the increased maturity of organizations in detecting network traffic anomalies,” said Julian-Ferdinand Vögele, threat intelligence analyst for Recorded Future's Insikt Group. “But there are also other drivers, including reduced operational overhead, lower infrastructure costs, potentially better operational security, high uptime, minimal scrutiny, and lastly, it's worth noting that numerous organizations still do not have this threat on their radar. What actually drives the adoption depends on factors like skill level, available resources, the threat actor, the target, and various other considerations.”
In order to prevent this type of abuse, technology companies are both working to better understand how and why their services are being abused and making it more difficult for threat actors to abuse them.
Many organizations monitor their platforms for anomalous behavior that could potentially be associated with malicious campaigns. Ryan Orsi, AWS's global head of Cloud Foundational Partners for Security, said that everything stems back to patterns for user account behaviors.
“Once a legitimate use pattern emerges for a user, then higher-level patterns also emerge at the team, department, business unit, and ultimately company levels as well,” said Orsi. “Everything begins with the user identity. These legitimate usage and access patterns are based upon the user object and their legitimate identity which in turn determines access the user is granted to various IT and SaaS resources. Anomalous usage or access behavior of legitimate internet services can then be detected and surfaced for investigation or potentially immediate remediation including access removal.”
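Orsi's point about usage patterns forming first at the user level and then at the team level can be made concrete with a small baseline check over egress logs. This is an added example, not the article's or AWS's code; the log records, users, teams and the ten-times volume threshold are constructed for illustration, and the watched hosts stand in for the service categories the Insikt report names (cloud storage, messaging, email).

```python
# Added example: per-user and per-team baselines of access to commonly abused
# legitimate services, then scoring of new events against those baselines.
from collections import defaultdict

# Hosts standing in for the LIS categories the Insikt report names as most abused.
WATCHED_SERVICES = {
    "drive.google.com": "cloud storage",
    "api.telegram.org": "messaging",
    "smtp.gmail.com": "email",
}
# Constructed egress log records: (day, user, team, destination host, bytes out).
BASELINE_LOGS = [
    ("d1", "alice", "finance", "drive.google.com", 200_000),
    ("d1", "bob", "finance", "drive.google.com", 50_000),
    ("d1", "carol", "eng", "api.telegram.org", 2_000),
    ("d2", "carol", "eng", "api.telegram.org", 3_000),
]
NEW_LOGS = [
    ("d3", "alice", "finance", "drive.google.com", 180_000),  # within alice's norm
    ("d3", "bob", "finance", "api.telegram.org", 4_000),      # new for bob and his team
    ("d3", "dave", "finance", "drive.google.com", 60_000),    # new for dave, common in team
    ("d3", "carol", "eng", "api.telegram.org", 900_000),      # known service, 300x volume
]

def build_baseline(logs):
    """Per-user and per-team sets of watched services, plus each user's peak bytes per host."""
    user_services, team_services, user_peak = defaultdict(set), defaultdict(set), defaultdict(int)
    for _day, user, team, host, out_bytes in logs:
        if host not in WATCHED_SERVICES:
            continue
        user_services[user].add(host)
        team_services[team].add(host)
        user_peak[(user, host)] = max(user_peak[(user, host)], out_bytes)
    return user_services, team_services, user_peak

def score_events(baseline, logs, volume_factor=10):
    """Return (user, host, severity, reason) for events deviating from the baseline."""
    user_services, team_services, user_peak = baseline
    findings = []
    for _day, user, team, host, out_bytes in logs:
        if host not in WATCHED_SERVICES:
            continue
        category = WATCHED_SERVICES[host]
        if host not in user_services[user]:
            # A service first seen for this user is less alarming if the team already uses it.
            if host in team_services[team]:
                findings.append((user, host, "low", f"first use of {category} by user, common in team"))
            else:
                findings.append((user, host, "high", f"first use of {category} by user and team"))
        elif out_bytes > volume_factor * user_peak[(user, host)]:
            findings.append((user, host, "high", f"{category} volume {out_bytes} exceeds {volume_factor}x peak"))
    return findings
```

Running `score_events(build_baseline(BASELINE_LOGS), NEW_LOGS)` surfaces bob and carol as high severity and dave as low, while alice's routine cloud-storage use produces nothing.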
After detection, several triage measures are typically in place, and companies will usually suspend associated malicious accounts and alert impacted end users. Google’s cybercrime investigation group in 2021 announced it had made sweeping account disablements in order to disrupt malicious activity from the Glupteba botnet, for instance, terminating millions of Google Docs, as well as Google Accounts, Cloud Projects, and Google Ads accounts that were being misused as part of the botnet’s distribution. And Microsoft last year announced it had suspended 20 malicious OneDrive applications associated with an operational group based in Lebanon.
Organizations may take a number of related measures, like filing abuse reports with domain hosts, publishing indicators of compromise so that end users and security teams can have a better understanding of the malicious activity, and notifying the broader public about malicious activity. However, the level of triage comes down to the resources that a company has, said Orsi.
“It’s simply zero percent effective to detect these events if no action, either human or automation, takes place afterward,” said Orsi. “For some organizations, keeping up with responding to security events can outpace their security staffing levels depending on the company’s comfortability level with an automated response via codified runbooks.”
While these measures are effective in defending against campaigns that have already happened, threat actors are constantly updating their tactics and technology providers have been looking at ways to more proactively prevent platform abuse.
In its crackdown on Glupteba in 2021, for instance, Google also announced a lawsuit against the operators of the botnet, alleging that their operations infringed on the company’s trademarks, and violated the Computer Fraud and Abuse Act and other U.S. statutes. The hope here was to create more of a legal liability for the cybercriminals, according to Google, and in December 2022, the court not only ruled in the company’s favor, but also issued monetary sanctions against both the Russian-based defendants and their U.S.-based lawyer, meaning that they had to pay Google’s legal fees.
Microsoft has also relied on legal means, using copyright claims to obtain court orders over the years for disrupting infrastructure used by cybercriminals like APT35, Fancy Bear and a North Korean threat group.
Earlier this year, the company also partnered with Health Information Sharing and Analysis Center (Health-ISAC) and Fortra, maker of the Cobalt Strike legitimate adversary simulation tool, to obtain a court order to remove illegal, legacy copies of Cobalt Strike so that cybercriminals could no longer abuse them. Microsoft said that instead of disrupting the C2 for a malware family, it hopes that cracking down on Cobalt Strike abuse will kneecap cybercriminal operations using these tools for distribution methods.
“While this action will impact the criminals’ immediate operations, we fully anticipate they will attempt to revive their efforts,” said Microsoft in a statement. “Our action is therefore not one and done. Through ongoing legal and technical action, Microsoft, Fortra and Health-ISAC, along with our partners, will continue to monitor and take action to disrupt further criminal operations, including the use of cracked copies of Cobalt Strike.”
It’s important to note that these defensive measures by technology providers, while temporarily disruptive on those specific platforms, aren’t completely eliminating cybercriminal operations. Last year, for instance, Nozomi Networks researchers said they observed Glupteba resurfacing in June 2022, despite Google’s best efforts.
Still, the goal behind these disruptions is to make it harder for cybercriminals to leverage legitimate platforms, and the good news is that, while the use of legitimate platforms has various advantages for cybercriminals, it also comes with challenges.
“It's crucial to emphasize that threat actors also face significant challenges when attempting to abuse LIS, including the inherent functional limitations of these services, the theoretical feasibility of blocking them, and the proactive efforts by [legitimate internet service] providers to counter such abuse,” Vögele said.
A critical piece to defending against these types of abuses is collaboration, whether that’s with threat research teams, ISPs, CERTs or international cybercrime agencies. As part of its Glupteba disruption, for instance, Google partnered with internet infrastructure providers and hosting providers like Cloudflare to disrupt the operation, taking down services and posting warning alerts over malicious domain names.
“Bad actors have been utilizing endless variations of the ancient story of the trojan horse including re-packing malware files to disguise malicious code deployment to appear a legitimate business, operating system, and even printer driver files,” said Orsi. “Evading detection is their goal and the techniques continue to evolve which is why there exists an incredibly vibrant ecosystem of companies… that develop countermeasures.”