Intelligence & Analysis Report: Cloud-Based Attack Tactics

“The cloud is not a physical entity, but instead is a vast network of remote servers around the globe which are linked together and meant to operate as a single ecosystem. These servers are designed to either store and manage data, run applications or deliver content or a service such as streaming videos, web email, office productivity software or social media.” – Microsoft Azure

Cloud services are increasingly being leveraged by cybercriminals and advanced persistent threat (APT) groups in attack campaigns. These include consumer accounts for OneDrive, Google Drive and Dropbox, compromised SharePoint and G Suite accounts, and the Discord content delivery network (CDN). They are used to host malicious files, phishing pages, redirector links, and other components of attack campaigns. Because these services are also used for legitimate business operations, most detection systems regard them as safe by default. Any threat actor can use them for free or can compromise existing user accounts.

The most common types of cybercrime leveraging the cloud include phishing for malware deployment and credential harvesting. Phishing emails often appear as “Shared File” notifications (examples further down). The user receives a link to a OneDrive or Google Drive file store that often contains a malicious macro-enabled Office document; if the document is opened and macros are enabled, additional malicious payloads are downloaded. These same “Shared File” notifications (and others like them) may also ask the user to enter credentials on a fake Office 365 login page to access the file, compromising the user account. The goal here is to establish a foothold in a target organisation. This foothold can either be sold on underground forums or used for further post-exploitation activity such as business email compromise (BEC), ransomware, or intellectual property theft.

Case Study 1: Cloud for Credential Harvesting

Online forms created with cloud services are one of the most common credential-harvesting phishing tools. Attackers can create, for free, forms that are intended for surveys and use them to collect email addresses and passwords from their targets. This is a fairly simple attack, but what makes it difficult to defend against is that the services are trusted and run on the same systems used for business operations.

Figure 1. AT&T credential harvesting phishing forms using Google Forms. (source)

Figure 2. Office 365, OneDrive, Outlook credential harvesting via Typeforms. (source)

Figure 3. Graphic design tool, Canva, used to host phishing links. (source)

Case Study 2: Abusing the Discord Content Delivery Network for malware

In July 2020, Cyjax researchers observed a malicious spam campaign pushing commodity malware such as the AgentTesla infostealer and the AveMaria remote access Trojan (RAT). This campaign was notable for its reliance on Discord, the instant messaging and VoIP application, to host its payloads. The attackers use ‘cdn.discord.com’ to store the files: in simple terms, this is where Discord hosts images and other files. Because Discord does not moderate the content hosted on the platform, it has become an ideal tool for malspam campaigns. (source)

Case Study 3: TA505 abusing the Cloud

An organised cybercriminal group, tracked as TA505, has launched multiple attack campaigns using “Shared File” notifications. First, the threat actors send a phishing email, usually from a compromised account, that masquerades as a shared file notification. The email contains a link to cloud file storage, typically holding a macro-enabled Office document. MSTIC closely tracks TA505 and has stated that “these campaigns relentlessly use multiple layers of detection evasion techniques to try and slip through defenses.”

Figure 4. Fake “Shared File” notifications in TA505 phishing lures. (source)

Case Study 4: Abuse of Firefox Send

ZDNet reported that Mozilla had abruptly suspended its cloud file-sharing service, Firefox Send. This came after numerous reports of it being leveraged in malware campaigns as a powerful distribution method. All files uploaded and shared through Firefox Send are stored in an encrypted format, and users can configure how long a file is kept on the server and the number of downloads allowed before it expires. Firefox Send has been used to store payloads for all sorts of cybercrime operations, including those linked to FIN7, REvil (Sodinokibi), Ursnif (Dreambot), and Zloader. These are just a few of the malware gangs and strains that have been seen leveraging the service. (source)

Figure 5. Firefox Send leveraged for malware campaigns. (source)

Case Study 5: Using Cloud for Command and Control servers

In August 2020, the cybercrime investigators Group-IB uncovered an industrial espionage campaign linked to a Russian APT that specialises in infiltrating foreign enterprises to steal confidential corporate documents. The group, known as RedCurl, launched 26 attacks against 14 firms without being detected, largely due to its use of custom hacking tools and its copying of the TTPs of professional penetration testers. For this campaign the RedCurl APT relied heavily on cloud services. Rather than have the endpoints it had infected connect directly to command-and-control servers, the attackers routed communications via legitimate cloud-storage services such as cloudme.com, koofr.net, pcloud.com, idata.uz, drivehq.com, driveonweb.de, opendrive.com, powerfolder.com, docs.live.net, syncwerk.cloud, cloud.woelkli.com and framagenda.org. These were used to store RedCurl’s macro-enabled Office documents. The group also used the MultiCloud platform to manage and access storage space across the various services. (source)

Case Study 6: North Korean state-sponsored attack campaign using Google Drive

South Korean cyber defence firm EST Security reported that the North Korean threat group known as Thallium (also known as Kimsuky or Smokescreen) has launched multiple new campaigns on the Korean peninsula and across the Asia Pacific region. The threat actors used tailored spear-phishing emails containing Google Drive links. Behind the Google Drive links are malicious DOC and HWP document files that contain embedded macros. Thallium’s most recent phishing lures masquerade as research papers on Kaesong Industrial Complex workers, as well as decoy submissions for research papers in Asia Pacific countries. (source)

ANALYSIS:

Free cloud file storage platforms are increasingly being adopted by cybercriminals. This is largely due to their wide availability and the lack of up-front investment required, as well as the fact that these platforms preserve the anonymity of their users and can be set up in very little time. The use of cloud services creates difficulties for automated detection systems. It is also difficult for human SOC analysts, as traffic to and from these services appears legitimate. Compromised or threat actor-created cloud services also typically require human analysts to submit takedown requests, which demands security expertise and time, both of which many organisations lack.

MITIGATION:

One way defenders can protect against cloud-based attacks is by monitoring for links and traffic to services such as the Discord CDN, Google Forms, or other cloud services that are not used for business operations. It is prudent to first establish exactly which cloud services the organisation legitimately uses. Defenders, however, cannot always block these cloud services, because the crux of the problem is that they are used for legitimate reasons: they are allowed by default and therefore pass through secure email gateways (SEG) undetected.
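As an added illustration of the check described above (example code, not part of the original report), the following Python script scans constructed email-body and proxy-log lines for links to the cloud file-sharing and form services named in the case studies and flags those not on the organisation's approved list. The host-to-service mapping and the approved set are assumptions; a real deployment would maintain its own.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Illustrative mapping of cloud file-sharing/form hosts to service names,
# drawn from services named in this report (constructed, not exhaustive).
CLOUD_SERVICES = {
    "cdn.discord.com": "Discord CDN",
    "docs.google.com": "Google Docs/Forms",
    "drive.google.com": "Google Drive",
    "typeform.com": "Typeform",
    "canva.com": "Canva",
    "send.firefox.com": "Firefox Send",
    "cloudme.com": "CloudMe",
    "pcloud.com": "pCloud",
    "docs.live.net": "OneDrive",
}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def classify_host(host: str) -> Optional[str]:
    """Return the service name if host or any parent domain is a known cloud file service."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never match the bare TLD
        service = CLOUD_SERVICES.get(".".join(labels[i:]))
        if service:
            return service
    return None


def find_unapproved_cloud_links(lines, approved):
    """Return (line_number, url, service) for links to cloud services not in `approved`.

    `approved` is the set of service names the business actually uses (assumption:
    the organisation maintains such a list and passes it in).
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            service = classify_host(urlparse(url).hostname or "")
            if service and service not in approved:
                hits.append((n, url, service))
    return hits


# Constructed sample lines (phishing email body plus proxy log); not real indicators.
SAMPLE_LINES = [
    "Subject: Shared File - Invoice_Q3.docm",
    "Your colleague shared a file: https://drive.google.com/file/d/EXAMPLEID/view",
    "Review the document: https://cdn.discord.com/attachments/111/222/Invoice_Q3.docm",
    "Sign in to access: https://forms.typeform.com/to/EXAMPLE",
    "Approved share: https://docs.live.net/personal/EXAMPLE/Document.docx",
    "Unrelated link: https://www.example.com/news",
]

if __name__ == "__main__":
    for n, url, svc in find_unapproved_cloud_links(SAMPLE_LINES, approved={"OneDrive"}):
        print(f"line {n}: {svc} link not approved for business use: {url}")
```

The suffix walk in classify_host means a subdomain such as forms.typeform.com still resolves to Typeform, so lures hosted under service subdomains are not missed.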

References:

https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html
https://www.zdnet.com/article/mozilla-suspends-firefox-send-service-while-it-addresses-malware-abuse
https://blog.alyac.co.kr/3228
https://www.bankinfosecurity.com/redcurl-cyber-espionage-gang-targets-corporate-secrets-a-14819
https://www.group-ib.com/resources/threat-research/red-curl.html