According to the Netskope Threat Labs Statistics, March 2024 set new record numbers in terms of exploitation of legitimate cloud services by opportunistic and state-sponsored threat actors. For the first time in 2024, more than half of all malware delivered from HTTP or HTTPS came from a legitimate cloud service, hitting a 10-month high.
In parallel, the attackers continued to diversify the number of cloud apps they abuse for malicious purposes, looking for new services to exploit besides the usual suspects like Microsoft OneDrive, Microsoft SharePoint and GitHub; and launching sophisticated campaigns that leverage multiple legitimate services throughout the attack chain.
As a consequence, 59% of malware originating from the cloud came from 235 distinct apps, the highest number on record so far.
The Recent Example of APT43
An example of how many legitimate cloud services can be combined within a sophisticated, evasive attack chain, and how they are exploited by state-sponsored groups, is a recent campaign targeting South Korean individuals working in the security sector.
APT43 is a prolific threat actor aligned with North Korea and focused on cyber espionage against governments, business services, manufacturing, education and research sectors, and think tanks dealing with geopolitical and nuclear policy. There is a marked interest in South Korea, Japan, Europe and the US.
Despite being focused on cyber espionage, the group is also engaged in cybercrime as a way to fund espionage operations.
As in many targeted campaigns, APT43’s initial lure was a social engineering trap: an email invite. It allegedly came from the Korean Embassy in China and contained a request to attend a closed-door policy meeting.
The initial payload, disguised as a meeting plan document, was delivered through Google Drive and Microsoft OneDrive links embedded in the email body, in two different variants of the same campaign.
The pretext given in the phishing email for using cloud storage links was to bypass the Great Firewall of China, but we know that hosting the malicious payload in a cloud storage service gives the attackers multiple advantages. Not only are the operational tasks simplified, with virtually no limit to the number of instances that can be created, but a cloud service also provides a resilient infrastructure and a very effective way to conceal the malicious traffic inside legitimate sessions.
It is an evasive tactic that is even more effective when the attackers use a compromised legitimate account to deliver the malicious payload. It is also useful when the targeted organization complies with the best practices of some cloud service providers, who recommend bypassing TLS inspection for their traffic: a recommendation that makes it impossible to detect malicious payloads inside that legitimate traffic.
In the case of the campaign launched by APT43, the exploitation of legitimate services did not end with the delivery of the initial payload: another well-known legitimate service, Dropbox, was exploited to host and deliver the BabyShark malware at the end of this multi-stage campaign.
Dropbox is particularly effective for the attackers because it provides a set of APIs that serve multiple purposes: delivering malware, but also hosting the command and control (C2) infrastructure or the drop zone for stolen data.
This campaign is a clear example of how multiple different legitimate services can be exploited to provide additional layers of evasion. Unfortunately, there are multiple other ways to abuse a legitimate service within either a cybercrime or a cyberespionage operation.
Iranian UNC1549 Case Study
Attackers can create an almost unlimited number of malicious instances using a legitimate cloud service. Moreover, delivery and distribution are not the only ways a legitimate cloud platform can be exploited. Hosting the C2 infrastructure in a legitimate service is another common scenario, as demonstrated by a campaign that has been active since January 2022.
This campaign targets the aerospace, aviation and defense industries in the Middle East, and is carried out by the threat actor UNC1549, linked to Iran’s Islamic Revolutionary Guard Corps (IRGC).
In this case, the attackers used 125 Azure C2 subdomains to host the C2 infrastructure. The intent was to make it difficult to discern malicious activity from legitimate network traffic. The ubiquity of the Azure infrastructure provided an additional advantage to the attackers because, in some cases, the servers were geolocated in the targeted countries (Israel and the UAE), which further disguised their activity.
The attackers added a further level of legitimacy to their campaign by using domain names that included strings that seemed legitimate to their victims: countries, organization names, languages or descriptions related to the targeted sector. What’s more, with a cloud service the attackers do not even need to register a domain of their own, which makes life much easier for them and gives them additional ways to unleash their creativity.
How to Stay Protected Against Cloud Attacks
Legacy web security solutions were not built for an internet dominated by the cloud. A new security posture is needed to effectively address this threat landscape. The key pillars of protecting against the exploitation of cloud applications should include:
- Educate: The average user interacts with 20 cloud applications, so they must be educated as to what constitutes responsible use of corporate and personal cloud applications.
- Inspect: All HTTP and HTTPS downloads must be inspected with the same security efficacy, including all web and cloud traffic, to identify and contain C2 connections and also to prevent malware from infiltrating the network. This is regardless of whether the attack is launched from a traditional domain or a legitimate trusted cloud service.
- Configure: Policies must follow a zero trust approach and block connections to cloud apps or cloud app instances that are not used in the organization, reducing the risk surface to only those apps and instances that are necessary for the business.
- Align: Ensure that all security defences share intelligence and work together to streamline security operations.
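As an added illustration of the Inspect and Configure pillars (example code written for this page, not part of the original article or any Netskope product): a review pass over constructed proxy log records that flags cloud-app downloads the proxy could not decrypt, and downloads from app instances outside a hypothetical sanctioned list. The tenant names, hostnames and the SANCTIONED policy are assumptions.

```python
import re
from urllib.parse import urlparse

# Hypothetical policy (assumption): app -> instances the business actually uses.
# An empty set means the app is reachable but no instance is sanctioned for downloads.
SANCTIONED = {
    "sharepoint": {"contoso-example"}, "onedrive": {"contoso-example"},
    "github": {"contoso-example-org"}, "dropbox": set(), "gdrive": set(),
}

def classify(url):
    """Map a URL to (app, instance). SharePoint/OneDrive carry the tenant in the
    hostname, GitHub in the first path segment; Dropbox and Google Drive shared
    links expose no tenant in the URL, so their instance is None."""
    u = urlparse(url)
    host, path = (u.hostname or ""), u.path.strip("/").split("/")
    m = re.fullmatch(r"([a-z0-9-]+?)(-my)?\.sharepoint\.com", host)
    if m:
        return ("onedrive" if m.group(2) else "sharepoint", m.group(1))
    if host in ("github.com", "raw.githubusercontent.com"):
        return ("github", path[0].lower() if path and path[0] else None)
    if host.endswith("dropbox.com") or host.endswith("dropboxusercontent.com"):
        return ("dropbox", None)
    if host in ("drive.google.com", "drive.usercontent.google.com"):
        return ("gdrive", None)
    return (None, None)

def review(records):
    """Return (url, reason) for each record that violates Inspect or Configure."""
    findings = []
    for r in records:
        app, instance = classify(r["url"])
        if app is None:
            continue                       # not a cloud app this policy tracks
        if not r["decrypted"]:
            findings.append((r["url"], "tls-bypass"))   # Inspect: nothing to scan
        elif r["download"] and instance not in SANCTIONED[app]:
            findings.append((r["url"], f"unsanctioned-{app}-instance"))  # Configure
    return findings

# Constructed sample records, not real traffic; identifiers are placeholders.
SAMPLE = [
    {"url": "https://contoso-example.sharepoint.com/sites/hr/policy.pdf", "decrypted": True, "download": True},
    {"url": "https://someone-else.sharepoint.com/shared/Meeting_Plan.docx", "decrypted": True, "download": True},
    {"url": "https://www.dropbox.com/s/CONSTRUCTED/update.zip?dl=1", "decrypted": False, "download": True},
    {"url": "https://github.com/contoso-example-org/tools/archive/main.zip", "decrypted": True, "download": True},
    {"url": "https://drive.google.com/uc?id=CONSTRUCTED_ID&export=download", "decrypted": True, "download": True},
]

if __name__ == "__main__":
    for url, reason in review(SAMPLE):
        print(f"{reason:34} {url}")
```

The two reasons map directly onto the pillars: a `tls-bypass` finding means the download was never inspected, while an `unsanctioned-*-instance` finding is a download from an instance the business does not use and that a zero trust policy would block.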
The increasing exploitation of legitimate cloud services for malicious purposes presents a significant and evolving threat to cybersecurity. The sophisticated tactics employed by threat actors, such as APT43 and UNC1549, highlight the necessity for a robust and adaptive security posture. As cloud service exploitation continues to grow, staying vigilant and proactive in cybersecurity best practice will be essential in safeguarding critical data and infrastructure.