Russian adversaries are taking advantage of trusted cloud services, including Dropbox and Google Drive, to deliver malware to businesses and governments, according to new research.
Cloaked Ursa – also known as the Russian government-linked APT29 or Cozy Bear – is increasingly using popular online storage services because doing so makes attacks difficult to detect and prevent, researchers at Palo Alto Networks Unit 42 wrote in a report.
Believed to have targeted several Western diplomatic missions and foreign embassies between May and June 2022, the recent campaigns were masked as an agenda for an upcoming meeting with an ambassador. But the phishing documents contained a link to a malicious HTML file that served as a dropper for additional malicious files in the target network, including a Cobalt Strike payload.
Palo Alto Networks disclosed the activity to Google and Dropbox, which have taken action to block it. However, the Unit 42 researchers have warned organizations and governments to be on high alert: “In light of APT29’s new tactics, organizations should be concerned about their abilities to identify, inspect and stop unwanted traffic to legitimate cloud storage providers.”
Cozy Bear has previously used legitimate cloud services to deliver malware, but the two most recent campaigns leveraged Google Drive cloud storage services for the first time. “The ubiquitous nature of Google Drive cloud storage services – combined with the trust that millions of customers worldwide have in them – make their inclusion in this APT’s malware delivery process exceptionally concerning,” the researchers said.
When the use of trusted cloud services is combined with encryption, it becomes “extremely difficult” for organizations to detect malicious activity, they warned.
The attack is “hardly surprising,” given that services such as these are used by a large number of organizations, said independent security researcher Sean Wright. “It makes it difficult to tell what is legitimate and what is potentially malicious, so from an attacker perspective, this is an incredibly powerful tool to hide their malicious content and actions.”
To help reduce risk, Wright recommends that organizations standardize on a single cloud storage service. He also advised firms to ensure they use enterprise or business versions. “These often come with extra controls that can help reduce the likelihood of attacks or help gain extra visibility to hopefully catch them in action.”
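Standardizing on one sanctioned storage service gives defenders a concrete policy to check web proxy logs against. As an added example (not from the Unit 42 report or this article), the Python below parses constructed proxy log lines, flags hosts that reached a cloud storage service other than the sanctioned one, and flags hosts whose connections to a storage service recur at near-constant intervals; the domain lists, log format, sample hosts and thresholds are all assumptions.

```python
from datetime import datetime
from statistics import mean, pstdev
STORAGE_DOMAINS = {  # assumed domain families for the two services named above
    "dropbox": ("dropbox.com", "dropboxapi.com", "dropboxusercontent.com"),
    "google_drive": ("drive.google.com", "googleapis.com"),
}
# Constructed proxy log lines: timestamp, source host, destination host, bytes.
SAMPLE_LOG = """\
2022-06-01T09:00:00 ws-017 www.googleapis.com 1412
2022-06-01T09:00:05 ws-017 content.dropboxapi.com 2048
2022-06-01T09:01:05 ws-017 content.dropboxapi.com 2051
2022-06-01T09:02:06 ws-017 content.dropboxapi.com 2047
2022-06-01T09:03:05 ws-017 content.dropboxapi.com 2052
"""

def storage_service(host):
    # Map a destination host to a known storage service name, or None.
    for service, suffixes in STORAGE_DOMAINS.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return service
    return None

def parse(log):
    # Return (timestamp, source host, storage service) tuples, one per log line.
    events = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines instead of aborting the run
        ts, src, dst, _ = fields
        events.append((datetime.fromisoformat(ts), src, storage_service(dst)))
    return events

def unsanctioned(events, sanctioned):
    """(host, service) pairs that reached a storage service other than the sanctioned one."""
    return sorted({(src, svc) for _, src, svc in events if svc and svc != sanctioned})

def beacons(events, min_hits=4, max_jitter=0.1):
    """(host, service) pairs whose storage connections recur at near-constant intervals."""
    by_pair = {}
    for ts, src, svc in events:
        if svc:
            by_pair.setdefault((src, svc), []).append(ts)
    flagged = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            flagged.append(pair)
    return sorted(flagged)
```

In the constructed log, ws-017 uses the sanctioned Google Drive endpoint once but then polls a Dropbox API host roughly every minute, so it is reported by both checks; a single sanctioned-service hit is reported by neither.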
Responding to the findings, a Dropbox spokesperson told Infosecurity: "We can confirm that we worked with our industry partners and the researchers on this matter, and disabled user accounts immediately. If we detect any user violating our terms of service, we take appropriate action, which may include suspending or disabling user accounts."