According to research from Netskope Threat Labs, more than half of all HTTP/HTTPS malware downloads continue to originate from popular cloud apps, with Microsoft OneDrive firmly holding on to the title of most abused app for delivering malicious content. But while distributing malware and phishing pages may be the most common way legitimate cloud services are abused, it is far from the only one.
Take Microsoft OneDrive as an example: not only is it the cloud app most abused to deliver malware, it is also increasingly used by state-sponsored threat actors as a command and control (C2) channel. This is plainly visible in recent global conflicts, with Russian threat actors launching multiple such campaigns over the course of 2023, the majority of which, unsurprisingly, have been aimed at targets in Ukraine.
The Domination of APT29
A key threat actor with a reputation for abusing legitimate cloud services as C2 infrastructure is APT29 (also known as Cozy Bear, Cloaked Ursa, BlueBravo, Midnight Blizzard, and formerly Nobelium). Attributed to Russia's Foreign Intelligence Service (SVR) and widely considered the group behind the SolarWinds supply-chain compromise, this threat actor is also particularly active in launching campaigns against Ukraine and against European governments with an interest in the country.
These campaigns share a common denominator: Microsoft OneDrive and Dropbox are used for command and control. These two popular services are not chosen at random. A legitimate cloud service offers attackers some basic advantages: simplicity and flexibility in standing up the infrastructure for the attack, plus the trust that users and organizations already place in the service, which lets the malicious traffic blend in with legitimate traffic to the same domains and evade traditional network security defenses.
They also expose a flexible set of APIs that simplify and automate the hostile activity, such as the retrieval of new commands by the malicious payload deployed on the endpoint. Ironically, the properties attackers value are the same ones businesses use to evaluate which cloud service provider to adopt.
One such operation, unearthed in July 2023 but active since mid-April 2023, targeted 22 foreign embassies in Kyiv using a legitimate BMW advertisement from a diplomat within the Polish Ministry of Foreign Affairs as the lure for a malicious payload. The attackers leveraged the fact that a luxury car is hard to find in a warzone, and that a diplomat is a trusted source. This campaign, which used both the Microsoft Graph API and the Dropbox API for C2 communication, was not an isolated episode.
A few days later, another campaign by the same threat actor, with similar characteristics, was uncovered: it ran between March and May 2023 and targeted government entities in Europe with an interest in Ukraine. Its central element was a new malware variant dubbed GraphicalProton, which once again abused Microsoft OneDrive and Dropbox for C2 infrastructure.
If the name GraphicalProton sounds familiar, that is because the "Graph" refers to the Microsoft Graph API used for C2 communication, and the malware is an evolution of GraphicalNeutrino, another variant developed by the same group and discovered in January 2023. GraphicalNeutrino abuses the Notion note-taking and collaboration service as its C2 channel, and was deployed in October 2022 against embassy staff with an interest in Ukraine.
The Rise of New Frameworks
In a separate cluster of activity in the same "flavor", an APT group also linked to the Russo-Ukrainian conflict developed a malware framework dubbed CommonMagic to target government, agriculture and transportation organizations in the Donetsk, Lugansk and Crimea regions since at least September 2021. Discovered in March 2023, this implant is again characterized by its use of Microsoft OneDrive and Dropbox as C2 infrastructure.
The same mysterious threat actor, allegedly operating out of Ukraine, unleashed a further cluster of even more sophisticated activity using a newer malware framework dubbed CloudWizard. Discovered in May 2023, CloudWizard was deployed against a broader set of victims across the country and went a step beyond its predecessor by adding Google Drive, yet another well-known cloud service, as a further C2 channel alongside the two usual suspects, Microsoft OneDrive and Dropbox.
Cloud services are clearly a cornerstone of state-sponsored C2 infrastructure today. While the cyber threat from cloud applications has historically come from opportunistic cyber-criminals, the rise of sophisticated state-sponsored groups taking advantage of the proliferation of these services, and their prominence in the Russo-Ukrainian cyber conflict, should serve as a wake-up call for users to be vigilant in their day-to-day digital interactions.
Staying Protected
Today, a typical organization with 500-2000 users uses an average of 1558 distinct cloud apps each month, and 79% of those users regularly upload, create, share, or store data in cloud apps. Unfortunately, legacy security solutions were not built for an internet dominated by the cloud to this extent, and organizations must adopt a security posture that matches this threat landscape. The key pillars of protecting against the abuse of cloud applications should include:
- Educate: On average, 15% of users upload data to personal apps and to personal instances of corporate apps. Users must be educated about what constitutes responsible use of corporate and personal cloud applications.
- Inspect: All HTTP and HTTPS traffic, web and cloud alike, must be inspected with the same efficacy, both to identify and contain command and control connections and to stop malware entering the network regardless of whether it is served from a traditional domain or a trusted cloud service. Because the malicious traffic goes to the same hosts as legitimate use of the same service, inspection has to look at the content, the app instance and the pattern of the traffic rather than trusting the domain.
- Configure: Policies must block connections to cloud apps, and to instances of cloud apps, that the organization does not use, reducing the risk surface to only the apps and instances the business needs.
- Align: Ensure that all security defenses share intelligence and work together to streamline security operations.
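As an added example (not code from the original article or from Netskope) of what "identify and contain command and control connections" in cloud traffic can look like in practice, the script below applies a simple beacon heuristic to web-proxy logs. It assumes a proxy that writes one pipe-delimited line per request (timestamp, client IP, destination host, path, User-Agent, response bytes); the log lines, client addresses, paths and the list of API hosts are all constructed for illustration. The heuristic keys on the behaviour the campaigns above rely on: an implant polling a cloud API (Microsoft Graph, Dropbox, Google Drive) for new commands produces requests at machine-regular intervals, whether or not it spoofs a browser User-Agent, while a user's interactive use of the same service does not.

```python
"""Beacon heuristic over proxy logs for cloud API hosts used as C2 channels.

Added example, not from the original article or from Netskope. Assumes a
pipe-delimited proxy log: ts|client_ip|host|path|user_agent|bytes.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# API hosts behind the services named in the article (Graph/OneDrive,
# Dropbox, Google Drive). Assumed list; extend it for the apps your org uses.
CLOUD_API_HOSTS = {
    "graph.microsoft.com",
    "api.dropboxapi.com",
    "content.dropboxapi.com",
    "www.googleapis.com",
}

MIN_REQUESTS = 5   # enough samples to judge periodicity
MAX_CV = 0.15      # pstdev/mean of inter-request gaps; lower = more machine-like

# Constructed sample log: a Graph poller with a non-browser UA, a Dropbox
# poller hiding behind a browser UA, a user browsing OneDrive, and noise.
BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/115.0"
SAMPLE_LOG = "\n".join([
    "2023-07-12T09:00:00Z|10.1.4.23|graph.microsoft.com|/v1.0/me/drive/root:/sync/cmd.txt:/content|GraphClient/1.0|512",
    "2023-07-12T09:01:01Z|10.1.4.23|graph.microsoft.com|/v1.0/me/drive/root:/sync/cmd.txt:/content|GraphClient/1.0|512",
    "2023-07-12T09:01:59Z|10.1.4.23|graph.microsoft.com|/v1.0/me/drive/root:/sync/cmd.txt:/content|GraphClient/1.0|512",
    "2023-07-12T09:03:00Z|10.1.4.23|graph.microsoft.com|/v1.0/me/drive/root:/sync/cmd.txt:/content|GraphClient/1.0|640",
    "2023-07-12T09:04:02Z|10.1.4.23|graph.microsoft.com|/v1.0/me/drive/root:/sync/cmd.txt:/content|GraphClient/1.0|512",
    "2023-07-12T09:04:58Z|10.1.4.23|graph.microsoft.com|/v1.0/me/drive/root:/sync/cmd.txt:/content|GraphClient/1.0|512",
    f"2023-07-12T09:00:00Z|10.1.4.77|api.dropboxapi.com|/2/files/list_folder|{BROWSER}|348",
    f"2023-07-12T09:05:00Z|10.1.4.77|api.dropboxapi.com|/2/files/list_folder|{BROWSER}|348",
    f"2023-07-12T09:10:01Z|10.1.4.77|api.dropboxapi.com|/2/files/list_folder|{BROWSER}|348",
    f"2023-07-12T09:14:59Z|10.1.4.77|api.dropboxapi.com|/2/files/list_folder|{BROWSER}|351",
    f"2023-07-12T09:20:00Z|10.1.4.77|api.dropboxapi.com|/2/files/list_folder|{BROWSER}|348",
    f"2023-07-12T09:25:00Z|10.1.4.77|api.dropboxapi.com|/2/files/list_folder|{BROWSER}|348",
    f"2023-07-12T09:00:00Z|10.1.4.50|graph.microsoft.com|/v1.0/me/drive/recent|{BROWSER}|8211",
    f"2023-07-12T09:00:37Z|10.1.4.50|graph.microsoft.com|/v1.0/me/drive/root/children|{BROWSER}|15420",
    f"2023-07-12T09:02:20Z|10.1.4.50|graph.microsoft.com|/v1.0/me/drive/items/01ABC/children|{BROWSER}|3310",
    f"2023-07-12T09:02:25Z|10.1.4.50|graph.microsoft.com|/v1.0/me/drive/items/01ABC/content|{BROWSER}|204800",
    f"2023-07-12T09:09:05Z|10.1.4.50|graph.microsoft.com|/v1.0/me/drive/recent|{BROWSER}|8240",
    f"2023-07-12T09:10:00Z|10.1.4.50|graph.microsoft.com|/v1.0/me/drive/root/children|{BROWSER}|15431",
    "2023-07-12T09:00:10Z|10.1.4.23|www.example.com|/index.html|GraphClient/1.0|1024",
    "2023-07-12T09:03:10Z|10.1.4.23|www.example.com|/index.html|GraphClient/1.0|1024",
])


def parse_log(text):
    """Yield one dict per well-formed log line; blank lines are skipped."""
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ts, src, host, path, ua, size = raw.split("|", 5)
        yield {
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": src, "host": host, "path": path, "ua": ua, "bytes": int(size),
        }


def looks_like_browser(ua):
    """Crude UA check; a spoofed UA passes this, which is why timing is primary."""
    return ua.startswith("Mozilla/")


def detect_beacons(records):
    """Return one finding per (client, cloud API host) pair whose inter-request
    gaps are regular enough (low coefficient of variation) to suggest polling."""
    by_pair = defaultdict(list)
    for r in records:
        if r["host"] in CLOUD_API_HOSTS:      # only traffic to the API hosts
            by_pair[(r["src"], r["host"])].append(r)
    findings = []
    for (src, host), reqs in sorted(by_pair.items()):
        if len(reqs) < MIN_REQUESTS:
            continue
        reqs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv > MAX_CV:
            continue
        findings.append({
            "src": src, "host": host, "requests": len(reqs),
            "mean_interval_s": round(avg, 1), "cv": round(cv, 3),
            "browser_ua": all(looks_like_browser(r["ua"]) for r in reqs),
            "paths": sorted({r["path"] for r in reqs}),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_beacons(list(parse_log(SAMPLE_LOG))):
        print(finding)
```

Tune MIN_REQUESTS and MAX_CV against your own baseline: legitimate sync clients also poll on a timer, so a finding is a triage lead to be combined with the app instance, the account and the content of what was downloaded, not a verdict on its own.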
Only by understanding the full threat from cloud services, and their capacity to be turned to the purposes of global state-sponsored threat actors, can organizations keep the genuine business value of these seemingly innocent applications while staying protected against their abuse.