Retour 
One of the advantages of exploiting a cloud service to host the attack infrastructure, is that the threat actors can use either a legitimate compromised account or create a new one specifically for their malicious purposes.
According to researchers at Microsoft, this modus operandi has been used by APT33 (also known as “Peach Sandstorm”), a threat actor believed to operate on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC) in their latest campaign, tracked between April and July 2024 and targeting organizations in the education, satellite, communications equipment, oil and gas, as well as federal and state government sectors in the United States and the United Arab Emirates.
This campaign is characterized by a really interesting attack chain: the threat actors used LinkedIn to gather intelligence on their targets. From there they launched password-spraying attacks to break into their victims’ accounts and deploy a new custom multi-stage backdoor, named Tickler. Finally they leverage compromised user accounts exclusively in the educational sector to procure the operational infrastructure, that is fraudulent, attacker-controlled Azure subscriptions used as the command-and-control (C2) for the Tickler backdoor.
Interestingly, this is not the only example of an Iranian group leveraging Azure for command and control: back in February, researchers from Mandiant exposed UNC1549, another threat actor with ties to the IRGC, targeting aerospace, aviation, and defense industries in the Middle East countries, and leveraging a network of more than 125 Azure command-and-control (C2) subdomains.
Both of these campaigns explain why this trend is becoming increasingly common. Instead of setting up an attack infrastructure with all the related risks of operational mistakes, threat actors can use compromised accounts or spin up their own tenants as needed for their malicious operations. Moreover they can count on a scalable and resilient infrastructure, with the additional advantages that their potential victims trust these applications, and cloud service providers recommend to bypass their traffic (meaning that it’s impossible to detect anomalies or malicious patterns directed to a legitimate service that is bypassed).
Comment Netskope atténue le risque que des services en nuage légitimes soient exploités pour une infrastructure de commandement et de contrôle ?
Microsoft Azure is one of the thousands of cloud services where the Netskope Next Gen SWG can provide adaptive access control, threat protection, and data loss prevention with a granularity that is impossible for any other web security technology. Microsoft Azure is also one of the hundreds of cloud applications for which instance detection is available. In case this service or a similar cloud storage app is exploited to deliver a malicious payload or to host the command and control infrastructure, it is possible to configure a policy for preventing potentially dangerous activities (such as “Upload” and “Download”) for the specific service or the entire category where it belongs (or obviously to block completely the unneeded service). The granular access control can be extended at the level of the single instance, meaning that it is possible to block potentially dangerous activities for non-corporate instances of Azure and hundreds of additional services.
Les clients de Netskope sont également protégés contre les logiciels malveillants distribués à partir du nuage (et du web en général) par Netskope Threat Protection. Netskope Threat Protection analyse le trafic web et cloud pour détecter les menaces connues et inconnues à l'aide d'un ensemble complet de moteurs, notamment l'antivirus basé sur les signatures, les détecteurs d'apprentissage automatique pour les exécutables et les documents Office, et le sandboxing avec la protection patient zéro. Les capacités de protection contre les menaces peuvent être encore améliorées grâce à Netskope Cloud Exchange, qui offre de puissantes intégrations permettant d'optimiser les investissements dans la posture de sécurité des utilisateurs grâce à l'intégration d'outils tiers, tels que les flux de renseignements sur les menaces, la protection des points d'extrémité et les technologies de protection du courrier électronique.
The risk of internal accounts being compromised to launch attacks can be mitigated by Netskope CASB and Netskope Public Cloud Security, respectively for SaaS and IaaS components.
Finally, Netskope Advanced Analytics provides specific dashboards to assess the risk of rogue cloud instances being exploited to deliver malware, but also to provide visibility on the utilization of the corporate instances, with rich details and insights, supporting security teams in the analysis and mitigation/remediation process.
Restez en sécurité !
Lire le blog