Threat actors continue to exploit cloud services for cyber espionage, and a new campaign by a threat cluster named WIP26, discovered recently by researchers at Sentinel One in collaboration with QGroup, targeting telecommunication providers in the Middle East, confirms this trend.
In particular what makes this campaign stand out is the abuse of multiple cloud services in different stages of the kill chain in an attempt to evade detection by making malicious traffic look legitimate, making life harder for defenders. Dropbox and Microsoft Azure are exploited to host and distribute the malware payload (Microsoft Azure is also abused to exfiltrate data), whereas the command and control infrastructure relies on two additional cloud services, Microsoft 365 Mail and Google Firebase. In practice, the campaign is based exclusively on the weaponization of legitimate cloud services. Personally this is the first time I’ve seen four different cloud services exploited in the same campaign.
The initial attack vector involves the delivery of targeted WhatsApp messages containing Dropbox links to archive files that supposedly contain documents on poverty issues in the Middle East, as well as a malware loader masquerading as the PDFelement application. There are two elements in this modus operandi that are normally leveraged by threat actors: it’s easier to trick the victims by delivering the malicious links on a mobile device, and, despite all the warnings, users tend to install applications from any origin, without checking the legitimacy.
The malware loader deploys a backdoor called CMD365, which executes commands from a Microsoft 365 Mail instance using the Microsoft Graph API (a technique used in several cyber espionage campaigns) and exfiltrates data to a Microsoft Azure instance. Among the malware deployed on compromised machines, there is also an additional sample called CMDEmber, which uses Google Firebase as the command and control server.
How Netskope mitigates the risk of legitimate cloud services exploited to deliver malware
Dropbox, Microsoft Azure, Microsoft Office 365 Suite (where Microsoft 365 Mail belongs), and Google Firebase are among the thousands of services where the Netskope Next Gen SWG can provide granular access control, threat protection, and DLP capabilities. Dropbox and the Microsoft applications are also among the hundreds of services for which instance detection is available.
In those cases, where a cloud service is exploited to host the command and control, it is possible to configure a policy that prevents potentially dangerous activities (such as upload and download) for unmanaged cloud services or non-corporate instances of managed cloud services.
To defend against attacks where a legitimate cloud service is exploited to distribute malware, it is possible to configure a policy that prevents potentially dangerous activities (such as download) from non-corporate instances, or in general from any unneeded cloud storage service for the enterprise.
Netskope customers are also protected against malware distributed from a legitimate cloud service and the web in general by Netskope Threat Protection. Netskope Threat Protection scans web and cloud traffic to detect known and unknown threats with a comprehensive set of engines, including signature-based AV, machine learning-based detectors for executables and Office documents, and sandboxing, including patient zero protection.
Netskope Cloud Exchange provides powerful integration tools to leverage investments across their security posture through integration with third-party tools, such as threat intelligence feeds and endpoint detection technologies.
Finally, Netskope Advanced Analytics provides specific dashboards to assess the risk of rogue cloud instances being exploited to deliver malware or becoming the target of anomalous communications, with rich details and insights, supporting security teams in the analysis and mitigation/remediation process.
You can subscribe to the Cloud Threats Memo mailing list at this link.