Hackers Are Increasingly Exploiting Google Cloud and Telegram, Researchers Warn
Cloud services depend on trust, which is why hackers – and particularly state-sponsored attackers – love them.
Microsoft’s OneDrive and Google Cloud increasingly hide malicious activities as hackers count on network defenders to classify traffic with those services as inherently legitimate. The solution, said threat intelligence firm Recorded Future, is to flag or block the unapproved use of any cloud service.
Researchers with the firm’s Insikt team found mounting abuse of commercial cloud offerings perpetrated most often by advanced persistent threat groups aligned with nation-states and to a lesser extent by cybercriminals.
Insikt security researchers analyzed more than 400 current malware families and found that 25% of them – most often information-stealing malware – abuse legitimate cloud services in some capacity, and two-thirds of those abuse more than one such service.
Attackers’ proclivity for “living off trusted sites” is easy to explain: It makes their attempts to exfiltrate data, remotely relay command-and-control instructions or push downloads of malicious payloads to compromised endpoints tougher to spot. Using someone else’s infrastructure is also less expensive for criminals than having to hire their own “bulletproof” hosting services – and oftentimes much easier and quicker to set up.
Cloud storage platforms, and Google Cloud in particular, are the most exploited, followed by messaging services – most often Telegram, including via its API – as well as email services and social media, the researchers found. Examples of other services being abused by attackers include OneDrive, Discord, Gmail SMTP, Mastodon profiles, GitHub, bitcoin blockchain data, the project management tool Notion, malware analysis site VirusTotal, YouTube comments and even Rotten Tomatoes movie review site profiles.
“It is important to note that ransomware campaigns use legitimate cloud storage tools such as mega.io or MegaSync for exfiltration purposes as well,” although the crypto-locking malware itself may not be coded to work directly with legitimate tools, the report says.
Criminals’ choice of service depends on desired functionality. Anyone using an info stealer such as Vidar needs a place to store large amounts of exfiltrated data. The researchers said cloud services’ easy setup for less technically sophisticated users makes them a natural fit for such use cases.
Messaging services such as Telegram and Discord also are frequently used, at least for downloading payloads. Take the WhisperGate wiper malware attributed to Russia’s GRU military intelligence agency and deployed in the days and weeks leading up to the all-out invasion of Ukraine ordered by Moscow last February. In the second stage of a WhisperGate attack, malware on a victim’s system downloaded the final stage of the malware, which was stored on Discord’s content delivery network as a JPEG file, Recorded Future reported last year.
Criminals are also tapping messaging services. Last September, researchers reported that the widely used, pay-per-install malware service PrivateLoader had been downloading payload code as Discord attachments.
Abusing legitimate services isn’t foolproof. Major providers’ threat-hunting teams work overtime to detect malicious use. Researchers regularly track IP addresses being used to resolve malicious links or for data dead drops, and they share this intelligence so illicit use can be blocked.
To blunt the use of legitimate internet services by hackers – whether APT groups or criminals – Recorded Future recommends flagging or at least blocking outright the unapproved use of legitimate internet service as a short-term approach. A long-term strategy involves adding fine-grained defenses that facilitate the legitimate use of these services while blocking attempts to employ them maliciously. In particular, the researchers recommend TLS network interception tools for gaining visibility into encrypted network data, although they caution that such tools need to be backed by policies and procedures to minimize the “privacy and compliance concerns” that accompany decrypting data in transit.
The researchers also recommend regularly running simulated attacks to see if defenses are up to the task of spotting and blocking LIS abuse inside an enterprise.