Cloud Threats Memo: Russian State-sponsored Threat Actors Increasingly Exploiting Legitimate Cloud Services

State-sponsored threat actors continue to exploit legitimate cloud services, and especially one group, the Russian APT29 (also known as Cozy Bear, Cloaked Ursa, BlueBravo, Midnight Blizzard, and formerly Nobelium), seems to be particularly active.

Between March and May 2023, security researchers at Recorded Future’s Insikt Group have unearthed a cyber espionage campaign by the same threat actor allegedly targeting government-sector entities in Europe with interest in Ukraine. Among the noteworthy aspects of this new operation, there is a novel malware variant dubbed GraphicalProton, acting as a loader, staged within an ISO or ZIP file and delivered to the victim to attacker-controlled compromised domains.

Confirming a consolidated modus operandi of the same threat actor, which in past campaigns abused legitimate cloud services, such as Trello, Firebase, and Dropbox, to evade detection, the new loader uses OneDrive for its command and control (C2) infrastructure, and Dropbox as an alternative channel. As the researchers point out, Russian state actors (but not only them) are increasing their efforts to conceal command-and-control network traffic via legitimate internet services and at the same time they are diversifying the number of services being misused in support of this effort. As a result, it is imperative for network defenders to be aware of the possibility for misuse of these services within their enterprise and recognize instances in which they may be used in similar efforts to exfiltrate information.

How Netskope mitigates the risk of legitimate cloud services exploited for malicious purposes

OneDrive and Dropbox are among the thousands of cloud services where the Netskope Next Gen SWG can provide granular access control, threat protection, and DLP capabilities. They are also among the hundreds of cloud services for which instance detection is available. In similar cases where these services are exploited to host a C2 infrastructure, it is possible to configure a policy that prevents potentially dangerous activities (such as “Upload” and “Download”) for these services, or for non-corporate instances only, in case the apps are in use by the organization.

Netskope customers are also protected against malware distributed from a legitimate cloud service and the web in general by Netskope Threat Protection. Netskope Threat Protection scans web and cloud traffic to detect known and unknown threats with a comprehensive set of engines, including signature-based AV, machine learning detectors for executables and Office documents, and sandboxing, including patient zero protection.

Netskope Cloud Exchange provides powerful integration tools to leverage investments across users’ security posture through integration with third-party tools, such as threat intelligence feeds and endpoint detection technologies.

Finally, Netskope Advanced Analytics provides specific dashboards to assess the risk of rogue cloud instances being exploited to deliver malware or the risk of becoming the target of anomalous communications, with rich details and insights, supporting security teams in the analysis and mitigation/remediation process.

Stay safe!