Cloud Threats Memo: Threat Actors Increasingly Exploiting Google Drive

Google Drive continues to be one of the most abused cloud services by threat actors, and the latest edition (April 2023) of the Threat Horizons Report, released by security researchers in Google’s Threat Analysis Group (TAG), shows more interesting examples of how opportunistic and state-sponsored threat actors are exploiting its flagship cloud storage service, to conduct malicious campaigns (and by the way, Netskope Cloud and Threat Report is quoted in the report).

Among the many topics, the researchers highlight that cybercriminals and nation-state threat actors completely understand the value of compromising legitimate websites, since a familiar domain name disarms many of the natural defenses we all have when viewing a suspicious email, and the degree to which it is trusted will often be hard-coded into security systems screening for spam or malware.

In the case of state-sponsored threat actors, a noteworthy example occurred in October 2022, when researchers disrupted a campaign from HOODOO, a Chinese state-sponsored threat actor also known as APT41, targeting a Taiwanese media organization (and previously an Italian job search website). The campaign was carried out by sending phishing emails with links to a password-protected file hosted in Google Drive containing an open source red teaming tool called “Google Command and Control” (GC2), getting commands from Google Sheets to obfuscate the malicious activity, and exfiltrating data, again, to Google Drive. An interesting example of how the flexibility of Google Drive can be leveraged in different stages of the attack, and also how an ethical tool can be weaponized.

In the case of opportunistic cyber criminals, another interesting example was unearthed during Q4 2022, when researchers from Google’s Mandiant observed a campaign distributing the URSNIF banking trojan from Google Drive. Even in this case the threat actors used a phishing email to convince victims to download a password protected ZIP file hosting the malicious content which was then installed on their machine. This technique was refined later in Q4 2022 in a more sophisticated attack chain within a campaign targeting the financial services sector via the DICELOADER malware. In this latter case, the threat actors decoupled the malware executable from the first downloaded ZIP file, since the distribution mechanism involved sending phishing emails with a malicious Google Drive link that downloaded a ZIP file that contained a LNK file. The LNK file then subsequently downloaded and installed a Trojanized Zoom MSI installer, which led to the final DICELOADER infection. Once again, the flexibility of Google Drive was exploited inside a multi-stage attack chain involving also a Trojanized installer of a legitimate and well-known cloud app (Zoom).

How Netskope mitigates the risk of legitimate cloud services exploited by threat actors

Google Drive is among the thousands of services where the Netskope Next Gen SWG can provide granular access control, threat protection, and DLP capabilities and also among the hundreds of services for which instance detection is available.

When a legitimate cloud service, such as Google Drive, is exploited to host the command and control or the data exfiltration infrastructure, it is possible to configure a policy that prevents potentially dangerous activities (such as upload and download) for unmanaged cloud services or non-corporate instances of managed cloud services.

If a legitimate cloud service is exploited to distribute malware, it is possible to configure a policy that prevents potentially dangerous activities (such as download) from non-corporate instances, or in general from any unneeded cloud storage service for the enterprise.

Netskope customers are also protected against malware distributed from a legitimate cloud service and the web in general by Netskope Threat Protection. Netskope Threat Protection scans web and cloud traffic to detect known and unknown threats with a comprehensive set of engines, including signature-based AV, machine learning-based detectors for executables and Office documents, and sandboxing, including patient zero protection.

Netskope Cloud Exchange provides powerful integration tools to leverage investments across their security posture through integration with third-party tools, such as threat intelligence feeds and endpoint detection technologies.

Finally, Netskope Advanced Analytics provides specific dashboards to assess the risk of rogue cloud instances being exploited to deliver malware or becoming the target of anomalous communications, with rich details and insights, supporting security teams in the analysis and mitigation/remediation process.

You can subscribe to the Cloud Threats Memo mailing list at this link.

Stay safe!