Cloud Threats Memo: CloudSorcerer, a Recently Discovered APT, is Exploiting Multiple Legitimate Cloud Services

A recently discovered advanced persistent threat (APT) provides a particularly meaningful example of how multiple cloud services can be combined inside the same attack chain to add layers of sophistication and evasion.

CloudSorcerer is the name that researchers at Kaspersky have coined to describe an advanced threat actor targeting Russian government entities. As the name suggests, one of the characteristics of this APT is the exploitation of multiple legitimate cloud services to host the command and control (C2) infrastructure and the drop zone for the exfiltrated data.

In particular, the C2 module of the malware connects to an apparently legitimate GitHub repository containing forks to three public projects. The devil is in the details, and it is the author section of the page that contains an encoded string. This string is retrieved and decoded by the C2 module of the malware and contains the link to the second stage C2 servers hosted on legitimate cloud services like Microsoft 365, Dropbox, and Yandex Cloud, using the platforms’ API to exfiltrate the data. In simpler terms the process of connecting to the C2 infrastructure consists of two stages, in the first stage GitHub (and mail.ru as a fallback) is used to retrieve the second stage infrastructure hosted on separate legitimate services. A cloud-native version of a well-known technique called Dead Drop Resolver.

How Netskope mitigates the risk of legitimate cloud services exploited for a command and control infrastructure

GitHub, Microsoft 365, Dropbox, and Yandex Cloud are among the thousands of cloud services where the Netskope Next Gen SWG can provide adaptive access control, threat protection, and data loss prevention with a granularity that is impossible for any other web security technology. GitHub, Microsoft 365, and Dropbox are also among the hundreds of cloud applications for which instance detection is available. So, in cases where these services or similar cloud storage apps are exploited by external attackers to deliver a malicious payload or to host the command and control infrastructure (like in case of CloudSorcerer), it is possible to configure a policy for preventing potentially dangerous activities (such as “Upload” and “Download”) from the specific service or the entire category where it belongs (or obviously to block completely the unneeded service). The granular access control can be extended at the level of the single instance for GitHub, Microsoft 365, and Dropbox.

Netskope customers are also protected against malware distributed from the cloud (and the web in general) by Netskope Threat Protection. Netskope Threat Protection scans web and cloud traffic to detect known and unknown threats with a comprehensive set of engines, including signature-based AV, machine learning detectors for executables and Office documents, and sandboxing with patient zero protection. The threat protection capabilities can be further improved through Netskope Cloud Exchange, which provides powerful integrations to leverage investments across users’ security posture through integration with third-party tools, such as threat intelligence feeds, endpoint protection, and email protection technologies.

Finally, Netskope Advanced Analytics provides specific dashboards to assess the risk of rogue cloud instances being exploited to deliver malware or the risk of becoming the target of anomalous communications, with rich details and insights, supporting security teams in the analysis and mitigation/remediation process.

Stay safe!