Cloud Threats Memo: Iranian Threat Actors Continue to Exploit Azure

One of the advantages of exploiting a cloud service to host the attack infrastructure, is that the threat actors can use either a legitimate compromised account or create a new one specifically for their malicious purposes. 

According to researchers at Microsoft, this modus operandi has been used by APT33 (also known as “Peach Sandstorm”), a threat actor believed to operate on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC) in their latest campaign, tracked between April and July 2024 and targeting organizations in the education, satellite, communications equipment, oil and gas, as well as federal and state government sectors in the United States and the United Arab Emirates.

This campaign is characterized by a really interesting attack chain: the threat actors used LinkedIn to gather intelligence on their targets. From there they launched password-spraying attacks to break into their victims’ accounts and deploy a new custom multi-stage backdoor, named Tickler. Finally they leverage compromised user accounts exclusively in the educational sector to procure the operational infrastructure, that is fraudulent, attacker-controlled Azure subscriptions used as the command-and-control (C2) for the Tickler backdoor.

Interestingly, this is not the only example of an Iranian group leveraging Azure for command and control: back in February, researchers from Mandiant exposed UNC1549, another threat actor with ties to the IRGC, targeting aerospace, aviation, and defense industries in the Middle East countries, and leveraging a network of more than 125 Azure command-and-control (C2) subdomains.

Both of these campaigns explain why this trend is becoming increasingly common. Instead of setting up an attack infrastructure with all the related risks of operational mistakes, threat actors can use compromised accounts or spin up their own tenants as needed for their malicious operations. Moreover they can count on a scalable and resilient infrastructure, with the additional advantages that their potential victims trust these applications, and cloud service providers recommend to bypass their traffic (meaning that it’s impossible to detect anomalies or malicious patterns directed to a legitimate service that is bypassed).

How Netskope mitigates the risk of legitimate cloud services exploited for a command and control infrastructure

Microsoft Azure is one of the thousands of cloud services where the Netskope Next Gen SWG can provide adaptive access control, threat protection, and data loss prevention with a granularity that is impossible for any other web security technology. Microsoft Azure is also  one of the hundreds of cloud applications for which instance detection is available. In case this service or a similar cloud storage app is exploited to deliver a malicious payload or to host the command and control infrastructure, it is possible to configure a policy for preventing potentially dangerous activities (such as “Upload” and “Download”) for the specific service or the entire category where it belongs (or obviously to block completely the unneeded service). The granular access control can be extended at the level of the single instance, meaning that it is possible to block potentially dangerous activities for non-corporate instances of Azure and hundreds of additional services.

Netskope customers are also protected against malware distributed from the cloud (and the web in general) by Netskope Threat Protection. Netskope Threat Protection scans web and cloud traffic to detect known and unknown threats with a comprehensive set of engines, including signature-based AV, machine learning detectors for executables and Office documents, and sandboxing with patient zero protection. The threat protection capabilities can be further improved through Netskope Cloud Exchange, which provides powerful integrations to leverage investments across users’ security posture through integration with third-party tools, such as threat intelligence feeds, endpoint protection, and email protection technologies.

The risk of internal accounts being compromised to launch attacks can be mitigated by Netskope CASB and Netskope Public Cloud Security, respectively for SaaS and IaaS components.

Finally, Netskope Advanced Analytics provides specific dashboards to assess the risk of rogue cloud instances being exploited to deliver malware, but also to provide visibility on the utilization of the corporate instances, with rich details and insights, supporting security teams in the analysis and mitigation/remediation process.

Stay safe!