One of the advantages of exploiting a cloud service to host the attack infrastructure, is that the threat actors can use either a legitimate compromised account or create a new one specifically for their malicious purposes.
According to researchers at Microsoft, this modus operandi has been used by APT33 (also known as “Peach Sandstorm”), a threat actor believed to operate on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC) in their latest campaign, tracked between April and July 2024 and targeting organizations in the education, satellite, communications equipment, oil and gas, as well as federal and state government sectors in the United States and the United Arab Emirates.
This campaign is characterized by a really interesting attack chain: the threat actors used LinkedIn to gather intelligence on their targets. From there they launched password-spraying attacks to break into their victims’ accounts and deploy a new custom multi-stage backdoor, named Tickler. Finally they leverage compromised user accounts exclusively in the educational sector to procure the operational infrastructure, that is fraudulent, attacker-controlled Azure subscriptions used as the command-and-control (C2) for the Tickler backdoor.
Interestingly, this is not the only example of an Iranian group leveraging Azure for command and control: back in February, researchers from Mandiant exposed UNC1549, another threat actor with ties to the IRGC, targeting aerospace, aviation, and defense industries in the Middle East countries, and leveraging a network of more than 125 Azure command-and-control (C2) subdomains.
Both of these campaigns explain why this trend is becoming increasingly common. Instead of setting up an attack infrastructure with all the related risks of operational mistakes, threat actors can use compromised accounts or spin up their own tenants as needed for their malicious operations. Moreover they can count on a scalable and resilient infrastructure, with the additional advantages that their potential victims trust these applications, and cloud service providers recommend to bypass their traffic (meaning that it’s impossible to detect anomalies or malicious patterns directed to a legitimate service that is bypassed).
Como a Netskope reduz o risco de serviços legítimos de nuvem explorados para uma infraestrutura de comando e controle
Microsoft Azure is one of the thousands of cloud services where the Netskope Next Gen SWG can provide adaptive access control, threat protection, and data loss prevention with a granularity that is impossible for any other web security technology. Microsoft Azure is also one of the hundreds of cloud applications for which instance detection is available. In case this service or a similar cloud storage app is exploited to deliver a malicious payload or to host the command and control infrastructure, it is possible to configure a policy for preventing potentially dangerous activities (such as “Upload” and “Download”) for the specific service or the entire category where it belongs (or obviously to block completely the unneeded service). The granular access control can be extended at the level of the single instance, meaning that it is possible to block potentially dangerous activities for non-corporate instances of Azure and hundreds of additional services.
Os clientes da Netskope também estão protegidos contra malware distribuído a partir da nuvem (e da Web em geral) pelo Netskope Threat Protection. O Netskope Threat Protection verifica o tráfego da Web e da nuvem para detectar ameaças conhecidas e desconhecidas com um conjunto abrangente de mecanismos, incluindo AV baseado em assinatura, detectores de aprendizado de máquina para executáveis e documentos do Office e sandboxing com proteção paciente zero. Os recursos de proteção contra ameaças podem ser aprimorados ainda mais com o Netskope Cloud Exchange, que oferece integrações avançadas para alavancar os investimentos na postura de segurança dos usuários por meio da integração com ferramentas de terceiros, como feeds de inteligência contra ameaças, proteção de terminais e tecnologias de proteção de e-mail.
The risk of internal accounts being compromised to launch attacks can be mitigated by Netskope CASB and Netskope Public Cloud Security, respectively for SaaS and IaaS components.
Finally, Netskope Advanced Analytics provides specific dashboards to assess the risk of rogue cloud instances being exploited to deliver malware, but also to provide visibility on the utilization of the corporate instances, with rich details and insights, supporting security teams in the analysis and mitigation/remediation process.
Fique seguro!