Threat actors are abusing legitimate cloud services such as OneDrive and Google Drive to carry out attacks while blending in with normal traffic.
Cloud services look safe, effectively limitless, and present themselves as a fortified place for all your data. They are genuinely good at storing photos, videos, software and documents, many applications run from the cloud and keep their customer data there, and most companies are migrating to it, partially or completely. But the cloud is not beyond the reach of cybercriminals, who go wherever the data is. They have now found a way to turn established, popular cloud services into attack infrastructure.
One industry article reported a significant rise in cloud-based attacks, with some categories growing by almost 55% between 2022 and 2023.
What are cloud services?
Cloud services deliver infrastructure, platforms or software to customers over the internet, so that the provider, not the customer, runs the underlying servers and storage. Google Drive is one example: a cloud file-storage platform that lets users store, share and collaborate on files from multiple devices. Over 2 billion active users have signed up for Google Drive. Another giant is Microsoft's OneDrive, which offers much the same feature set in free and paid tiers: saving documents, sharing and collaborating in real time, and syncing between the cloud and the desktop. pCloud, Box and Canto are a few more names companies use heavily to manage data across their workforce.
Cybercriminals bank on the trust of cloud service brands
Cybercriminals have started using popular services like Google Drive, OneDrive and Dropbox to run their operations, rather like a burglar working out of a neighbor's house: the address is respectable, so nobody looks twice. Because these services are so common, malicious use is hard to tell apart from legitimate use. And it is not just storage. Attackers use the cloud to distribute malware, to control compromised machines, and even to mine cryptocurrency without anyone noticing.
Because these services are trusted, it is harder for potential victims to spot when something is wrong. It is hiding in plain sight, and it is cheaper and easier than standing up dedicated attacker infrastructure.
According to an article by Spacelift, 96% of companies use the public cloud.
Symantec's Threat Hunter Team recently documented several groups doing exactly this and presented the findings at Black Hat USA 2024 in Las Vegas. The cases below are drawn from that research.
The GoGra Menace
GoGra is a backdoor written in Go. It was deployed against a large media organization in South Asia in November 2023. GoGra uses the Microsoft Graph API to read an Outlook mailbox: it looks for messages from a user named "FNU LNU" whose subject line begins with "Input", decrypts the command in the message body, executes it, encrypts the output, and mails the result back to the same account with a subject line beginning with "Output". From the network's point of view, every exchange is a TLS session with graph.microsoft.com, indistinguishable from ordinary Outlook traffic; the only thing that stands out is which process is doing the talking.
Symantec attributes GoGra to Harvester, a nation-state-backed group known for targeting South Asian organizations. The attribution rests on similarities between GoGra and an earlier Harvester tool called Graphon: both use the Microsoft Graph API for command and control, although Graphon is written in .NET and uses different encryption and command formats.
The Google Drive attack
Google Drive serves just as well. Firefly, a cyber-espionage group, recently targeted a military organization in Southeast Asia. It used a publicly available Google Drive client wrapped in a Python script to exfiltrate data from the victim: the tool scanned the System32 directory for files with a .jpg extension and uploaded them to a Google Drive account using a hard-coded refresh token. A refresh token grants long-lived access to an account without an interactive login, which is why automated tooling, malicious or not, favors it. Note that the account receiving the uploads is presumably the attacker's own, so data-loss controls configured on the victim's cloud tenant never see the traffic; only a network-level control that distinguishes the organization's tenant from everyone else's would.
The stolen material was not actually image data. It had been packaged into RAR archives and renamed with a .jpg extension, so that the collector would pick the files up and so that they would look like harmless photos in transit. The packaging was presumably done manually or with a separate tool.
The haul was substantial: meeting notes, call transcripts, building plans, email folders and financial data, material that can be used for intelligence gathering, blackmail, or compromising future operations.
Google Drive here is a drop box for stolen data, and the same authenticated channel could just as easily carry tasking in the other direction.
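The .jpg-named archives above are a good illustration of why a file's extension is not evidence of anything. The following is an added example, not code from the page or from any of the tools it describes: it checks the leading bytes of each file against a short table of known format signatures and reports files whose content does not match their name. The signature and extension tables are a starting point to extend, and the sample files are constructed inline rather than taken from a real system.

```python
"""Flag files whose content does not match their extension.

Added example (not code from the page or from any malware family it
describes). A magic-byte check catches archives renamed to .jpg
regardless of what they are called. Sample files are constructed inline.
"""
from typing import Dict, List, Optional, Set, Tuple

# Leading bytes ("magic numbers") of a few common formats.
MAGIC: Dict[str, List[bytes]] = {
    "jpg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "rar": [b"Rar!\x1a\x07\x00",        # RAR 4.x
            b"Rar!\x1a\x07\x01\x00"],   # RAR 5.x
    "zip": [b"PK\x03\x04"],
    "7z":  [b"7z\xbc\xaf\x27\x1c"],
}

# Extensions under which each content type is legitimately found.
EXPECTED_EXT: Dict[str, Set[str]] = {
    "jpg": {"jpg", "jpeg"},
    "png": {"png"},
    "rar": {"rar"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},  # OOXML and JAR are zip containers
    "7z":  {"7z"},
}


def sniff(data: bytes) -> Optional[str]:
    """Return the content type implied by the leading bytes, or None if unknown."""
    for kind, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def check_file(name: str, data: bytes) -> Tuple[str, Optional[str], bool]:
    """Return (extension, sniffed type, mismatch?).

    Unknown content is never reported as a mismatch: the check only
    speaks when it positively recognizes the format.
    """
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = sniff(data)
    if kind is None:
        return ext, None, False
    return ext, kind, ext not in EXPECTED_EXT[kind]


def find_disguised(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each mismatching file name to a short description of the mismatch."""
    hits: Dict[str, str] = {}
    for name, data in files.items():
        ext, kind, bad = check_file(name, data)
        if bad:
            hits[name] = f"extension .{ext} but content is {kind}"
    return hits


# Constructed samples standing in for files found in a System32 directory.
SAMPLE_FILES: Dict[str, bytes] = {
    "IMG_4471.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 8,  # genuine JPEG header
    "IMG_4472.jpg": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16,          # RAR5 archive named .jpg
    "IMG_4473.jpg": b"PK\x03\x04\x14\x00" + b"\x00" * 16,            # ZIP archive named .jpg
    "report.docx":  b"PK\x03\x04\x14\x00" + b"\x00" * 16,            # zip container, legitimately
    "notes.txt":    b"meeting at 10:00",                             # unknown type, ignored
}

if __name__ == "__main__":
    for name, why in find_disguised(SAMPLE_FILES).items():
        print(f"{name}: {why}")
```

Run against a real directory, read the first 16 bytes of each file rather than the whole thing; the check is cheap enough to run over a whole host. Unknown formats are deliberately not reported, so the output is a list of positive mismatches rather than a list of everything that is not a JPEG.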
According to Virtana, 80% of organizations use more than one public or private cloud.
Grager
Another cloud-abusing backdoor, Grager, was discovered in April 2024 targeting organizations in Taiwan, Hong Kong and Vietnam. It is notable for leaning almost entirely on legitimate software and services.
The infection chain works like this:
The attackers set up a lookalike website for the well-known file archiver 7-Zip, reachable through a typosquatted URL. A user who is not careful about where the download comes from gets a dropper instead of the real installer. The dropper does install 7-Zip, so nothing looks wrong, but it also writes an encrypted file, data.dat, and a malicious DLL named epdevmgr.dll, which together carry the Grager backdoor.
Grager then uses the Microsoft Graph API to talk to a command-and-control server hosted on OneDrive for Business. Through that channel the operators can collect system details such as the username, IP address and hard drive information, upload and download files, and execute commands on the host. Security analysts suspect UNC5330, a group thought to be linked to China, is behind the campaign; the group has used similar tactics in earlier incidents.
MoonTag: A Work-in-Progress Backdoor
MoonTag is a cloud-based backdoor still under development, but even the unfinished builds show dangerous potential. Researchers have recovered several versions and concluded the following:
Building Blocks:
MoonTag appears to be built on code that was publicly shared online, so its authors did not start from scratch, which makes building the backdoor considerably easier.
Cloud Connection:
Like the other families above, MoonTag communicates with its command-and-control server through Microsoft's Graph API, letting the operators control the infected computer remotely over traffic that looks like ordinary Microsoft 365 activity.
Possible Link to Sabre Panda:
While there’s no concrete evidence yet, MoonTag shares some similarities with malware used by a hacking group called Sabre Panda. This suggests a potential connection, but more investigation is needed.
Chinese Connection:
The authors of MoonTag are likely Chinese speakers, based on the language used in the borrowed code and other clues in the operation.
MoonTag is still under construction, but it is worth tracking: attackers refine their tooling continuously, and the Graph API channel it is being built around is the same one GoGra and Grager already use in the wild.
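GoGra, Grager and MoonTag all carry their command traffic over Microsoft Graph, and Firefly uploads to Google Drive. Those endpoints are legitimately busy on every corporate network, so the destination alone is never a verdict; what is unusual is the process behind the connection. The following is an added example, not code from the page or from Symantec, of the hunt a defender would run over EDR network-connection telemetry. The CSV layout, the endpoint list and the baseline of permitted process images are assumptions to tune per environment, and the sample log, including the temp-directory "7z2301-x64.exe" that stands in for a trojanized installer, is constructed rather than a real capture.

```python
"""Hunt for unexpected processes talking to cloud service APIs.

Added example, not code from the page or from Symantec. The log format,
endpoint list and process baseline are assumptions; the sample log below
is constructed, not a real capture.
"""
import csv
import io
import re
from collections import defaultdict
from typing import Dict, List

# Cloud API endpoints worth watching (assumed list; extend as needed).
CLOUD_API_HOSTS = {
    "graph.microsoft.com": "Microsoft Graph",
    "login.microsoftonline.com": "Microsoft identity platform",
    "www.googleapis.com": "Google APIs (Drive)",
    "oauth2.googleapis.com": "Google OAuth",
    "api.dropboxapi.com": "Dropbox API",
}

# Process images expected to reach those endpoints (assumed baseline).
BASELINE_IMAGES = {
    "outlook.exe", "onedrive.exe", "teams.exe", "ms-teams.exe",
    "msedge.exe", "chrome.exe", "firefox.exe", "excel.exe", "winword.exe",
}

# Locations an ordinary user can write to; a network-active binary there deserves a look.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\temp\\|\\programdata\\|\\downloads\\", re.I)


def hunt(log_text: str) -> List[Dict]:
    """Group non-baseline connections to cloud APIs by (host, image, destination)."""
    groups = defaultdict(lambda: {"count": 0, "users": set()})
    for row in csv.DictReader(io.StringIO(log_text.strip())):
        dest = row["dest_host"].strip().lower()
        if dest not in CLOUD_API_HOSTS:
            continue                       # not a cloud API endpoint we track
        image = row["image_path"].strip()
        basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename in BASELINE_IMAGES:
            continue                       # expected client for this endpoint
        key = (row["host"].strip(), image, dest)
        groups[key]["count"] += 1
        groups[key]["users"].add(row["user"].strip())

    findings = []
    for (host, image, dest), info in groups.items():
        reasons = [f"not a baseline client for {CLOUD_API_HOSTS[dest]}"]
        if USER_WRITABLE.search(image):
            reasons.append("image runs from a user-writable path")
        if info["count"] >= 3:
            reasons.append(f"{info['count']} connections in window (possible beaconing)")
        findings.append({
            "host": host, "image": image, "dest": dest,
            "count": info["count"], "users": sorted(info["users"]),
            "severity": "high" if len(reasons) >= 2 else "medium",
            "reasons": reasons,
        })
    # Highest severity first, then by connection count.
    findings.sort(key=lambda f: (f["severity"] != "high", -f["count"]))
    return findings


# Constructed sample of an EDR network-connection export (not real telemetry).
SAMPLE_LOG = r"""timestamp,host,image_path,user,dest_host,dest_port
2024-05-02T08:01:12Z,WS-0142,C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE,jdoe,graph.microsoft.com,443
2024-05-02T08:01:40Z,WS-0142,C:\Users\jdoe\AppData\Local\Temp\7z2301-x64.exe,jdoe,graph.microsoft.com,443
2024-05-02T08:02:40Z,WS-0142,C:\Users\jdoe\AppData\Local\Temp\7z2301-x64.exe,jdoe,graph.microsoft.com,443
2024-05-02T08:03:40Z,WS-0142,C:\Users\jdoe\AppData\Local\Temp\7z2301-x64.exe,jdoe,graph.microsoft.com,443
2024-05-02T08:05:03Z,WS-0207,C:\Program Files\Google\Chrome\Application\chrome.exe,asmith,www.googleapis.com,443
2024-05-02T08:07:44Z,WS-0207,C:\Program Files\Python311\pythonw.exe,asmith,www.googleapis.com,443
2024-05-02T08:09:00Z,WS-0301,C:\Program Files\Microsoft OneDrive\OneDrive.exe,mlee,graph.microsoft.com,443
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['host']} {f['image']} -> {f['dest']} x{f['count']}")
        for r in f["reasons"]:
            print("   -", r)
```

On the constructed log the hunt returns two findings: a high-severity one for the temp-directory binary beaconing to Microsoft Graph three times, and a medium-severity one for a Python interpreter reaching the Google APIs once. The second is exactly the shape of the Firefly tooling and also of plenty of legitimate automation, which is why the baseline is a per-environment decision and why the output is ranked rather than binary.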
The Allure of the Cloud for Cybercriminals
Trusted cloud services give attackers a credible platform. Traffic to Microsoft Graph or Google's APIs is expected on almost every corporate network, is encrypted in transit, and is rarely blocked, so destination-based controls and domain reputation offer little. The services also provide practically unlimited storage and compute, enabling attackers to park large volumes of stolen data and process it efficiently, and the same sharing and collaboration features that make them convenient for employees make them convenient for distributing malware, phishing links and stolen data. Compared with maintaining their own infrastructure, using a cloud service is also significantly cheaper for the criminal, and it carries none of the registration and hosting trail that dedicated infrastructure leaves behind.
How to Be Safe from Cloud-Based Cyber Attacks
The cloud has changed the way we work and live, and that same frontier opens up a host of cybersecurity challenges. The following steps can help you and your organization guard against cloud-based attacks:
Educate Your Staff
Any company that depends on the cloud should train its staff on how cloud services are abused. Employees should know to download software only from the vendor's official site rather than a lookalike, and the organization should back that up with download policies and firewall rules. Most importantly, the training should be regular, so that staff keep recognizing phishing attempts, weak passwords and the other common threats as they evolve.
Establish Good Security Practices
It goes without saying that passwords should be strong and unique and should be backed by multi-factor authentication. Keep operating systems and applications current and licensed so that security patches actually arrive. Take regular backups so that if a breach occurs you still have a recent copy of your data.
Access has been compromised in cases where too few security layers were in place. An incident response plan should exist before that happens, not be improvised afterwards.
Utilize the Available Features of Cloud Security
Cloud services ship with their own security controls; use them, and follow the practices and standards the Cloud Security Alliance publishes for your industry. Monitor and control cloud usage with a CASB and deploy DLP to identify and block sensitive-data exfiltration. The attacks above suggest two more controls worth prioritizing: restrict which processes and identities may reach cloud APIs at all, and alert on authenticated connections to those APIs that go to accounts outside the tenant you own, because an attacker's OneDrive or Google account is invisible to the DLP policies configured on yours.
Keep Current with Threats
Finally, stay current on the latest threats and attack vectors. Audit your cloud security posture periodically with vulnerability assessments and penetration tests.
Conclusion:
Cybersecurity is a process, and security practices have to adapt as threats evolve. Following the guidelines above will lower the likelihood and the impact of cloud-based cyber-attacks.