Cloud Security , Security Operations

Warning: Attackers Abusing Legitimate Internet Services

Hackers Are Increasingly Exploiting Google Cloud and Telegram, Researchers Warn
Warning: Attackers Abusing Legitimate Internet Services
Image: Shutterstock

Cloud services depend on trust, which is why hackers - and particularly state-sponsored attackers - love them.

See Also: OnDemand | Secure Your Applications: Learn How to Prevent AI-Generated Code Risk

Microsoft's OneDrive and Google Cloud increasingly hide malicious activities as hackers count on network defenders to classify traffic with those services as inherently legitimate. The solution, said threat intelligence firm Recorded Future, is to flag or block the unapproved use of any cloud service.

Researchers with the firm's Insikt team found mounting abuse of commercial cloud offerings perpetrated most often by advanced persistent threat groups aligned with nation-states and to a lesser extent by cybercriminals.

Insikt security researchers analyzed more than 400 current malware families and found that 25% of them - most often information-stealing malware - abuse legitimate cloud services in some capacity, and two-thirds of those abuse more than one such service.

Attackers' proclivity for "living off trusted sites" is easy to explain: It makes their attempts to exfiltrate data, remotely relay command-and-control instructions or push downloads of malicious payloads to compromised endpoints tougher to spot. Using someone else's infrastructure is also less expensive for criminals than having to hire their own "bulletproof" hosting services - and oftentimes much easier and quicker to set up.

Cloud storage platforms, and Google Cloud in particular, are the most exploited, followed by messaging services - most often Telegram, including via its API - as well as email services and social media, the researchers found. Examples of other services being abused by attackers include OneDrive, Discord, Gmail SMTP, Mastodon profiles, GitHub, bitcoin blockchain data, the project management tool Notion, malware analysis site VirusTotal, YouTube comments and even Rotten Tomatoes movie review site profiles.

"It is important to note that ransomware campaigns use legitimate cloud storage tools such as or MegaSync for exfiltration purposes as well," although the crypto-locking malware itself may not be coded to work directly with legitimate tools, the report says.

Criminals' choice of service depends on desired functionality. Anyone using an info stealer such as Vidar needs a place to store large amounts of exfiltrated data. The researchers said cloud services' easy setup for less technically sophisticated users makes them a natural fit for such use cases.

Messaging services such as Telegram and Discord also are frequently used, at least for downloading payloads. Take the WhisperGate wiper malware attributed to Russia's GRU military intelligence agency and deployed in the days and weeks leading up to the all-out invasion of Ukraine ordered by Moscow last February. In the second stage of a WhisperGate attack, malware on a victim's system downloaded the final stage of the malware, which was stored on Discord's content delivery network as a JPEG file, Recorded Future reported last year.

Criminals are also tapping messaging services. Last September, researchers reported that the widely used, pay-per-install malware service PrivateLoader had been downloading payload code as Discord attachments.

Abusing legitimate services isn't foolproof. Major providers' threat-hunting teams work overtime to detect malicious use. Researchers regularly track IP addresses being used to resolve malicious links or for data dead drops, and they share this intelligence so illicit use can be blocked.

To blunt the use of legitimate internet services by hackers - whether APT groups or criminals - Recorded Future recommends flagging or at least blocking outright the unapproved use of legitimate internet service as a short-term approach. A long-term strategy involves adding fine-grained defenses that facilitate the legitimate use of these services while blocking attempts to employ them maliciously. In particular, the researchers recommend TLS network interception tools for gaining visibility into encrypted network data, although they caution that such tools need to be backed by policies and procedures to minimize the "privacy and compliance concerns" that accompany decrypting data in transit.

The researchers also recommend regularly running simulated attacks to see if defenses are up to the task of spotting and blocking LIS abuse inside an enterprise.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.