CyberWire Daily - Google Drive used for malware? [Research Saturday]
Episode Date: October 8, 2022
Jen Miller-Osborn from Palo Alto Networks' Unit 42 joins Dave to discuss their recent work on "Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive." The research shares insight into an active campaign from Russia's Foreign Intelligence Service that is leveraging trusted, legitimate cloud services, including Google Drive, as a staging platform to deliver malware. The research states that when these tactics are used, it is extremely difficult for organizations to detect the malicious activity in connection with the campaign. These tactics are used to collect victim information, evade detection, and deliver Cobalt Strike. The research can be found here: Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation
with researchers and analysts,
tracking down the threats and vulnerabilities,
solving some of the hard problems of protecting ourselves
in a rapidly evolving cyberspace.
Thanks for joining us.
We were actually following up and along with some other activity that this group, we call them Cloaked Ursa.
They're also known as APT29, Nobelium, or Cozy Bear, depending on which nomenclature you're more familiar with.
That's Jen Miller-Osborn. She's Deputy Director of Threat Intelligence with Palo Alto Networks' Unit 42.
The research we're discussing today is titled Russian APT29 Hackers Use Online Storage Services, Dropbox and Google Drive.
They're one of the more dangerous APT groups that are out there.
They have long been considered to be affiliated with the Russian government.
And they are responsible for some very long-range impact attacks,
such as SolarWinds has been attributed to them.
And even before that, the hack of the United States Democratic
National Committee in 2016 was also attributed to this group. So it's one that we pay a lot of
attention to. And this use and abuse of different cloud and social media hosting services, we've
been seeing them used quite a bit, especially the last year or two, in an effort to try to use the reputations of those services to get past potential blocks on where their malware could be hosted or pulled down from.
trusted if it's coming from there, and everyone uses it for so many things, and it requires a secondary component for really scanning kind of what the different potential packages could be. But we found this follow-on with Dropbox as we've been following them, because they had been very active this past year. They're actually still active; there's been some recent activity attributed to them even since we were talking about it. It was more of a natural evolution, kind of, as we were following them to see them abusing
yet another cloud service. And we wanted to make sure that as when some other organizations
discovered them abusing other services, that that was highlighted because it is something
they're using to try to take advantage of those trusted reputations.
Yeah.
And I suppose just to make it crystal clear here, I mean, is it that it's difficult for an organization to block Google Drive or Dropbox or Microsoft Azure?
Any of these big cloud services because they are so broad and so vast and indeed folks rely on them for a lot of the business they do
day to day. Exactly. And that's why we're seeing these attack campaigns, especially some that are
more technical, where they can encrypt their payloads or make them look more legitimate.
So that makes it a challenge even for those services to find this malware. And to your
point, it's impossible to have as an organization,
even as a person, just trying to operate,
I think, on the internet in this day and age,
you have to access Google Drive and Dropbox and Azure.
That's just kind of,
I don't want to say the cost of doing business,
but just the reality of, you know,
this increasingly interconnected world.
Well, let's go through what you all were tracking here together.
Can you walk us through the campaigns?
Sure.
So we've been tracking a couple of campaigns as well as some other organizations.
And when we started pivoting around looking for some similar ones,
that's where we stumbled upon what we found. A few weeks after another
organization reported on them abusing Dropbox, we identified them doing another campaign.
This time, this was targeting a NATO country in Europe, and they were using what appears to be a
legitimate invitation that they found for an upcoming meeting with an ambassador in Portugal.
Interestingly, we saw them send the same attachment twice, which isn't something we see necessarily.
The only real key that this was honestly not legitimate, obviously, was there was a typo in the email for how it would have been addressed for the actual
common parlance. But we saw them still abusing and continuing to abuse Dropbox, and they're
also being attentive to the malware that they're using that's being served. For the one case
that we observed in particular, the malware that was served to the victim was last modified only about two hours before the actual spear phishing message was sent to the target.
So you can see they're paying close attention and doing some level of customization and also making it difficult to detect these.
They're not letting their malware just sit out there for people to find or researchers
to potentially poke at. They're being very judicious about when it's actually available
for a victim to pull down. Yeah. I mean, talk about spear phishing indeed. That's highly
targeted, it seems. Yes. And they are known for being very highly targeted. This is kind of their
bread and butter, in particular with diplomatic missions. They have been targeting diplomatic missions since at least 2008. So they've had a lot of time to work on
their social engineering. So let's dig into some of the details here. I mean, let's say I'm someone
who they're targeting here and I'm going about my day minding my own business and I get this
email that seems to come from the
Portuguese embassy and that's something that I think I'm interested in, what happens next?
So if you opened the email with the weaponized attachment, it would install itself on your system
and then it would start to begin looking for the second stage to pull down, which would be calling out to
a Dropbox or a similar kind of cloud hosting provider. So there's that level still of removal
where the first stage malware is on a system, but now to get the second stage, there has to be a
successful interaction with the C2 server before that will then be pulled down. And we see that
quite a bit.
We're increasingly seeing that across all attackers, but we definitely see that a lot with
more espionage-motivated attackers where they try to be careful that it's not a researcher like me
that they've accidentally compromised or has somehow gotten in the way so I can get more
of their custom malware. They check to make sure that it's the victim that they wanted before serving it.
You know, because the harder it is for researchers to get a hold of custom malware,
the more difficult it is for us to signature it.
And with some of the really advanced groups we see,
especially for their second, third stage malware,
they're very, very careful about when they serve that out
because they want
it to last as long as possible.
So if I get that second stage sent to me, do I need to interact with it to get it to run,
or is it all happening automatically behind the scenes?
Oh, it's all automatic at that point.
Once you open the email, they are off to the races without any help from you.
And what are they after here?
missions and potentially negotiations that are going on, which is a target that we have seen them
go after consistently over the years. The interesting things that we have seen is it
looks like we saw a bit of a shift towards some Western diplomatic missions between May and June,
but when you look at the geopolitics between May and June, that also would make sense from a
prioritization and a targeting perspective where you'd expect to see an actor that is serving the
Russian government targeting areas and diplomatic missions where there's a lot of, you know,
tension or potential activity going on during those timeframes.
One of the campaigns that you all outlined here seems to be going after folks in a foreign embassy in Brazil.
It caught my eye that, I guess, on the main page of this email,
they misspelled Brazil.
That would strike me as a red flag to Brazilian citizens,
but perhaps I'm getting ahead of myself.
Nope, little things like that.
Yeah,
we just continue. And that points to that there are humans involved in this, right? And sometimes they make mistakes, but there'll be a little typo. It was the same with the other one where it was
one little thing. And that was a key to us that, oh, that doesn't look quite right. And same if
it's coming from your embassy and they're misspelling your country, or it's coming from any embassy and they're misspelling their own country. Yeah,
I think that would be worth checking into maybe before you clicked on everything.
Yeah. I mean, it's sort of a fascinating contrast, isn't it? Because on the one hand,
we can see how deliberate and careful and targeted they are, and yet something like this slips by.
Yep. And sometimes that's because
there's different people responsible for it. The people that are carrying out the technical
access components are not necessarily the people who are crafting and sending the spear phishing
messages. So there can be a gap in ability there. One of the things you highlight is a tool called EnvyScout. What exactly is going on with that?
EnvyScout is essentially a dropper for additional malicious files that they might want to install on a network.
And it can be customized to install or beacon out to install whatever the attackers want.
So it's a very lightweight, very small piece of malware.
And it's a great way for the attackers to be able to customize and potentially change out
what the actual malware is that they deliver to the network. In this case, we also saw them
using the perennial favorite of all hackers, it seems these days, which was Cobalt Strike.
And that's definitely something that's making it more difficult for defenders
because we see everyone from ransomware actors
all the way through these sophisticated nation-state attackers like Cloaked Ursa
all using that same tool, Cobalt Strike. From a defense perspective,
until we can get additional malware, another second
stage, another third stage, where it's more customized to a group, this could be anyone,
and it makes it very difficult for defenders to prioritize how they're going to respond to it,
because getting Cobalt Strike beacons from your network is becoming increasingly common
and you don't have any way of telling,
unless you have the additional malware,
Who is this?
Is this Cloaked Ursa
where I need to pay attention immediately
because if they have Cobalt Strike
on one of my machines,
they could, within the next 10, 20 minutes,
they could own an entire domain server?
Or is this a coin miner
where, yes, I want to get to it,
but I don't need to call people in over the weekend to do it.
Yeah, that's fascinating.
Are there any other technical aspects of this report
that you think are worth pointing out
or drawing attention to that people should know about?
In particular, Cobalt Strike,
for those that are still struggling with defenses against that,
it is just, it's critical.
It's not something that organizations can kind of look at as something to be down the road. There's
too many different attackers all exploiting it for it to not be prioritized at this point, because
much as the current environment is very similar to, it's not really an if, it's a when you're
going to be compromised. When it comes to seeing Cobalt Strike in your environment, it's not really an if, it's a when you're going to see Cobalt Strike.
And hopefully it will be for something that isn't incredibly serious. It won't be a group like
Cloaked Ursa, but it could be. And that's going to be a very bad day for any of those organizations.
You know, usually we talk about protections and mitigations and we'll do
that, but it strikes me that when you're dealing with an organization that is this targeted, that
is this specific in their targets, does that even apply? What are the odds that someone at any
random organization is going to find themselves in a group like this as crosshairs?
It depends on the organization. If you fit their kind of targeting and profile,
then if you haven't already, hopefully that's accurate.
And if you have, then you've already recognized how very sophisticated some of these groups are
such as this and how very quickly they can move around an environment
and you recognize that it's something you need to be protected against.
This group is another reason we really talk a lot about the zero trust concept,
as that term comes around again, becoming increasingly critical
because you have groups like this who are incredibly technical,
who will take advantage of supply chain and trusted relationships, who will take advantage of legitimate cloud hosting services
and social media platforms, and who can get away with it successfully because they are very
technically skilled. And you need to recognize that from the defense standpoint and be able to
react accordingly. And in some cases, it can be as simple as, do you need access to all of these
different applications in your corporate
environment? With a lot of the cloud services, you can argue no. But for some of the social media
ones where it's like we saw them abusing Trello, or historically LinkedIn and Facebook have also
been abused. Is that something that people need access to at work? Some of those are things that
you can kind of shut down, at least potentially from a work network, but then you also have to recognize there's others you can't, like Dropbox.
And how are you going to make an effective business protection decision knowing that you
have to allow that access into your environment? Yeah, it also seems to me that cloud services
like Dropbox or Google Drive, they're practically the poster children for shadow IT
because if you get in the way of someone trying to do their job
and they feel as if they need to access Dropbox,
they're going to find a way.
Exactly.
And that then becomes its own problem of people doing it,
that you aren't aware of it. And that just opens up all sorts of issues.
a company that can do that kind of service for you to give you an idea of what an organization's, your actual organizational footprint looks like online.
What ports are potentially open? What isn't passed? What things like that do we discover
that are tied to your organization that aren't officially tied to your organization, or, you know, that dial-up modem that someone used 15 years ago that no one ever turned off that's tied to a
printer that's still, you know, connected into the production network. Little things like that, and
those are the same things that attackers are looking for when they're looking at an organization
and people need to increasingly move to viewing themselves
from that same global viewpoint of what do I look like as a potential victim? What do I look like
as a target from someone who can only view what they can find on the internet about me?
And then use that to make informed decisions. Every time I've been involved,
organizations have invariably found a non-trivial number of devices that they didn't realize were still operational or were still connected to their network because device and network management is a challenge.
And the older and larger an organization you are, the more of a challenge that is.
Any other recommendations here in terms of protecting yourself or mitigating this sort of thing?
The only other thing I would add, and it's not necessarily related to this,
it's related to some of the things that we've seen recently in the press,
is smishing and two-factor authentication are becoming increasingly critical
as we see attackers working to defeat them,
and not sophisticated threat attackers like teenagers looking to defeat them.
So organizations need to have
an effective policy. A, they need a multi-factor authentication in place, period. And then they
might need to look at some other policies for how they handle if someone is spammed with requests
to constantly try to authenticate. Does that trigger a behavioral rule where maybe it temporarily
locks out an account, maybe it flags it, things like that to address what we're already seeing with attackers trying to get around some of
the mitigations that we've put in place.
Our thanks to Jen Miller Osborne from Palo Alto Networks for joining us.
The research is titled Russian APT-29 Hackers Use Online Storage Services, Dropbox and Google Drive.
We'll have a link in the show notes.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is
Rachel Gelfand, Liz Ervin, Elliot Peltzman,
Trey Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabey, Tim Nodar. Thanks for listening.
We'll see you back here next week.