CyberWire Daily - The double-edged sword of cyber espionage. [Research Saturday]
Episode Date: May 11, 2024
Dick O'Brien from Symantec's Threat Hunter team is discussing their research on “Graph: Growing number of threats leveraging Microsoft API.” The team observed an increasing number of threats that have begun to leverage the Microsoft Graph API, usually to facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services. The research states "the technique was most recently used in an attack against an organization in Ukraine, where a previously undocumented piece of malware used the Graph API to leverage Microsoft OneDrive for C&C purposes." The research can be found here: Graph: Growing number of threats leveraging Microsoft API
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities,
solving some of the hard problems,
and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
We discovered a previously unknown piece of malware, which we have called BirdyClient,
because we think the attackers themselves call it BirdyClient.
And it initially got our attention because it was submitted from Ukraine,
which is always interesting given what's going on there at the moment.
That's Dick O'Brien, a principal intelligence analyst with Symantec's Threat Hunter team.
The research we're discussing today is titled Graph, Growing Number of Threats Leveraging Microsoft API.
And then on analysis, we've discovered that its functionality included the ability to use the Microsoft Graph API
to communicate with a command and control server
that was hosted on a Microsoft OneDrive account.
And we thought that was notable
because it is the latest in a growing number of threats
that seem to leverage the Graph API,
in particular in relation to command and control communications.
It has been happening for a couple of years now,
but the number of actors who seem to be capitalizing on it is growing.
Well, before we dig into some of the history here,
can you give us a little rundown of
what exactly the Graph API is designed to do? Okay, yeah, it's very simple. It is meant to be there
to allow application developers to have an easy way to access resources that are hosted on Microsoft Cloud Services,
such as Microsoft 365
and all of that kind of thing.
And it means that you can
effectively log in using an OAuth access token
and grab information from there
and integrate it into whatever you are developing yourself.
So that could be emails, calendar events, files that are hosted on OneDrive, for example.
So if you wanted to create a dashboard with lots of information, including information drawn from
Microsoft accounts, Graph API would help
you do that really quickly. So that's a legitimate use case. But attackers have discovered that
they can use it for their own purposes and they can have their command and control infrastructure
hosted on a Microsoft service like OneDrive and then use Graph API to communicate with it.
Well, the research that you all have published
points out kind of a long history of folks using this.
Can we go through some of that together?
Yeah, I mean, we've gone back to the start
and highlighted the notable instances.
There are more, so it's not an exhaustive list.
So the first group to do so was a North Korean-linked espionage group
that we call Vedalia.
Other vendors call them APT37.
And as is common with a lot of these espionage groups,
they tend to keep an eye on what they're doing.
And if they see somebody implementing an interesting attack technique,
they tend to try it out for themselves.
So subsequently, in October 2021, we saw a state-backed group called Harvester going after organizations in Asia using a tool called Backdoor.Graphon.
And it implemented nearly exactly the same technique. But where it really came to public attention was early January 2022.
A malware family that was christened Graphite was discovered.
And it was linked to the Russian espionage group that we call Swallowtail
and other vendors variously called APT28 or FancyBear.
They began leveraging this technique to connect to a OneDrive-hosted
command-and-control server.
And I think that really put the technique into the spotlight
and things started to snowball after that
because Russian espionage groups,
in particular, the group that we call
Fritillary or APT29, as the vendors call them,
are really the masters
in knowing their way
around Microsoft systems
and exploiting them, particularly their cloud systems.
So they really know how they work.
They have a deep understanding of these systems.
And indeed, they've managed to breach Microsoft themselves on occasion.
So if Russian espionage is using this as a technique,
that definitely got a lot of people's attention.
So then as time goes on, we saw various other groups,
including the Flea group, who are also known as APT15, they're a Chinese group.
They began leveraging the technique
in a campaign
that was directed against
foreign affairs ministries in
the Americas.
And
what they did was they got an
older piece of malware
called Ketrican
and they just bolted on this functionality.
They decided, oh, this is something they wanted.
So they implemented that as their command and control technique.
So in the past 12 months or so,
there have been multiple attacks involving this technique,
some of which are linked to known groups, many of which have been publicly reported.
So what we have discovered is just the latest in a long line of threats that have leveraged this technique.
And what is it about the functionality of this API
that allows these folks to do the things they want to do and simultaneously evade detection?
Very simply, I guess if you are behind anything but the most basic form of attack, communication back and forth with the compromised network is a key component.
You want to issue commands to the tools that you have installed on your target network,
and you want to exfiltrate data back from the targeted network. But unfortunately, that traffic
is one of the things that can trip you up, that can raise red flags in your victim.
So what is maybe less likely to raise suspicion,
and I suspect this is one of the chief motivations for attackers,
is communications with a known entity.
So somebody using a Microsoft API
to interact with Microsoft Cloud Services,
that kind of seems an awful lot more run-of-the-mill
than anomalous traffic between your network
and some unknown server.
And then for attackers,
it's a cheap source of infrastructure.
You can get something like a OneDrive account for yourself for nothing.
So not only is it inconspicuous, but it's also cheap and convenient.
And things like Microsoft Cloud Services, they have pretty good security around them.
So there's less likelihood that somebody you don't want
to snoop on your own infrastructure.
So there's a lot of selling points
for attackers.
Yeah.
What are your recommendations then
for folks to best protect themselves here?
I know this is a concern for organizations
because we do talk to a lot of our customers
about stuff we're working on or researching.
And this was a topic that seemed to really resonate with them.
And a lot of them came back and said,
this is something we're really worried about at the moment.
And it's not just things like OneDrive.
They also mentioned other popular cloud services.
So I think it's time for organizations
to start looking at the cloud accounts
that people are using.
And they, I think, probably need to start
really locking it down to tenants and accounts that belong to the
enterprise. So it's not at all
uncommon to hear about people
saving stuff to their cloud account from their work
computer. But that kind of thing I think needs to probably
be severely limited, because
if you are allowing that, it means that traffic to attacker-controlled accounts is maybe less
likely to be noticed. And I guess there's lots of graph logging tools, you know,
so it may be time to start more proactively monitoring connections
for the graph API and checking them.
Do you have any sense for how Microsoft has approached this?
I mean, to what degree are they saying,
well, the API is working as designed,
and so we're good here, right?
Yeah, I mean, obviously,
it's probably more of a question for Microsoft,
but the difficulty for them is that
the attackers are not necessarily breaching their services.
They're using them as intended,
although I'm pretty sure the terms and conditions
will specify that you should not use your Microsoft account
for purposes like these.
But they are signing up like legit users
and to all intents and purposes,
they're acting like that, you know.
So I'm fairly sure that Microsoft are aware of
attackers using this technique
and using their services. I guess
if I was somebody like Microsoft, I'd be working hard
to try and profile
the malicious users
and try and block them more quickly, you know,
because there probably is a very distinct pattern of usage.
When an organization discovers that they have fallen victim to this,
how does it usually reveal itself?
You usually find it in the malware.
It's the malware itself.
That is usually the starting point.
You discover the malware on your network,
and then the malware reveals that this is how they've been communicating.
And that's Research Saturday brought to you by N2K CyberWire. Our thanks to Dick O'Brien from Symantec's Threat Hunter team for joining us.
The research is titled Graph, Growing Number of Threats Leveraging Microsoft API.
You can find a link and additional resources in our show notes.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like the show, please share a rating and review in your podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector,
from the Fortune 500 to many of the world's preeminent intelligence and law enforcement
agencies. N2K makes it easy for companies to optimize your biggest investment, your people.
We make you smarter about your teams while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karf.
Simone Petrella is our president.
Peter Kilby is our publisher.
And I'm Dave Bittner.
Thanks for listening.