Cloud Services

Information

• Name: Cloud Services

• ID: T1021.007

• Tactics: TA0008

• Technique: T1021

Introduction

Cloud Services [T1021.007] is a sub-technique categorized under the MITRE ATT&CK framework's "Remote Services" (T1021) tactic. It describes adversaries leveraging legitimate third-party cloud services to gain unauthorized remote access and maintain persistence within compromised environments. Attackers utilize cloud infrastructure, such as cloud storage, compute instances, or APIs, to establish covert channels, execute commands, exfiltrate data, or manage compromised systems remotely. Due to the ubiquitous nature and legitimate use of cloud services, detecting malicious activities becomes challenging, providing adversaries a stealthy approach to maintain access and evade detection.

Deep Dive Into Technique

Adversaries implementing the Cloud Services sub-technique typically exploit legitimate cloud providers such as AWS, Azure, Google Cloud Platform, Dropbox, Google Drive, GitHub, and similar platforms. The technical execution methods and mechanisms include:

• Command-and-Control (C2) Infrastructure:

  • Attackers set up cloud-hosted virtual machines or containers to serve as C2 servers.

  • Leveraging legitimate cloud APIs (such as AWS EC2, Azure Functions, or Google Cloud Run) to relay commands and responses between compromised hosts and attacker-controlled infrastructure.

  • Utilizing cloud storage services (Amazon S3, Azure Blob Storage, Google Cloud Storage) for hosting payloads, scripts, or exfiltrated data.

• Data Exfiltration and Persistence:

  • Using cloud storage buckets or cloud databases to store stolen information.

  • Creating scheduled tasks or cron jobs on compromised hosts that periodically communicate with cloud infrastructure to maintain persistent access.

• Stealth and Evasion Techniques:

  • Encrypting outbound traffic to cloud services to evade detection by network monitoring solutions.

  • Utilizing legitimate cloud service domains, making it difficult to differentiate malicious traffic from normal business operations.

  • Leveraging OAuth tokens or API keys stolen from legitimate users or services to authenticate and interact with cloud resources.

• Commonly Exploited Cloud Services:

  • Amazon Web Services (AWS): EC2, Lambda, S3, Route 53

  • Microsoft Azure: Virtual Machines, Azure Functions, Azure Storage

  • Google Cloud Platform (GCP): Compute Engine, Cloud Functions, Cloud Storage

  • Dropbox, Google Drive, GitHub, Pastebin for data hosting and C2 communication

When this Technique is Usually Used

Attack scenarios and stages where adversaries frequently employ Cloud Services [T1021.007] include:

• Initial Access:

  • Attackers may leverage cloud-hosted payloads or scripts during phishing campaigns, enticing users to download malicious content from legitimate cloud domains.

• Execution and Command-and-Control:

  • Establishing remote command-and-control channels via cloud-hosted services to control compromised endpoints remotely.

• Persistence:

  • Cloud infrastructure enables attackers to maintain persistent access by periodically polling cloud-hosted resources for commands or payload updates.

• Data Exfiltration:

  • Using cloud storage services to store and retrieve stolen data securely and discreetly.

• Defense Evasion:

  • Attackers use legitimate cloud domains and encrypted traffic to bypass traditional network monitoring and detection systems.

• Lateral Movement and Privilege Escalation:

  • Cloud APIs and services may be leveraged to move laterally between cloud-hosted resources or escalate privileges within cloud environments.

How this Technique is Usually Detected

Detection methods and tools commonly employed to identify malicious usage of Cloud Services include:

• Network Traffic Analysis:

  • Monitoring network traffic for unusual communications to cloud service endpoints or APIs.

  • Identifying anomalous outbound connections, data transfers, or traffic patterns to cloud services during odd hours or from unusual sources.

• Endpoint Detection and Response (EDR):

  • Detecting suspicious processes or scripts interacting with cloud APIs or storage services.

  • Monitoring scheduled tasks, cron jobs, or scripts executing periodic communication with cloud resources.

• Cloud Access Security Brokers (CASBs):

  • Monitoring and analyzing cloud service usage to detect abnormal or unauthorized access patterns.

  • Identifying unusual API calls, credential usage, or resource creation/deletion events.

• Log Analysis and SIEM Solutions:

  • Analyzing cloud service logs for suspicious API calls, authentication events, or resource interactions.

  • Correlating endpoint logs, network traffic, and cloud service logs to identify coordinated malicious activities.

• Specific Indicators of Compromise (IoCs):

  • Unusual IP addresses or regions accessing cloud resources.

  • API authentication failures or abnormal API call patterns.

  • Suspicious cloud storage buckets or compute instances created without proper authorization or business justification.

  • Unusual file types or encrypted archives uploaded to cloud storage services.

Why it is Important to Detect This Technique

Early detection and mitigation of Cloud Services abuse are critical due to the following potential impacts:

• Data Breach and Exfiltration:

  • Attackers can exfiltrate sensitive data discreetly to cloud storage, causing significant financial, regulatory, and reputational damage.

• Persistence and Long-term Compromise:

  • Cloud infrastructure provides attackers with persistent and resilient command-and-control channels, complicating incident response and remediation.

• Stealth and Detection Evasion:

  • Legitimate cloud services usage complicates detection, allowing adversaries to operate undetected for extended periods.

• Financial Costs:

  • Unauthorized cloud resource usage can lead to unexpected financial charges and resource consumption.

• Regulatory and Compliance Risks:

  • Unauthorized and malicious cloud usage may lead to compliance violations, fines, and loss of customer trust.

• Operational Disruption:

  • Malicious cloud activities can lead to service outages, resource exhaustion, or unauthorized access to critical infrastructure.

Detecting and preventing malicious use of cloud services ensures timely incident response, reduces financial and operational impacts, and maintains regulatory compliance and organizational reputation.

Examples

Real-world examples showcasing Cloud Services [T1021.007] usage in attacks include:

• APT29 (Cozy Bear):

  • Utilized legitimate cloud services such as Dropbox and Google Drive to host payloads and exfiltrate data.

  • Leveraged cloud-hosted infrastructure to conduct command-and-control operations, reducing the likelihood of detection.

• FIN7 Cybercrime Group:

  • Leveraged AWS S3 buckets and Azure Blob Storage to store and exfiltrate stolen credit card data and sensitive information.

  • Used cloud-hosted scripts and payloads to maintain persistence and operate undetected within compromised environments.

• DarkHydrus Threat Group:

  • Hosted malicious payloads and scripts on legitimate cloud services (e.g., Google Drive) to distribute malware and maintain persistent access.

• TeamTNT Malware Campaign:

  • Targeted cloud environments to deploy cryptomining malware.

  • Leveraged AWS APIs and cloud-hosted scripts to spread laterally and maintain persistent access within compromised cloud infrastructure.

• Rocke Group:

  • Utilized cloud-hosted payloads and scripts to infect Linux servers, install cryptominers, and establish persistent communication channels via cloud-hosted infrastructure.

These real-world examples highlight adversaries' strategic use of cloud infrastructure to achieve stealth, persistence, and effective data exfiltration, underscoring the importance of robust detection and monitoring strategies.