www.recordedfuture.com
Open in
urlscan Pro
104.18.43.111
Public Scan
URL:
https://www.recordedfuture.com/threat-actors-leverage-internet-services-to-enhance-data-theft-and-weaken-security-defenses
Submission: On November 23 via api from US — Scanned from US
Submission: On November 23 via api from US — Scanned from US
Form analysis 0 forms found in the DOM
Text Content
This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy. Accept * Careers * Contact Us * Login * ENJPKO EN * Platform * Solutions * Products * Services * Research * Resources * Company Get a demo Book a demo Research (Insikt) THREAT ACTORS LEVERAGE INTERNET SERVICES TO ENHANCE DATA THEFT AND WEAKEN SECURITY DEFENSES Posted: 16th August 2023 By: Insikt Group New Insikt research highlights an emerging trend where threat actors are increasingly exploiting trusted platforms like Google Drive, OneDrive, Notion, and GitHub to conceal malicious activities within normal internet traffic. This tactic enhances their efficiency in data theft and operations while weakening conventional defenses. Advanced persistent threat (APT) groups are at the forefront of this strategy, with less sophisticated groups following suit. This underscores the need for adaptable defense strategies that evolve alongside threat actor innovations. The report addresses a crucial gap in understanding by offering a systematic overview of legitimate internet services (LIS) abuse across malware categories. It predicts a further increase in LIS abuse due to advantages enjoyed by threat actors and the challenges faced by defenders. The lack of comprehensive reporting makes it difficult to quantify the trend definitively, but the prevalence of LIS abuse by well-established malware families, the adoption of these methods by newer strains, and the rapid innovation by APT groups all suggest an increasing trend in LIS abuse for adversary infrastructure. Overview of a full C2 infrastructure setup using LIS As threat actors continue to evolve their tactics, traditional defenses like indicator of compromise (IOC) blocking and basic detections will become less effective. A multi-faceted approach, encompassing network-, file-, and log-based detection methods, is proposed. Defenders should also proactively identify potentially vulnerable internet services and conduct attack simulations to stay ahead. The report's analysis of over 400 malware families reveals that 25% of them abuse LIS in some capacity, with 68.5% of those families abusing more than one LIS. Infostealers are the most likely to exploit LIS (37%), driven by their data exfiltration objectives and ease of infrastructure setup. Different malware categories adopt distinct infrastructure schemes. Cloud storage platforms like Google Drive are the most commonly abused, followed by messaging apps like Telegram and Discord. In the short term, defenders are advised to identify and block LIS that are not used within their environment but are known to be used maliciously. For long-term security, organizations should invest resources in understanding both legitimate and malicious uses of specific services. This understanding will facilitate the development of more effective and nuanced detection methods. Technologies like TLS network interception are gaining relevance for improved visibility, though they also introduce privacy and compliance concerns. Despite the challenges, defenders can implement measures such as blocking or flagging malicious LIS usage, proactive threat hunting, and focusing on a diverse range of detection methods. Developing a comprehensive understanding of legitimate and malicious service usage is crucial for effective detection mechanisms and overall protection. The next report in the series will delve into the abuse of a specific LIS category used as malicious infrastructure. To read the entire analysis with endnotes, click here to download the report as a PDF. RELATED RESEARCH (INSIKT) Research (Insikt) AS BLACK FRIDAY APPROACHES, 3 KEY TRENDS OFFER INSIGHTS FOR MITIGATING ONLINE SHOPPING SCAMS Insikt Group's analysis of high-impact scam website campaigns before Black Friday reveals key scammer themes and protective measures for consumers and businesses. View Research (Insikt) Research (Insikt) IMPROVING AUTOMATION AND ACCESSIBILITY DRIVE $100 BILLION IN PROJECTED AD FRAUD LOSSES Ad fraud, amplified by automation and accessible bot software, inflates ad metrics for personal gain, lowering entry barriers and escalating its threat. View Research (Insikt) Research (Insikt) CHARTING CHINA’S CLIMB AS A LEADING GLOBAL CYBER POWER Chinese state-sponsored cyber operations have transformed, emerging as a more mature, stealthy, and coordinated threat than in previous years. View Research (Insikt) ABOUT US * Intelligence Cloud * Services & Support * Why Recorded Future * Research * Resources * Company HELPFUL LINKS * Careers * Contact Us * Get a Demo * The Intelligence Graph -------------------------------------------------------------------------------- JOIN US ONLINE * * * * * READY TO JOIN? Contact us today Copyright © 2023 Recorded Future, Inc. * Security FAQ * Cookies * Privacy Policy * Terms & Conditions