

Russian adversaries are taking advantage of trusted cloud services, including Dropbox and Google Drive, to deliver malware to businesses and governments, according to new research.

Cloaked Ursa – AKA the Russian government-linked APT29 or Cozy Bear – is increasingly using popular online storage services because it makes attacks difficult to detect and prevent, researchers at Palo Alto Networks Unit 42 wrote in a report.

Believed to have targeted several Western diplomatic missions and foreign embassies between May and June 2022, the recent campaigns were masked as an agenda for an upcoming meeting with an ambassador. But the phishing documents contained a link to a malicious HTML file that served as a dropper for additional malicious files in the target network, including a Cobalt Strike payload.

Palo Alto Networks disclosed the activity to Google and Dropbox, which have taken action to block it. However, the Unit 42 researchers have warned organizations and governments to be on high alert.

Cozy Bear has previously used legitimate cloud services to deliver malware, but the two most recent campaigns leveraged Google Drive cloud storage services for the first time.

“The ubiquitous nature of Google Drive cloud storage services – combined with the trust that millions of customers worldwide have in them – make their inclusion in this APT’s malware delivery process exceptionally concerning,” the researchers said. “In light of APT 29’s new tactics, organizations should be concerned about their abilities to identify, inspect and stop unwanted traffic to legitimate cloud storage providers.”

When the use of trusted cloud services is combined with encryption, it becomes “extremely difficult” for organizations to detect malicious activity, they warned.

The attack is “hardly surprising,” given that services such as these are used by a large number of organizations, said independent security researcher Sean Wright. “It makes it difficult to tell what is legitimate and what is potentially malicious, so from an attacker perspective, this is an incredibly powerful tool to hide their malicious content and actions.”

To help reduce risk, Wright recommends organizations choose a single service.
