The post-pandemic workplace environment has brought significant changes to the network security landscape. Organizations have started relying more on cloud storage solutions, like Google Drive and Dropbox, to carry out their day-to-day operations.

Cloud storage services provide a simple and secure way to cater to the needs of a remote workforce. But it's not only businesses and employees that are taking advantage of these services. Hackers are finding ways to leverage the trust in cloud services and make their attacks extremely difficult to detect.

How does it happen? Let's find out!

How Do Hackers Use Cloud Storage Services to Avoid Detection?

Although encrypted cloud storage services are typically trusted by users, it can be extremely difficult for companies to detect malicious activity. In mid-July 2022, researchers at the Palo Alto Networks discovered malicious activity leveraging cloud services by a group called Cloaked Ursa—also known as APT29 and Cozy Bear.

The group is believed to have connections to the Russian government and is responsible for cyberattacks against the US Democratic National Committee (DNC) and the 2020 SolarWinds supply chain hack. It's also involved in several cyber espionage campaigns against government officials and embassies around the world.

Its next campaign involves using legitimate cloud storage solutions like Google Drive and Dropbox to shield their activities. Here is how the group conduct these attacks.

The Modus Operandi of the Attack

Cloud services

The attack begins with phishing emails sent out to high profile targets at European embassies. It masquerades as invites to meetings with ambassadors and comes with a supposed agenda in a malicious PDF attachment.

The attachment contains a malicious HTML file (EnvyScout) hosted in Dropbox that would facilitate the delivery of other malicious files, including a Cobalt Strike payload to the user's device.

Researchers speculate that the recipient couldn't initially access the file in Dropbox, probably due to restrictive government policies on third-party applications. However, the attackers were quick to send a second spear phishing email with a link to the malicious HTML file.

Rather than using Dropbox, the hackers now rely on Google Drive storage services to hide their actions and deliver payloads to the target environment. This time, the strike wasn't blocked.

Why wasn't the threat blocked?

It appears that since many workplaces now rely on Google applications, including the Drive, to conduct their day-to-day operations, blocking these services is usually seen as inefficient to productivity.

The ubiquitous nature of cloud services and the customers' trust in them make this new threat extremely challenging or even impossible to detect.

What Is the Purpose of the Attack?

Like many cyberattacks, it appears that the intention was to use malware and create a backdoor onto an infected network to steal sensitive data.

Unit 42 at the Palo Alto Network has alerted both Google Drive and Dropbox to the abuse of their services. It's reported that appropriate action was taken against accounts involved in the malicious activity.

How to Protect Against Cloud Cyberattacks

Illustration of cloud security

Since most anti-malware and detection tools focus more on downloaded files instead of files in the cloud, hackers are now turning to cloud storage services to avoid detection. Although such phishing attempts aren't easy to detect, there are steps you can take to mitigate the risks.

  • Enable multi-factor authentication for your accounts: Even if user credentials are obtained in this manner, the hacker would still require access to the device that performs the multi-factor validation too.
  • Apply the Privilege of Least Principle: A user account or device need only enough access necessary for a specific case.
  • Revoke excessive access to sensitive information: Once a user is granted access to an application, remember to revoke those privileges when the access is no longer needed.

What Is the Key Takeaway?

Cloud storage services have been a huge game changer for organizations to optimize resources, streamline operations, save time, and take some security responsibilities off of their plate.

But as is clear from attacks like these, hackers have started leveraging cloud infrastructure to craft attacks that are harder to detect. The malicious file could have been hosted in Microsoft OneDrive, Amazon AWS, or any other cloud storage service.

Understanding this new threat vector is important, but the hard part is putting controls in place to detect and respond to it. And it appears that even the dominant players in tech are struggling with it.