RSA Conference Living off the land is so 2021. Cybercriminals live off the cloud these days, according to Katie Nickels, director of intelligence for Red Canary and certified SANS instructor.
“It’s not enough to pay attention to operating systems, to endpoints,” Nickels said, speaking during a SANS Institute panel on the most dangerous new attack techniques at the RSA conference. “Adversaries, for most of their intrusions, use cloud services of various types.”
And yes, living off the land (or the cloud), in which intruders use legitimate software and cloud services to deploy malware, spy on businesses, and carry out other nefarious activities, is not a new kind of attack, Nickels admitted. “But what’s new here are the levels at which the use of cloud services [for cyberattacks] increased.”
In fact, many of the SANS Institute’s dangerous “new” attack techniques fall into the “old is new” category, which all panelists acknowledged.
Like stalkerware and worms. Heather Mahalik, senior director of digital intelligence at the SANS Institute, noted that attackers are using “new techniques” on top of these old attack methods.
With living-off-the-cloud attacks, Nickels said, these groups use common SaaS and IaaS offerings so that their activity looks like trusted cloud traffic. “We all use cloud services legitimately in our organizations, and things go right through those firewalls and proxies,” she said. “That’s one of the reasons adversaries live off the cloud.”
In one such account of SaaS abuse, uncovered by Jared Stroud of Lacework, attackers took advantage of Ngrok, which sets up a cloud-hosted reverse proxy in front of a web service so that it is reachable through a public URL. Developers can use it to share code without having to worry about domain hosting. “I can use the Ngrok software to get a URL that anyone can access very easily. It goes right through the firewall: instant URL sharing,” Nickels said.
We are told that attackers have also used this cloud service by sending an Ngrok domain in a phishing email; once a user clicks on the link, Ngrok sets up a tunnel that lets the attackers deliver a malicious payload to the victim’s device.
How does SANS suggest organizations detect and respond to these types of attacks? First, get rid of the idea that it’s possible to block all bad domains, Nickels said. When attackers use legitimate cloud services, domain blocking just won’t work.
The classic SANS advice “know the normal, find the wrong” still stands, she added. “And finally, when you see abuse of these cloud services, it’s not the fault of the cloud provider. Report it to them…so the cloud providers can help improve this.”
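One way to put “know the normal, find the wrong” into practice against the tunnel-service abuse described above, as an added example that is not code from the panel, Red Canary or SANS: build a baseline of destinations from one window of web-proxy logs, then surface tunnel-service hostnames (noting whether they were already normal, since developers may use them legitimately) and never-seen destinations in a later window. The log format, host names and the ngrok.app / ngrok-free.app suffixes are assumptions for the example; only ngrok.io is named in the article.

```python
import re
from collections import defaultdict

# Constructed web-proxy log lines (timestamp, source host, destination host, bytes out).
# Invented for this example; none of them come from the article.
BASELINE_LOGS = """\
2022-06-01T09:00:01 ws-101 login.microsoftonline.com 1200
2022-06-01T09:00:05 ws-102 outlook.office365.com 5300
2022-06-01T09:02:00 ws-103 docs.google.com 8800
2022-06-01T09:03:30 ws-102 dev-box.internal.example 400
"""
NEW_LOGS = """\
2022-06-02T10:15:02 ws-103 login.microsoftonline.com 1210
2022-06-02T10:16:40 ws-104 a1b2c3d4.ngrok.io 98000
2022-06-02T10:17:05 ws-101 docs.google.com 7600
2022-06-02T10:18:22 ws-102 cdn.new-vendor-example.net 310
malformed line that the parser should skip
"""
# Tunnel / reverse-proxy suffixes: ngrok.io is from the article; the other two are assumed.
TUNNEL_SUFFIXES = ("ngrok.io", "ngrok.app", "ngrok-free.app")
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def parse(log_text):
    """Yield (timestamp, src, dest, bytes_out) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))

def is_tunnel_service(host):
    # Exact match or a proper subdomain; "notngrok.io" must not match.
    return any(host == s or host.endswith("." + s) for s in TUNNEL_SUFFIXES)

def build_baseline(log_text):
    """'Know the normal': map each destination to the set of source hosts that used it."""
    normal = defaultdict(set)
    for _ts, src, dest, _n in parse(log_text):
        normal[dest].add(src)
    return normal

def find_the_wrong(baseline, log_text):
    """'Find the wrong': always surface tunnel services, plus any never-seen destination."""
    findings = {}
    for _ts, _src, dest, _n in parse(log_text):
        if is_tunnel_service(dest):
            status = "seen-in-baseline" if dest in baseline else "new"
            findings[dest] = f"tunnel-service ({status})"
        elif dest not in baseline:
            findings[dest] = "unseen-domain"
    return sorted(findings.items())
```

Running `find_the_wrong(build_baseline(BASELINE_LOGS), NEW_LOGS)` flags the ngrok hostname as a new tunnel service and the vendor CDN as an unseen domain, while the Microsoft and Google destinations pass as normal.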
Watch out for the flying horse
Mahalik, meanwhile, speaking of stalkerware, pointed to Pegasus, the very expensive spyware developed by NSO Group that can extract data and conduct other espionage activities.
“This attack literally flies through the air, lands on your iOS or Android device,” Mahalik said. “You don’t click on it, and it installs immediately, which is where my job gets very difficult. It also self-destructs.”
The flying-horse malware can be installed on a victim’s phone without any user interaction. And once deployed, the NSO client controlling this instance of Pegasus has access to everything on the victim’s device, including text messages, phone calls, emails, passwords, and photos.
And, just like how criminals still manage to use old methods of attack, businesses and individuals still need to pay attention to basic cyber hygiene, Mahalik said. “Update your devices, restart your devices, create your backups, use mobile device management, and don’t blindly click on things you don’t know what they are.” ®