A new report published this week by Cyber Squared reveals how Chinese hackers abuse major cloud-based platforms in all the phases of their attacks.According to researchers, the Chinese Advanced Persistent Threat (APT) group that targeted The New York Times last year used both Dropbox and WordPress to carry out its missions.
In the first phase of the attack, the APT group uploads malicious files to a free Dropbox account and sends links to the binaries, via email, to the targets.
The advantage of using Dropbox is that the attackers anonymize themselves, and they mask their intentions behind the trusted Dropbox brand. In addition, the malicious content is delivered via a method that evades traditional detection and mitigation systems.
The file hosted on Dropbox appears to be a harmless document, for example a policy document from the Association of Southeast Asian Nations (ASEAN).
In reality, the document is crafted so that when it’s opened, it exploits vulnerabilities in the software installed on the targeted computer in an effort to drop a piece of malware. To avoid raising any suspicion, a legitimate document is displayed.
Once the threat infects a computer, the second phase of the attack starts. The malware connects to a WordPress blog from which it retrieves command and control (C&C) information.
The C&C data is hidden in plain sight within news articles related to geopolitical events.
“This serves as yet another example of how sophisticated threats are successfully leveraging trusted SPI to facilitate the initial targeting and C2 phases of their exploitation operations. Few enterprise net defense teams are adequately resourced or enabled to detect targeted attacks and subsequent C2 web sessions that use trusted SPI chaining techniques,” Cyber Squared noted.
Commenting on the report, Solutionary SERT’s Director of Research, Rob Kraus, says we shouldn’t be surprised that legitimate cloud services are abused in such a manner.
“Cloud infrastructure has been used to host malware content used in conjunction with droppers and downloader components for malware for some time. Identification of the use of WordPress and Dropbox should not surprise anyone; if it does, we have a lot more work to do,” Kraus said in a mailed statement to Softpedia.
“Regardless of whether or not this is an APT or standard mass distributed malware, it is not real surprise the attackers are using legitimate infrastructure and cloud computing to accomplish their goals,” he added.
“The real story here is, now that we know this information, what will Dropbox and WordPress do to help mitigate the risk? They must have a process for taking down or disabling accounts if they are identified as malware/APT C&C hosts.”