This article is more than 1 year old

Cloud services proving handy for cybercriminals, SANS Institute warns

Flying horses, gonna pwn me away...

RSA Conference Living off the land is so 2021. These days, cybercriminals are living off the cloud, according to Katie Nickels, director of intelligence for Red Canary and a SANS Certified Instructor.

"It's not enough to pay attention to the operating systems, the endpoints, said Nickels, speaking on a SANS Institute panel about the most dangerous new attack techniques at RSA Conference. "Adversaries, a lot of their intrusions, are using cloud services of different types."  

And yes, living off the land (or the cloud), in which intruders use legitimate software and cloud services to deploy malware or spy on corporations and other nefarious activities, isn't a new type of attack, Nickels admitted. "But what's new here is the levels to which using cloud services [for cyberattacks] has risen." 

In fact, many of the SANS Institute's dangerous "new" attack techniques fall into the what's-old-is-new-again category, which all of the panelists acknowledged. 

Like stalkerware and worms. Heather Mahalik, a senior director of digital intelligence at SANS Institute, noted that attackers are using "new techniques" on these old attack methods.

With living off the cloud attacks, Nickels said these groups are using common SaaS and IaaS, which makes their activity look like trusted cloud traffic. "We all use cloud services legitimately in our organizations, and stuff goes right through those firewalls and proxies," she said. "This is one of the reasons adversaries are doing this living off the cloud." 

In one such tell of a SaaS exploit, discovered by Lacework's Jared Stroud, attackers took advantage of Ngrok, which sets up a reverse proxy fronting web services running in the cloud. Developers can use it to share out code without having to bother with domain hosting. "I can use Ngrok software to really easily get a URL that anyone can access, it goes right through the firewall, instant URL sharing out," Nickels said.

We're told attackers also used this cloud service to send an Ngrok domain, via a phishing email, and once a user clicks on the link, Ngrok sets up a tunnel that makes it easy for miscreants to send malicious payload through to the victim's device.

How does SANS suggest organizations detect and respond to these types of attacks? First, get rid of the idea that it's possible to block all of the bad domains, Nickels said. When attackers use legitimate cloud services, this simply won't work. 

The classic SANS "know normal, find evil" advice still holds true, she added. "​​And lastly, when you find abuse of these cloud services, it's not the cloud provider's fault. Report it to them … so cloud providers can help make this better."

Watchout for the flying horse

Mahalik, meanwhile, talking about stalkerware, pointed to Pegasus, the very expensive spyware developed by NSO Group that can extract data and carry out other espionage. 

"This attack literally flies through the air, lands on your iOS or Android device," Mahalik said. "You don't click it, and it immediately self-installs, which is where my job becomes very difficult. It also self-destructs." 

The flying horse malware can be installed on a victim's phone without any user interaction. And once it's deployed, the NSO customer controlling that instance of Pegasus has access to everything on the victim's device, including text messages, phone calls, emails, passwords, and photos.  

And, much like how criminals still find success using old attack methods, enterprises and individuals still need to pay attention to basic cyber hygiene, Mahalik said. "Update your devices, reboot your devices, create your backups, use mobile device management and do not blindly click on things you don't know what they are." ®

More about


Send us news

Other stories you might like