Russian Adversaries Abuse Dropbox and Google Drive in New Campaign

Russian adversaries are abusing trusted cloud services, including Dropbox and Google Drive, to deliver malware to businesses and governments, according to new research.

Cloaked Ursa – AKA the Russian government-linked APT29 or Cozy Bear – is increasingly using popular online storage services because doing so makes attacks difficult to detect and prevent, researchers at Palo Alto Networks Unit 42 wrote in a report.

The recent campaigns, believed to have targeted several Western diplomatic missions and foreign embassies between May and June 2022, used phishing lures disguised as an agenda for an upcoming meeting with an ambassador. The lure documents contained a link to a malicious HTML file that served as a dropper for additional malicious files on the target network, including a Cobalt Strike payload.

Palo Alto Networks disclosed the activity to Google and Dropbox, which have taken action to block it. However, the Unit 42 researchers have warned organizations and governments to be on high alert. “In light of APT29’s new tactics, organizations should be concerned about their abilities to identify, inspect and stop unwanted traffic to legitimate cloud storage providers.”

Cozy Bear has previously used legitimate cloud services to deliver malware, but the two most recent campaigns leveraged Google Drive cloud storage services for the first time. “The ubiquitous nature of Google Drive cloud storage services – combined with the trust that millions of customers worldwide have in them – make their inclusion in this APT’s malware delivery process exceptionally concerning,” the researchers said.

When the use of trusted cloud services is combined with encryption, it becomes “extremely difficult” for organizations to detect malicious activity, they warned.

The attack is “hardly surprising,” given that services such as these are used by a large number of organizations, said independent security researcher Sean Wright. “It makes it difficult to tell what is legitimate and what is potentially malicious, so from an attacker perspective, this is an incredibly powerful tool to hide their malicious content and actions.”

To help reduce risk, Wright recommends that organizations standardize on a single cloud storage service; traffic to any other provider then stands out against the baseline. In addition, Wright advised firms to ensure they use enterprise or business versions of that service. “These often come with extra controls that can help reduce the likelihood of attacks or help gain extra visibility to hopefully catch them in action.”
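The Unit 42 warning above concerns the ability to identify unwanted traffic to legitimate storage providers, and Wright's advice is to sanction a single provider. The script below shows what those two points look like as detection logic over web-proxy logs. It is an added example, not code from Unit 42, from the article or from either vendor. The log layout, the hostname-to-provider table, the list of "user-content" hosts and the set of risky content types are all assumptions made for illustration, and the sample log lines are constructed rather than real telemetry. It also presumes the proxy can record the destination host and the response content type, which in practice means TLS is inspected or the log comes from a CASB; the article's point about encryption is exactly that this visibility is often missing.

```python
"""Flag risky traffic to cloud storage providers in web-proxy logs.

Added example for the detection problem discussed in the article; not code
from Unit 42 or from the article. Log format, provider table, policy and
sample lines are all assumptions constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hostname suffix -> provider name. Assumed mapping for this example.
PROVIDERS = {
    "dropbox.com": "Dropbox",
    "dropboxusercontent.com": "Dropbox",
    "drive.google.com": "Google Drive",
    "docs.google.com": "Google Drive",
    "googleusercontent.com": "Google Drive",
}

# Suffixes that serve user-uploaded files rather than the provider's own UI.
# The content-type rule applies only here so that ordinary web-app pages
# (login screens, the file browser) do not generate noise. Assumed list.
USER_CONTENT = {"dropboxusercontent.com", "googleusercontent.com"}

# Content types a workstation should rarely fetch from a file-sharing host.
# text/html is listed because the campaign used an HTML file as its dropper.
RISKY_TYPES = {
    "text/html",
    "application/x-iso9660-image",
    "application/x-msdownload",
    "application/octet-stream",
}

# Assumed log layout: ts client host path method status content-type bytes
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<path>\S+) (?P<method>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+) (?P<bytes>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    client: str
    host: str
    provider: str
    reason: str


def _suffix_match(host: str, suffixes: Iterable[str]) -> Optional[str]:
    """Return the matching suffix, requiring a label boundary (no 'notdropbox.com')."""
    host = host.lower().rstrip(".")
    for s in suffixes:
        if host == s or host.endswith("." + s):
            return s
    return None


def provider_for(host: str) -> Optional[str]:
    """Name of the cloud storage provider behind host, or None."""
    s = _suffix_match(host, PROVIDERS)
    return PROVIDERS[s] if s else None


def analyse(log_text: str, sanctioned: str) -> List[Finding]:
    """Rule 1: any traffic to a storage provider other than the sanctioned one.
    Rule 2: a successful GET of a risky content type from a user-content host,
    which fires even on the sanctioned provider."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        prov = provider_for(m["host"])
        if prov is None:
            continue  # not a storage provider; out of scope for these rules
        if prov != sanctioned:
            findings.append(Finding(m["ts"], m["client"], m["host"], prov,
                                    "traffic to unsanctioned storage provider"))
        ctype = m["ctype"].split(";")[0].lower()
        if (m["method"] == "GET" and m["status"] == "200"
                and ctype in RISKY_TYPES
                and _suffix_match(m["host"], USER_CONTENT)):
            findings.append(Finding(m["ts"], m["client"], m["host"], prov,
                                    f"{ctype} fetched from file-sharing host"))
    return findings


# Constructed sample (not real telemetry): a Dropbox login page, a benign PDF,
# a Google Drive download redirect, an HTML fetch from a user-content host,
# and an unrelated API call that the rules ignore.
SAMPLE_LOG = """\
2022-06-01T09:14:02Z 10.1.2.10 www.dropbox.com /login GET 200 text/html 18231
2022-06-01T09:14:33Z 10.1.2.10 dl.dropboxusercontent.com /s/abc123/agenda.pdf GET 200 application/pdf 410233
2022-06-01T09:15:01Z 10.1.2.11 drive.google.com /uc?id=1AbC GET 302 text/html 0
2022-06-01T09:15:02Z 10.1.2.11 doc-0s-8k-docs.googleusercontent.com /docs/securesc/x1/agenda.html GET 200 text/html;charset=utf-8 22410
2022-06-01T09:16:10Z 10.1.2.12 api.github.com /repos/o/r GET 200 application/json 2048
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG, sanctioned="Dropbox"):
        print(f"{f.ts} {f.client} -> {f.host} [{f.provider}]: {f.reason}")
```

With Dropbox as the sanctioned provider, the sample yields three findings: two for the Google Drive hosts (rule 1) and one for the HTML file served from a Google user-content host (rule 2). The Dropbox login page is HTML too but is not flagged, because the content-type rule is scoped to user-content hosts; that scoping is the difference between a rule analysts will tune and one they will switch off.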
