Cloud Cover: How Malicious Actors Are Leveraging Cloud Services

Summary:
In the past year, there has been an increase in the number of threat actors leveraging legitimate cloud services in attacks. According to researchers at Symantec, trusted services like Microsoft OneDrive or Google Drive are frequently being abused because traffic to and from such services is less likely to raise red flags than communications with attacker-controlled infrastructure. Several different malware campaigns leveraging these services have been observed by Symantec and are highlighted below:

  • GoGra: GoGra is a backdoor written in the Go programming language that was deployed against a media organization in South Asia in November 2023. The backdoor used the Microsoft Graph API to interact with a command-and-control (C&C) server hosted on Microsoft mail services.
  • Grager: Grager is a backdoor that was deployed against three organizations in Taiwan, Hong Kong, and Vietnam in April 2024. This payload was downloaded from a typosquatted URL mimicking the open-source file archiver 7-Zip and used the Graph API to communicate with a C&C server hosted on Microsoft OneDrive.
  • Onedrivetools: Onedrivetools is a multi-stage backdoor that was deployed against IT services companies in the U.S. and Europe. Researchers note that the first stage is a downloader that authenticates to the Microsoft Graph API, downloads the second-stage payload from OneDrive, and executes it.
  • BirdyClient: BirdyClient is a relatively new malware strain that was uncovered by Symantec in May 2024. Notably, this malware also uses the Graph API to communicate with a OneDrive C&C server. The malware was used in an attack against an organization in Ukraine.

Security Officer Comments:
Taking a look at the above payloads, they all utilize Microsoft Graph, an API that facilitates access to resources hosted on Microsoft cloud services such as Microsoft 365, OneDrive, Outlook, and more. This broad access to various services has sparked a keen interest among threat actors, as they can reach a wide range of data and services such as email, calendar events, files, or devices, which can open the door for targeted phishing, lateral movement, and other malicious operations. Furthermore, communications with the Microsoft Graph API are encrypted, making it challenging for network monitoring tools to inspect the contents of the data being transmitted. Given that organizations frequently use services like Office 365 and OneDrive, traffic to and from the Graph API is less likely to raise suspicion, making detection all the more difficult.

Suggested Corrections:
Symantec recommends:

  • Block cloud services not used by your organization
  • Profile network traffic and monitor for network anomalies
    • e.g. a large file being uploaded to a cloud service
  • Use application whitelisting where applicable
    • Block non-browser processes connecting to cloud services
  • Identify critical assets in your organization and monitor them for exfiltration of data
  • Activate host-based and cloud audit logs
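As an added example (not code from the Symantec report), the following Python sketch applies two of these recommendations to a handful of constructed proxy-style log lines: it flags non-browser processes reaching Microsoft Graph or OneDrive endpoints, and it flags unusually large uploads to those endpoints. The log format, the process allow-list, and the 100 MiB upload threshold are assumptions that would be tuned per environment.

```python
"""Flag non-browser cloud clients and large cloud uploads in egress logs."""
import re

# Constructed sample log lines (not from the report). Fields:
# timestamp host process destination bytes_sent
SAMPLE_LOG = """\
2024-05-02T09:14:03Z host-01 msedge.exe graph.microsoft.com 2048
2024-05-02T09:15:11Z host-01 svc-helper.exe graph.microsoft.com 512
2024-05-02T09:16:40Z host-02 updater.exe onedrive.live.com 734003200
2024-05-02T09:17:02Z host-03 chrome.exe api.onedrive.com 1048576
2024-05-02T09:18:55Z host-02 updater.exe graph.microsoft.com 4096
"""

# Cloud endpoints of interest, matched on exact host or any subdomain.
CLOUD_DOMAINS = ("graph.microsoft.com", "onedrive.live.com", "api.onedrive.com")
# Assumed allow-list of browsers and sanctioned Microsoft clients; tune per environment.
ALLOWED_PROCESSES = {"msedge.exe", "chrome.exe", "firefox.exe", "onedrive.exe", "outlook.exe"}
# Assumed threshold for a "large" single upload (100 MiB).
UPLOAD_THRESHOLD_BYTES = 100 * 1024 * 1024

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, dest, sent = m.groups()
    return {"ts": ts, "host": host, "proc": proc.lower(), "dest": dest.lower(), "sent": int(sent)}


def is_cloud_dest(dest):
    return any(dest == d or dest.endswith("." + d) for d in CLOUD_DOMAINS)


def find_alerts(log_text):
    """Return (rule, host, process, destination) tuples for suspicious events."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not is_cloud_dest(ev["dest"]):
            continue
        if ev["proc"] not in ALLOWED_PROCESSES:
            alerts.append(("non-browser-cloud-client", ev["host"], ev["proc"], ev["dest"]))
        if ev["sent"] >= UPLOAD_THRESHOLD_BYTES:
            alerts.append(("large-cloud-upload", ev["host"], ev["proc"], ev["dest"]))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(*alert)
```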

Link(s):
https://symantec-enterprise-blogs.security.com/threat-intelligence/cloud-espionage-attacks