1. Home
  2. Techniques
  3. Enterprise
  4. Exfiltration Over Web Service
  5. Exfiltration to Cloud Storage

Exfiltration Over Web Service: Exfiltration to Cloud Storage

ID Name
T1567.001 Exfiltration to Code Repository
T1567.002 Exfiltration to Cloud Storage

Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.

Examples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service.

Angreifer können Daten zu einem Cloud-Speicherdienst exfiltrieren, anstatt über ihren primären Befehls- und Kontrollkanal. Cloud-Speicherdienste ermöglichen das Speichern, Bearbeiten und Abrufen von Daten von einem entfernten Cloud-Speicher-Server über das Internet.

Beispiele für Cloud-Speicherdienste sind Dropbox und Google Docs. Die Exfiltration zu diesen Cloud-Speicherdiensten kann dem Angreifer eine erhebliche Deckung bieten, wenn Hosts innerhalb des Netzwerks bereits mit dem Dienst kommunizieren.

Les adversaires peuvent exfiltrer des données vers un service de stockage en nuage plutôt que sur leur canal principal de commande et de contrôle. Les services de stockage en nuage permettent de stocker, de modifier et de récupérer des données à partir d'un serveur de stockage en nuage distant sur Internet.

Dropbox et Google Docs sont des exemples de services de stockage en nuage. L'exfiltration vers ces services de stockage en nuage peut fournir une couverture importante à l'adversaire si les hôtes du réseau communiquent déjà avec le service.

Gli avversari possono esfiltrare i dati su un servizio di cloud storage piuttosto che sul loro canale primario di comando e controllo. I servizi di cloud storage permettono di archiviare, modificare e recuperare dati da un server remoto di cloud storage su Internet.

Esempi di servizi di cloud storage includono Dropbox e Google Docs. L'esfiltrazione a questi servizi di cloud storage può fornire una quantità significativa di copertura all'avversario se gli host all'interno della rete stanno già comunicando con il servizio.

Login
ID: T1567.002
Sub-technique of:  T1567
Tactic: Exfiltration
Platforms: Linux, Windows, macOS
Requires Network:  Yes
Version: 1.0
Created: 09 March 2020
Last Modified: 28 March 2020
Translations:  DE FR IT EN
Provided by LAYER 8

Procedure Examples

ID Name Description
S0635 BoomBox

BoomBox can upload data to dedicated per-victim folders in Dropbox.[1]
S0651 BoxCaon

BoxCaon has the capability to download folders' contents on the system and upload the results back to its Dropbox drive.[2]
G0114 Chimera

Chimera has exfiltrated stolen data to OneDrive accounts.[3]
S0538 Crutch

Crutch has exfiltrated stolen data to Dropbox.[4]
S0363 Empire

Empire can use Dropbox for data exfiltration.[5]
G0046 FIN7

FIN7 has exfiltrated stolen data to the MEGA file sharing site.[6]
G0125 HAFNIUM

HAFNIUM has exfiltrated data to file sharing sites, including MEGA.[7]
S0037 HAMMERTOSS

HAMMERTOSS exfiltrates data by uploading it to accounts created by the actors on Web cloud storage providers for the adversaries to retrieve later.[8]
G0065 Leviathan

Leviathan has used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox.[9][10]
S0340 Octopus

Octopus has exfiltrated data to file sharing sites.[11]
S0629 RainyDay

RainyDay can use a file exfiltration tool to upload specific files to Dropbox.[12]

G0010 Turla

Turla has used WebDAV to upload stolen USB files to a cloud drive.[13] Turla has also exfiltrated stolen files to OneDrive and 4shared.[14]
G0128 ZIRCONIUM

ZIRCONIUM has exfiltrated stolen data to Dropbox.[15]

Mitigations

ID Mitigation Description
M1021 Restrict Web-Based Content

Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Access
DS0029 Network Traffic Network Traffic Content
Network Traffic Flow

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server) to known cloud storage services. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.

Analysieren Sie die Netzwerkdaten auf ungewöhnliche Datenströme (z.B. ein Client, der deutlich mehr Daten sendet als er von einem Server empfängt) zu bekannten Cloud-Speicherdiensten. Prozesse, die das Netzwerk nutzen, die normalerweise keine Netzwerkkommunikation haben oder noch nie gesehen wurden, sind verdächtig. Die Überwachung des Benutzerverhaltens kann helfen, abnormale Aktivitätsmuster zu erkennen.

Analysez les données du réseau pour détecter les flux de données inhabituels (par exemple, un client qui envoie beaucoup plus de données qu'il n'en reçoit d'un serveur) vers des services de stockage en nuage connus. Les processus utilisant le réseau qui n'ont pas de communication réseau normale ou qui n'ont jamais été vus auparavant sont suspects. La surveillance du comportement des utilisateurs peut aider à détecter des modèles d'activité anormaux.

Analizzi i dati di rete alla ricerca di flussi di dati insoliti (ad esempio, un cliente che invia molti più dati di quanti ne riceva da un server) verso servizi di cloud storage conosciuti. I processi che utilizzano la rete che normalmente non hanno comunicazioni in rete o che non sono mai stati visti prima sono sospetti. Il monitoraggio del comportamento degli utenti può aiutare a rilevare modelli di attività anormali.

References

  1. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  2. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  3. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.
  4. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  5. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  6. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
  7. MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.
  8. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.
  1. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  2. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  3. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
  4. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  5. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  6. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  7. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.