Hackers are capitalizing on the trust inherent in cloud services by increasingly exploiting them for malicious activities. The appeal lies in the difficulty of distinguishing their actions from legitimate traffic, particularly with platforms like Google Cloud and messaging services such as Telegram.
Researchers at threat intelligence firm Recorded Future emphasize the need to identify and restrict the unauthorized use of cloud services to counteract these attacks. The abuse of legitimate services, primarily by advanced persistent threat groups linked to nation-states, is growing, as evidenced by the analysis of over 400 malware families revealing that a quarter of them exploit legitimate cloud platforms.
These attackers prefer to operate from trusted sites to mask their activities, making it harder to detect data exfiltration, command-and-control operations, and the distribution of malicious payloads. Utilizing existing infrastructure proves more cost-effective and efficient for hackers than setting up their own hosting services. The report points out that cloud storage services, especially Google Cloud, are the prime targets, followed by messaging platforms like Telegram and email services.
Even services like OneDrive, Discord, and Gmail SMTP have been abused. Criminals tailor their choice of service to their specific needs, such as using cloud storage for ransomware campaigns like mega.io or MegaSync.T
he strategy employed by these attackers is not foolproof; major service providers’ threat-hunting teams are actively working to detect malicious activities. Researchers and experts are advised to implement short-term measures like flagging or outright blocking unauthorized usage of legitimate internet services, while a long-term approach includes implementing robust defenses that allow legitimate use while thwarting malicious intent.
However, implementing these strategies may pose privacy and compliance concerns, particularly when decrypting encrypted network data using TLS network interception tools. In addition, continuous simulated attacks and rigorous monitoring are suggested to ensure preparedness against evolving hacker tactics.
