Workspace applications are increasingly being weaponized as a Living off the Land (LOTL) technique, as threat actors find new ways to break in and execute attacks. The DTEX i3 Team has issued a Threat Advisory to provide insight on how malicious insiders are exploiting commonly trusted tools, such as Google Workspace, to steal data and evade detection.
Command and Control (C&C or C2) has been used by hackers for years to perform nefarious acts, including (but hardly limited to) data theft and malware distribution. Once inside the organization, usually thanks to a successful phishing attack, the threat actor becomes the organization’s most powerful insider threat – not only can they remotely control and manipulate victim devices, but they can often get away with it.
Last year Google’s Threat Analysis Group (TAG) disrupted a cyber espionage attack by APT41 – a Chinese hacking group, also known as BARIUM, and one of the FBI’s “Most Wanted.” The group used Google Command and Control (GC2) – a popular open-source red teaming tool – to carry out spear phishing attacks against a Taiwanese media company. The emails linked to a password-protected file (containing GC2) in Google Drive. Thanks to GC2, the group was able to execute commands from Google Sheets and exfiltrate data from Google Drive on the victims’ machines.
What sparks ongoing interest and concern about this case lies in the detection piece.
“This issue with the GC2 method is that most organizations will consider the use of Google Cloud and its products in the corporate environment to be benign,” our latest Insider Threat Advisory reads.
“Even if an analyst saw “sheets.google.com” as an exfiltration detection, there is a good chance they would consider it as a false positive and move on.”
With foreign interference on the rise, and nation state appetite for sensitive IP at an all-time high, there is no doubt that LOTL attacks will increase in stealth and frequency.
In fact, our latest Insider Risk Investigations Report confirms this reality; based on our own investigations where user actions were found to be intentional, 77% of super malicious insiders attempted to conceal their activity to evade detection:
- 35% attempted to conceal the source of their internet connection, including private browsers, VPN, mobile hotspots etc.
- 95% of super malicious insiders were able to avoid using ATT&CK techniques in a deliberate attempt to fly under the radar.
- 26% increase in the usage of burner email and encrypted messaging accounts since 2022.
The APT41 case noted above is but one example of how this can play out. It is also a prime example of how the lines between internal and external threats are rapidly blurring, as nation states employ a diverse mix of tactics to achieve their mission (if this is a topic you are interested in, make sure you catch us at RSA for our ‘Blurred Lines’ discussion with Kevin Mandia (Mandiant) and Brad Maiorino (RTX)).
While there is no quick security patch for LOTL attacks, there are several early detections and mitigations that can be leveraged to deter and disrupt malicious activity before significant harm occurs.
Our latest i3 Insider Threat Advisory dives into the weeds, providing actionable steps to address the risks associated with the use of Google Sheets and personal Google Drive. While this advisory focuses on GC2, the reality is the same risks apply to all cloud storage applications that can be leveraged for corporate and personal use, and where there are automations at play.
Read our latest Threat Advisory to understand the risk of exfiltration in trusted workspace applications and the detections needed to stay protected.