i³ Threat Advisory: Mitigating Living off the Land Attacks Using Insider Risk Monitoring

ACT NOW TO MITIGATE RISK

  1. Block access to consumer accounts, which can be achieved by:
    a. Block access to consumer accounts | Google Workspace Admin Help.
    b. Block access to consumer accounts | Microsoft Learn.
    (Note: this may also require application allowlisting of browsers on corporate devices.)
  2. Configure Google Cloud user settings so that only users who need to create Projects hold that permission: Turn Google Cloud on or off for users | Google Workspace Admin Help.
  3. Monitor users that do have permissions more closely.
  4. Implement application allowlisting within the corporate environment.

INTRODUCTION

In April 2023, news broke that APT41, a Chinese cyber threat group, was abusing the Google Command and Control (GC2) red teaming tool as part of a cyber espionage/data theft attack against a Taiwanese media company. Command and control (C2) is often part of the Cyber Kill Chain in which the threat actor gains remote control of the victim endpoint in order to perform malicious actions and exfiltrate data. Insiders can use C2 to circumvent existing methods of detection and Data Loss Prevention (DLP) programs. The issue with the GC2 method is that most organizations consider the use of Google Cloud and its products in the corporate environment to be benign. Even if an analyst saw “sheets.google.com” in an exfiltration detection, there is a good chance they would treat it as a false positive and move on. This type of Living off the Land (LOTL) technique, which applies to any similar cloud service, is a popular tactic among external threat actors and is increasingly being seen in insider threat investigations.

A customer recently asked the DTEX i3 team to create a profile for this type of attack. Given that the mitigations listed above can be time-consuming to implement, having intermediary detections in place will significantly reduce the risk of compromise and data loss in the short term. The detection rules provided below can be stacked with other behavioral rules to add context to a user’s activity, giving early warning indicators and enabling mitigation of potential data exfiltration.

OPERATIONAL SCENARIOS

The DTEX i3 team has observed several organizations exposed to insider risks due to inadequate controls around the use of Google Workspace and the use of personal Google Drive in their corporate environments. One of the biggest risks is a user evading detection to successfully exfiltrate data (either knowingly or not) by uploading files directly to Google Drive. Network monitoring is unlikely to flag the upload as a risk because the Google domains are generally considered safe and likely generate a significant amount of user traffic.

The following video highlights the risk in action and the mitigations available:

Video Timestamps
00:00 Introduction
01:05 Use case and reference material
02:54 Reference material mitigations
03:42 Additional mitigations
05:06 Practical demonstration
10:24 What the GC2 is doing on the victim endpoint
11:23 Actionable GC2 detections and endpoint indicators
13:05 Further mitigation advice
13:37 Final words including what we are currently seeing.

EARLY DETECTION AND MITIGATION

The DTEX i3 team recommends organizations take the following steps to help mitigate the risks associated with the use of Google Workspace and personal Google Drive.

Block Access to Consumer Accounts

As per the mitigations listed above, it is worth considering preventing users from signing into personal Google accounts. Options to do this are provided for both Google Chrome and Microsoft Edge, but IT administrators should also research and implement this for any other browsers used within their environment.

This is ideal because corporate Google accounts can usually be monitored more heavily than personal accounts (due to privacy regulations). In addition, organizations should have well-thought-out end-to-end data handling so that employees are set up for success and have no need to use personal drives.
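The mechanism behind the "Block access to consumer accounts" articles referenced in this advisory is an HTTP request header, X-GoogApps-Allowed-Domains, carrying the Workspace domains whose accounts may sign in; a web proxy adds it to traffic bound for Google, and Chrome and Edge can send it themselves via the AllowedDomainsForApps browser policy. The following is an added example (not part of the advisory and not Google's or Microsoft's code) of the proxy-side injection as a pure function, shaped so it can also be dropped into a mitmproxy `request` hook. The Google host suffix list, the allowed domains and `account_permitted`, which only models the documented effect of the header, are assumptions for this illustration.

```python
"""Added example: proxy-side injection of the X-GoogApps-Allowed-Domains header.

Not the advisory's own tooling. Host suffixes and domains are assumptions; the
reference articles list the exact hosts that must carry the header.
"""

HEADER = "X-GoogApps-Allowed-Domains"

# Assumption: hosts a proxy should cover. Google documents the header for google.com
# and its subdomains; consult the referenced article for the authoritative list.
GOOGLE_HOST_SUFFIXES = ("google.com",)


def is_google_host(host: str) -> bool:
    """True for google.com itself and any subdomain of it (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in GOOGLE_HOST_SUFFIXES)


def inject_allowed_domains(host: str, headers: dict, allowed_domains: list) -> dict:
    """Return a copy of `headers` with the allowlist header set for Google hosts.

    Non-Google destinations are left untouched. An empty allowlist is refused so a
    misconfigured proxy fails loudly instead of silently permitting every account.
    """
    if not allowed_domains:
        raise ValueError("allowed_domains must list at least one Workspace domain")
    out = dict(headers)
    if is_google_host(host):
        out[HEADER] = ",".join(d.lower() for d in allowed_domains)
    return out


def request(flow) -> None:
    """mitmproxy-style hook (assumed shape): mutate the live request in place."""
    new_headers = inject_allowed_domains(
        flow.request.host, dict(flow.request.headers), ["example.com"]
    )
    if HEADER in new_headers:
        flow.request.headers[HEADER] = new_headers[HEADER]


def account_permitted(header_value: str, account: str) -> bool:
    """Model of the documented effect: sign-in succeeds only for listed domains.

    This mirrors the behaviour Google describes; it is not Google's code.
    """
    allowed = {d.strip() for d in header_value.lower().split(",") if d.strip()}
    domain = account.lower().rsplit("@", 1)[-1]
    return domain in allowed


if __name__ == "__main__":
    hdrs = inject_allowed_domains("accounts.google.com", {}, ["example.com"])
    print(hdrs)
    print("corp user:", account_permitted(hdrs[HEADER], "bob@example.com"))
    print("gmail user:", account_permitted(hdrs[HEADER], "alice@gmail.com"))
```

Because the header must reach Google on every request, TLS-intercepting proxies or the browser policy are the only reliable carriers; an unmanaged browser that bypasses the proxy will not send it, which is why the advisory pairs this control with application allowlisting.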

Restrict User Access to Google Cloud Settings

There may be a concern that users may still use GC2 to exfiltrate data using their corporate Google Workspace account, especially if they are allowed to access this service on non-corporate devices. Restricting users from accessing Google Cloud settings is a proactive approach that organizations can take to stop data exfiltration from occurring.

Monitor Users with the Permissions Granted

Some organizations may have a need to create projects and use the API functionality that would allow GC2 to work. Business leaders need to weigh this risk, and additional monitoring of those user accounts is always recommended. This is a common recommendation for all user accounts that have elevated privileges.

Implement Application Allowlisting

Implementing application allowlisting has two direct benefits. Firstly, IT administrators only need to block consumer-account access in the browsers that are permitted within the organization, rather than in every browser a user might install. Secondly, it prevents unsigned and non-approved applications, such as the binary used as part of GC2, from ever executing on a corporate endpoint.

Application allowlisting provides significant benefits not only in fortifying against insider threats but also in improving an organization’s cybersecurity program overall.

INVESTIGATION

The detection for GC2 relies heavily on the current format of the Proof of Concept (PoC). It is highly recommended to implement the above mitigating controls as soon as possible to prevent insider threat activity like this or similar.

DTEX has created two new rules as part of its latest intelligence package that can be used to detect this C2 technique. Below we will discuss how each works and then the limiting factors in reference to the PoC code.
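DTEX’s own rules are limited distribution and are not reproduced here. As an added illustration of the kind of logic such a detection relies on, the script below is example code written for this page, not DTEX’s rules and not the GC2 project’s code. It applies the advisory’s point that the destination alone (Google Sheets or Drive APIs) is not suspicious, but a non-browser or unsigned process reaching those APIs at regular intervals is. The telemetry format, the process names, the allowlisted clients, the Google API host list and the thresholds are all constructed assumptions.

```python
"""Added example (not DTEX's rules): flag non-allowlisted or unsigned processes that
reach Google Sheets/Drive API endpoints, and score regular beaconing.

Telemetry format, hostnames, process names and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption: the organization's allowlisted clients for Google APIs (browsers).
ALLOWED_API_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Assumed API hosts used by Sheets/Drive tooling. Browsers reach them too, which is
# why process identity and code signing, not the destination alone, drive the verdict.
GOOGLE_API_HOSTS = {"sheets.googleapis.com", "www.googleapis.com", "oauth2.googleapis.com"}
MIN_BEACONS = 4   # connections needed before interval regularity is scored
MAX_JITTER = 0.2  # coefficient of variation below which intervals count as regular

# Constructed telemetry: timestamp|endpoint|process|signed or unsigned|destination host
SAMPLE_LOG = """\
2024-03-05T09:00:00|WS-0142|chrome.exe|signed|sheets.googleapis.com
2024-03-05T09:00:05|WS-0142|updater.exe|unsigned|sheets.googleapis.com
2024-03-05T09:01:05|WS-0142|updater.exe|unsigned|sheets.googleapis.com
2024-03-05T09:02:05|WS-0142|updater.exe|unsigned|sheets.googleapis.com
2024-03-05T09:03:05|WS-0142|updater.exe|unsigned|sheets.googleapis.com
2024-03-05T09:03:40|WS-0142|updater.exe|unsigned|www.googleapis.com
2024-03-05T09:10:00|WS-0142|chrome.exe|signed|www.googleapis.com
2024-03-05T09:12:00|WS-0207|excel.exe|signed|www.googleapis.com
"""


def parse_log(text):
    """Parse pipe-delimited lines into (timestamp, endpoint, process, signed, dest)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, endpoint, process, signed, dest = line.split("|")
        events.append((datetime.fromisoformat(ts), endpoint, process.lower(),
                       signed == "signed", dest.lower()))
    return events


def beacon_interval(timestamps):
    """Mean gap in seconds when connections are evenly spaced, otherwise None."""
    if len(timestamps) < MIN_BEACONS:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0 or pstdev(gaps) / avg > MAX_JITTER:
        return None
    return avg


def analyze(text):
    """Group Google API connections per (endpoint, process) and return findings."""
    groups = defaultdict(list)
    for ts, endpoint, process, signed, dest in parse_log(text):
        if dest in GOOGLE_API_HOSTS:
            groups[(endpoint, process, signed)].append((ts, dest))

    findings = []
    for (endpoint, process, signed), conns in groups.items():
        if process in ALLOWED_API_CLIENTS and signed:
            continue  # expected browser traffic; nothing to raise
        reasons = []
        if process not in ALLOWED_API_CLIENTS:
            reasons.append(f"{process} is not an allowlisted Google API client")
        if not signed:
            reasons.append(f"{process} is not code-signed")
        per_dest = defaultdict(list)
        for ts, dest in conns:
            per_dest[dest].append(ts)
        for dest, stamps in per_dest.items():
            gap = beacon_interval(stamps)
            if gap is not None:
                reasons.append(f"beaconing to {dest} every ~{gap:.0f}s ({len(stamps)} connections)")
        # An unsigned, non-allowlisted client that beacons is the strongest C2 signal.
        severity = "high" if len(reasons) >= 3 else "medium" if len(reasons) == 2 else "low"
        findings.append({"endpoint": endpoint, "process": process,
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["severity"].upper(), f["endpoint"], f["process"], "; ".join(f["reasons"]))
```

On the constructed sample, the signed browser traffic is ignored, the signed Office process that touched the Drive API once is raised as low severity for an analyst to triage, and the unsigned binary polling the Sheets API every minute is raised as high. As the advisory notes, logic like this depends on the current shape of the PoC (its polling cadence and endpoints), so it belongs alongside the mitigations above rather than in place of them.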

This content is classed as “limited distribution” and is only available to approved insider risk practitioners.
Log in to the customer portal to access the indicators or contact the i³ team to request access.

CONCLUSION

Organizations have rapidly shifted workflows to cloud-based systems not only for the benefits of cost savings and remote collaboration but also for the reduction in maintenance and upkeep of on-premises systems.

The LOTL techniques presented in this i3 Insider Threat Advisory are not unique to Google Cloud and its products; however, due to the increased publicity around APT41 and the available PoC, exfiltration attempts using GC2 are expected to increase in 2024. Having robust monitoring in place, performing regular penetration tests and red team exercises, and staying on top of the latest PoC exploits relating to your environment are critical for proactively mitigating the risks of data exfiltration.

INVESTIGATIONS SUPPORT

For intelligence or investigations support, contact the DTEX i3 team.

RESOURCES

GitHub looCiprian/GC2-sheet

The GitHub repository that is referenced in this advisory provides a proof-of-concept (PoC) to execute the C2 server using Google Sheets.

Block access to consumer accounts – Google Workspace Admin Help

Block access to consumer accounts | Microsoft Learn

Turn Google Cloud on or off for users – Google Workspace Admin Help

The above is not an exhaustive list of implementations of how to block personal Gmail and Google Drive access on corporate accounts. Organizations should take a more structured view of approaching workflows and security to ensure the least amount of friction is introduced along with improving security.

DTEX i³ Mission Statement

DTEX i³’s mission is to uplift enterprise security by proactively detecting and mitigating insider risks.

Combining 20 years of insider risk experience with our potential risk indicators, we empower organizations to stay resilient and maintain control of their public narrative and global success.

Importantly, DTEX i³ often discovers wider security threats that extend beyond insider risks. Such external threats are typically the outcome of an insider incident, not the intention of the insider.

In both cases, DTEX i³ prioritizes detection and deterrence, helping organizations to do away with reactive incident response.
