Threat actors have been increasingly weaponizing Microsoft Graph API for malicious purposes with the aim of evading detection.
This is done to “facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services,” the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News.
Since January 2022, multiple nation-state-aligned hacking groups have been observed using Microsoft Graph API for C&C. This includes threat actors tracked as APT28, REF2924, Red Stinger, Flea, APT29, and OilRig.
2021 in connection with an activity cluster dubbed Harvester that was found using a custom implant known as Graphon that utilized the API to communicate with Microsoft infrastructure.
Symantec said it recently detected the use of the same technique against an unnamed organization in Ukraine, which involved the deployment of a previously undocumented piece of malware called BirdyClient (aka OneDriveBirdyClient).
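The reason Graph API C&C is attractive is that traffic to graph.microsoft.com blends in with legitimate Office, OneDrive and identity traffic. One defensive check that follows from this is process-level attribution: which binaries on a host are talking to the Graph endpoints, and whether they are ones you expect. The script below is an added example written for this page, not code from Symantec or from the article; the network-connection events are constructed, and the allow-list of expected Graph clients and the "user-writable path" heuristic are assumptions that would need tuning per environment. Only the two Microsoft hostnames are real.

```python
import re
from collections import namedtuple

# Constructed sample of endpoint network-connection events (not from the article):
# timestamp, hostname, process image path, destination host, destination port.
SAMPLE_EVENTS = """\
2024-05-03T08:01:12Z ws-017 C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE graph.microsoft.com 443
2024-05-03T08:02:40Z ws-017 C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe graph.microsoft.com 443
2024-05-03T08:03:05Z ws-017 C:\\Windows\\System32\\svchost.exe login.microsoftonline.com 443
2024-05-03T08:04:50Z ws-022 C:\\Users\\bob\\Downloads\\client.exe graph.microsoft.com 443
2024-05-03T08:05:10Z ws-022 C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe graph.microsoft.com 443
"""

# Real hostnames fronting the Graph API and the Microsoft identity plane.
GRAPH_HOSTS = {"graph.microsoft.com", "login.microsoftonline.com"}

# ASSUMED allow-list of binaries expected to talk to Graph on this estate.
# Build it from your own baseline; these three entries are illustrative only.
EXPECTED_GRAPH_CLIENTS = {
    r"c:\program files\microsoft office\root\office16\outlook.exe",
    r"c:\program files\microsoft onedrive\onedrive.exe",
    r"c:\windows\system32\svchost.exe",
}

# Heuristic: a Graph client running from a user-writable directory is more
# suspicious than one that is merely unlisted (assumption, tune as needed).
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(appdata|downloads)\\", re.I)

Event = namedtuple("Event", "ts host image dest port")


def parse_events(text):
    """Parse the whitespace-separated event format defined above.

    The image path may contain spaces, so split the two leading fields from
    the left and the two trailing fields from the right.
    """
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, rest = line.split(" ", 2)
        image, dest, port = rest.rsplit(" ", 2)
        events.append(Event(ts, host, image, dest.lower(), int(port)))
    return events


def find_suspicious_graph_clients(events):
    """Return (event, severity) pairs for processes contacting Graph hosts
    that are not on the expected-client allow-list."""
    findings = []
    for ev in events:
        if ev.dest not in GRAPH_HOSTS:
            continue
        if ev.image.lower() in EXPECTED_GRAPH_CLIENTS:
            continue
        severity = "high" if USER_WRITABLE.search(ev.image) else "medium"
        findings.append((ev, severity))
    return findings


if __name__ == "__main__":
    for ev, sev in find_suspicious_graph_clients(parse_events(SAMPLE_EVENTS)):
        print(f"[{sev}] {ev.host}: {ev.image} -> {ev.dest}:{ev.port} at {ev.ts}")
```

On the constructed sample this flags the two unlisted binaries running from user profile directories and leaves Outlook, OneDrive and svchost alone. In practice the allow-list should be generated from observed baseline data rather than hand-written, and the same logic applies to any other cloud service an implant might use for C&C.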
The development comes as Permiso revealed how cloud administration commands could be exploited by adversaries with privileged access to execute commands on virtual machines.
“Most times, attackers leverage trusted relationships to execute commands in connected compute instances (VMs) or hybrid environments by compromising third-party external vendors or contractors who have privileged access to manage internal cloud-based environments,” the cloud security firm said.
“By compromising these external entities, attackers can gain elevated access that allows them to execute commands within compute instances (VMs) or hybrid environments.”
Source: https://thehackernews.com/