IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

‘Living Off the Cloud’: Hackers Modernize an Old-School Tactic

Attackers who penetrate an organization can evade detection by using the victims’ own cloud-based services to conduct their data exfiltration and malware downloads. This is the latest evolution of living off the land attacks.

Digital illustration of a cloud filled with lines of code and one arrow pointing into it and one arrow pointing out of it.
Shutterstock/Thitichaya Yajampa
An old threat is new again — or never really went away.

As governments and other players increasingly turn to the cloud, malicious actors are following, adding “living off the cloud” attacks back into their repertoires.

Living off the land ploys see hackers use phishing or other methods to gain access to a victims’ networks, then use the victims’ own tools and services for malicious purposes. These attacks are particularly subtle and date back to at least 2013, according to cybersecurity firm Darktrace.

A newer subset of this is living off the cloud, which uses victims’ cloud services.

According to cybersecurity firm LogRhythm, the attack’s name comes from the physical world lifestyle of living off the land, in which practitioners rely on the food and other resources they harvest from surrounding nature. The cybersecurity equivalent is hackers relying on tools found in the victim’s environment.

For example, bad actors could use the Windows Certutil tool — designed to let users download files from the Internet — to download malware, according to Johannes Ullrich, dean of research at the SANS Technology Institute. Hackers can fly under the radar by using the tool the way it was designed to function.

“To the defender, it looks just like a normal tool that’s valid, that’s good, being used to do things it’s supposed to do,” Ullrich told Government Technology.

Both criminally motivated and nation state perpetrators use living off the land techniques, Ullrich said, and it’s been deployed both for indiscriminate attacks and those targeting specific victims. Hackers often used the method for espionage or to extort money by threatening to leak data.

WHY HACKERS DO IT


Victims may find it easier to discover malicious code deployed on their networks than detect when a legitimate tool is used for harmful purposes.

Ullrich gave another example during an RSA Conference panel on new attack techniques: A malicious party might direct victims’ backup solutions to also make copies to a storage destination owned by the hacker.

Attackers also might use cloud services to host malware, and send phishing links from web domains that users trust.

For example, cybersecurity firm Palo Alto Networks announced this week that the criminal group behind the SolarWinds attack has been hosting malware on popular cloud storage services like Google Drive and Dropbox. The hackers then send phishing emails with URLs, which will download malware from the cloud hosting and onto victims’ systems if clicked.

“This is a new tactic for this actor and one that proves challenging to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers worldwide,” Palo Alto wrote.

Victims also can’t simply block domains or infrastructure from cloud services they still need for conducting business, said Katie Nickels, cybersecurity firm Red Canary’s director of intelligence, during the RSA panel.

CHEAP AND SUBTLE?


Perpetrators may also find living off the land attacks to be easier and more cost-effective, states LogRhythm. Hackers can skip building their own tools if they just use victims’. And using software their targets expect to see spares bad actors from needing to design programs capable of avoiding detection.

“Attackers that use already existing tooling avoid the need to build, test, and QA tools. They don’t have to worry about compatibility, dependencies, and so forth,” states LogRhythm.

The approach also may give attackers some camouflage if they are detected. Cybersecurity firm CrowdStrike states that, “If everyone is using similar tools, it’s more difficult to distinguish one group from another,” making attacks difficult to attribute.

HOW WELL CAN WE CATCH IT?


Defenders can monitor for unusual patterns of behavior to detect living off the land attacks, and Darktrace recommends using AI-powered tools to identify “subtle deviations” in activities. Ullrich said organizations would particularly want to examine patterns in data volume and files being sent to cloud services.

“But again, since pretty much anything is legitimately now using these cloud services, it can be very difficult to impossible to really distinguish the malicious use from the normal use of all these tools,” he said. Attackers can also learn to keep their data exfiltration below the thresholds that would trigger warnings.

Another complication: hackers may linger on systems long after compromising them, all the while quietly collecting victims’ data. Entities trying to establish what normal behavior looks like on their systems — and thus, what, in comparison, is abnormal — must find a time before the compromise occurred. But they may find it challenging to determine how far back they need to look.

According to CrowdStrike “many sophisticated adversaries spend months and years in their victims’ networks without being detected.” Organizations thus must analyze past activities to identify if and when infiltrations may have occurred.

ENDPOINT DETECTION AND LIMITING OPPORTUNITIES


Endpoint monitoring can help detect misbehavior after something has gone wrong, but trends like the shift to remote work have caused the number of endpoints to balloon, and organizations often rely on their cloud providers for help seeing what’s happening. Those insights often aren’t detailed enough to easily distinguish legitimate and nefarious activity, Ullrich said.

“Now, often, you rely on whatever monitoring these cloud providers built in. But that doesn’t exist at the granularity of such where you could get a list of all your users, what files they uploaded and downloaded,” Ullrich said.

Organizations may reduce their exposure to living off the cloud attacks by limiting how many cloud services they use — after all, malicious actors can’t hack what isn’t there. But of course, there’s only so far governments can trim down on cloud use if they still want to serve their residents well.

Local governments offer a variety of digital services, which necessitates a level of cloud use, Ullrich acknowledged. And small governments that lack in-house IT staff often fill their technology needs by purchasing software-as-a-service (SaaS) solutions, he added.

“It’s hard. It’s one problem that isn’t quite solved yet,” Ullrich said. “Commercial as well as government organizations are struggling with how much cloud to use, where to use it, and then also how to monitor that activity.”
Jule Pattison-Gordon is a senior staff writer for Governing and former senior staff writer for Government Technology, where she'd specialized in cybersecurity. Jule also previously wrote for PYMNTS and The Bay State Banner and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.