Exfiltration Over Web Service
Sub-techniques (4)
Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services. Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Procedure Examples

Name | Description
---|---
Magic Hound | Magic Hound has used the Telegram API `sendMessage` to relay data on compromised devices.(Citation: Google Iran Threats October 2021)
APT28 | APT28 can exfiltrate data over Google Drive.(Citation: TrendMicro Pawn Storm Dec 2020)
DropBook | DropBook has used legitimate web services to exfiltrate data.(Citation: BleepingComputer Molerats Dec 2020)
AppleSeed | AppleSeed has exfiltrated files using web services.(Citation: KISA Operation Muzabi)
ngrok | ngrok has been used by threat actors to configure servers for data exfiltration.(Citation: MalwareBytes Ngrok February 2020)
APT41 | During C0017, APT41 used Cloudflare services for data exfiltration.(Citation: Mandiant APT41)
Mitigations

Mitigation | Description
---|---
Restrict Web-Based Content | Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc.
Data Loss Prevention | Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personally identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)
Detection
Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.
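The asymmetric-flow heuristic described above, as an added example that is not part of the ATT&CK page or any cited report: Python that aggregates Zeek-style conn.log records per source/destination pair, drops destinations inside the organization's own address space, skips sanctioned upload destinations, and flags pairs where the client has pushed far more bytes than it pulled. Field names follow Zeek's conn.log (`id.orig_h`, `id.resp_h`, `orig_bytes`, `resp_bytes`); the sample records, the TEST-NET addresses standing in for web-service endpoints, the allow-list, and the thresholds are all constructed for the example.

```python
"""Flag hosts uploading far more than they download to external services.

Added example (not code from the ATT&CK page or any cited report).
Records mimic a subset of Zeek conn.log fields; all addresses, byte
counts and thresholds below are constructed, not real telemetry.
"""
import ipaddress
from collections import defaultdict
from typing import Iterable, NamedTuple


class Conn(NamedTuple):
    orig_h: str      # client (id.orig_h)
    resp_h: str      # server (id.resp_h)
    resp_p: int      # server port (id.resp_p)
    service: str     # Zeek service label, e.g. "ssl"
    orig_bytes: int  # payload bytes client -> server
    resp_bytes: int  # payload bytes server -> client


class Finding(NamedTuple):
    orig_h: str
    resp_h: str
    sent: int
    received: int
    ratio: float


# Assumption: the organization's internal address space. Traffic to these
# networks is not exfiltration over an *external* web service and is ignored.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample log. 203.0.113.10 plays a file-sharing service,
# 198.51.100.20 a chat API; both are TEST-NET addresses, not real hosts.
SAMPLE_CONN_LOG = [
    Conn("10.0.0.5", "203.0.113.10", 443, "ssl", 1_200, 48_000),        # normal browsing
    Conn("10.0.0.5", "203.0.113.10", 443, "ssl", 900, 62_000),
    Conn("10.0.0.7", "198.51.100.20", 443, "ssl", 2_400, 1_100),        # small chat messages
    Conn("10.0.0.9", "203.0.113.10", 443, "ssl", 48_000_000, 90_000),   # bulk upload
    Conn("10.0.0.9", "203.0.113.10", 443, "ssl", 31_000_000, 70_000),
    Conn("10.0.0.11", "10.0.0.200", 445, "smb", 5_000_000, 4_000_000),  # internal, ignored
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def aggregate_external(conns: Iterable[Conn]) -> dict:
    """Sum bytes sent/received per (client, external server) pair."""
    totals = defaultdict(lambda: [0, 0])
    for c in conns:
        if is_internal(c.resp_h):
            continue
        t = totals[(c.orig_h, c.resp_h)]
        t[0] += c.orig_bytes
        t[1] += c.resp_bytes
    return totals


def find_asymmetric_uploads(conns: Iterable[Conn],
                            min_sent_bytes: int = 10_000_000,
                            min_ratio: float = 10.0,
                            allowlist: frozenset = frozenset()) -> list:
    """Return pairs whose upload volume and upload:download ratio both exceed
    thresholds. TLS hides content, so volume asymmetry is the usable signal;
    the allow-list exists because sanctioned backup/sync destinations will
    trip the same heuristic and must be tuned out explicitly."""
    findings = []
    for (orig, resp), (sent, recv) in aggregate_external(conns).items():
        if resp in allowlist or sent < min_sent_bytes:
            continue
        ratio = sent / max(recv, 1)   # guard against zero bytes received
        if ratio >= min_ratio:
            findings.append(Finding(orig, resp, sent, recv, ratio))
    return sorted(findings, key=lambda f: f.sent, reverse=True)


if __name__ == "__main__":
    for f in find_asymmetric_uploads(SAMPLE_CONN_LOG):
        print(f"{f.orig_h} -> {f.resp_h}: sent {f.sent} B, "
              f"received {f.received} B, ratio {f.ratio:.0f}x")
```

The absolute byte floor matters as much as the ratio: a chat client posting small messages also "sends more than it receives", but at a volume no one should page on. Feed real conn.log data in over a day or a week rather than per connection, since staged exfiltration is often spread across many short sessions.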
References
- Segura, J. (2020, February 26). Fraudsters cloak credit card skimmer with fake content delivery network, ngrok server. Retrieved September 15, 2020.
- Bash, A. (2021, October 14). Countering threats from Iran. Retrieved January 4, 2023.
- Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.
- Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020.
- KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
- Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.