
Acquire Infrastructure: Web Services

Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control (Web Service) or Exfiltration Over Web Service. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.

ID: T1583.006
Parent technique: T1583
Tactic(s): Resource Development
Platforms: PRE
Data sources: Internet Scan: Response Content
Version: 1.1
Created: 01 Oct 2020
Last modified: 17 Oct 2021

Procedure examples

Name: Description
Earth Lusca

Earth Lusca has established GitHub accounts to host their malware.(Citation: TrendMicro EarthLusca 2022)

HAFNIUM

HAFNIUM has acquired web services for use in C2 and exfiltration.(Citation: Microsoft HAFNIUM March 2020)

Turla

Turla has created web accounts including Dropbox and GitHub for C2 and document exfiltration.(Citation: ESET Crutch December 2020)

ZIRCONIUM

ZIRCONIUM has used GitHub to host malware linked in spearphishing e-mails.(Citation: Google Election Threats October 2020)(Citation: Zscaler APT31 Covid-19 October 2020)

APT17

APT17 has created profile pages in Microsoft TechNet that were used as C2 infrastructure.(Citation: FireEye APT17)

MuddyWater

MuddyWater has used file sharing services including OneHub to distribute tools.(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)

APT28

APT28 has used newly-created Blogspot pages for credential harvesting operations.(Citation: Google TAG Ukraine Threat Landscape March 2022)

APT29

APT29 has registered algorithmically generated Twitter handles that are used for C2 by malware, such as HAMMERTOSS. APT29 has also used legitimate web services such as Dropbox and Constant Contact in their operations.(Citation: FireEye APT29)(Citation: MSTIC NOBELIUM May 2021)

For Operation Sharpshooter, the threat actors used Dropbox to host lure documents and their first-stage downloader.(Citation: McAfee Sharpshooter December 2018)

Lazarus Group

Lazarus Group has hosted malicious downloads on Github and Dropbox.(Citation: CISA AppleJeus Feb 2021)(Citation: ClearSky Lazarus Aug 2020)

Confucius

Confucius has obtained cloud storage service accounts to host stolen data.(Citation: TrendMicro Confucius APT Feb 2018)

IndigoZebra

IndigoZebra created Dropbox accounts for their operations.(Citation: HackerNews IndigoZebra July 2021)(Citation: Checkpoint IndigoZebra July 2021)

POLONIUM

POLONIUM has created and used legitimate Microsoft OneDrive accounts for their operations.(Citation: Microsoft POLONIUM June 2022)

APT32

APT32 has set up Dropbox, Amazon S3, and Google Drive to host malicious downloads.(Citation: Volexity Ocean Lotus November 2020)

Kimsuky

Kimsuky has hosted content used for targeting efforts via web services such as Blogspot.(Citation: Talos Kimsuky Nov 2021)

Magic Hound

Magic Hound has acquired Amazon S3 buckets to use in C2.(Citation: Check Point APT35 CharmPower January 2022)

LazyScripter

LazyScripter has established GitHub accounts to host its toolsets.(Citation: MalwareBytes LazyScripter Feb 2021)

Mitigations

Mitigation: Description
Pre-compromise

This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.

Detection

Once adversaries leverage the web service as infrastructure (ex: for command and control), it may be possible to look for unique characteristics associated with adversary software, if known.(Citation: ThreatConnect Infrastructure Dec 2020) Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control (Web Service) or Exfiltration Over Web Service.
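As an added example (not part of the ATT&CK page or of SECURITM's content), the script below shows one way to act on the detection guidance above: scanning proxy logs for fixed-interval polling of the legitimate services named in the procedure examples, which is how a web service used for C2 typically looks from inside the target network. The log format, host names and thresholds are constructed assumptions.

```python
"""Flag regular, low-variance connections to legitimate web services.

Malware using a web service for C2 tends to poll it on a fixed interval.
This script reads proxy log lines, keeps only destinations on a watch-list
of services named in the technique page, and flags (source, destination)
pairs whose inter-request timing is near-constant.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (assumed format: timestamp src dst bytes_out).
PROXY_LOG = """\
2023-05-01T10:00:00 ws-17 api.github.com 512
2023-05-01T10:05:01 ws-17 api.github.com 498
2023-05-01T10:10:00 ws-17 api.github.com 530
2023-05-01T10:15:02 ws-17 api.github.com 505
2023-05-01T10:20:00 ws-17 api.github.com 511
2023-05-01T10:25:01 ws-17 api.github.com 520
2023-05-01T10:03:12 ws-22 content.dropboxapi.com 40960
2023-05-01T11:47:55 ws-22 content.dropboxapi.com 120
2023-05-01T14:02:03 ws-22 content.dropboxapi.com 8192
"""

# Domain suffixes of services the technique page lists as abused (assumed list).
WATCHED_SERVICES = ("github.com", "dropbox.com", "dropboxapi.com",
                    "onedrive.live.com", "blogspot.com", "amazonaws.com",
                    "twitter.com")


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        ts, src, dst, size = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return records


def find_beacons(records, min_events=5, max_cv=0.2):
    """Return (src, dst) pairs polling a watched service at near-constant intervals."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        if dst.endswith(WATCHED_SERVICES):
            by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue  # too few requests to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if not mean(gaps):
            continue  # all requests share one timestamp; not a polling pattern
        cv = pstdev(gaps) / mean(gaps)  # coefficient of variation: 0 = perfectly periodic
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "count": len(stamps),
                         "period_s": round(mean(gaps)), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(PROXY_LOG)):
        print(hit)
```

In the sample, ws-17 contacts api.github.com every ~300 s and is flagged, while ws-22's three irregular Dropbox transfers fall below the event threshold.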

References

  1. ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.
  2. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  3. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
  4. MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.
  5. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
  6. Huntley, S. (2022, March 7). An update on the threat landscape. Retrieved March 16, 2022.
  7. Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  8. Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022.
  9. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
  10. Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.
  11. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.
  12. Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020.
  13. Lunghi, D and Horejsi, J. (2018, February 13). Deciphering Confucius: A Look at the Group's Cyberespionage Operations. Retrieved December 26, 2021.
  14. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  15. Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.
  16. FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.
  17. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.
  18. Huntley, S. (2020, October 16). How We're Tackling Evolving Online Threats. Retrieved March 24, 2021.
  19. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  20. Lakshmanan, R. (2021, July 1). IndigoZebra APT Hacking Campaign Targets the Afghan Government. Retrieved September 24, 2021.
  21. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  22. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  23. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
