May 3, 2024 at 09:57AM
Threat actors are increasingly abusing the Microsoft Graph API to evade detection, using it to communicate with command-and-control (C&C) infrastructure hosted on Microsoft cloud services. Symantec has documented several nation-state-aligned groups using the technique, most recently with a previously undocumented backdoor it calls BirdyClient. Graph API is attractive to attackers because it is inconspicuous (its traffic blends into legitimate Microsoft 365 activity), cheap, and a reliable source of infrastructure. Separately, Permiso showed that cloud administration commands can be abused by adversaries with privileged access to execute commands on virtual machines.
Key takeaways from the meeting notes:
– Threat actors are increasingly abusing the Microsoft Graph API to evade detection and to communicate with command-and-control infrastructure hosted on Microsoft cloud services.
– Multiple nation-state-aligned hacking groups have been observed using Microsoft Graph API for command and control, including APT28, REF2924, Red Stinger, Flea, APT29, and OilRig.
– The first known malicious use of the Microsoft Graph API was observed in June 2021, when an activity cluster dubbed Harvester used a custom implant known as Graphon to communicate with Microsoft infrastructure.
– Symantec recently detected the technique in use against an unnamed organization in Ukraine, where the attackers deployed a previously undocumented piece of malware called BirdyClient (aka OneDriveBirdyClient).
– BirdyClient is a DLL file named “vxdiff.dll” that connects to the Microsoft Graph API and uses OneDrive as its command-and-control server, downloading tasking from and uploading files to it. How the DLL is distributed is not yet known.
– In the cloud administration case, attackers leverage trusted relationships to execute commands on connected compute instances or in hybrid environments, often by compromising third-party vendors or contractors that hold privileged access to manage cloud-based environments.
The meeting notes also referenced an article on how adversaries with privileged access abuse cloud administration commands.
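The OneDrive-as-C&C pattern described above, an unexpected process fetching its own token and then pulling tasking from and pushing results to Graph's drive content endpoints, is worth hunting for in endpoint or proxy telemetry, because blocking graph.microsoft.com outright is not an option in a Microsoft 365 estate. The following is an added example, not code from Symantec, Permiso or the article: a Python hunting script run over constructed sample records. The record field names, the process allowlist and the use of rundll32.exe as the host process are assumptions made for the illustration; only the Graph path shapes (OneDrive file bodies are read and written through paths ending in /content, and tokens come from login.microsoftonline.com's /oauth2/v2.0/token endpoint) are taken from Microsoft's documented API.

```python
import json
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs): one JSON record per outbound
# HTTPS request, in the shape an EDR or proxy export might take. Every field
# name here is an assumption made for this example, and rundll32.exe is only a
# stand-in host process, not a claim about how BirdyClient is loaded.
SAMPLE_LOG = """
{"ts": "2024-05-02T08:11:02Z", "host": "WS-117", "process": "OneDrive.exe", "pid": 4120, "dst": "graph.microsoft.com", "method": "GET", "path": "/v1.0/me/drive/root/delta"}
{"ts": "2024-05-02T08:11:09Z", "host": "WS-117", "process": "OneDrive.exe", "pid": 4120, "dst": "graph.microsoft.com", "method": "PUT", "path": "/v1.0/me/drive/items/01ABCDEF/content"}
{"ts": "2024-05-02T08:11:40Z", "host": "WS-117", "process": "rundll32.exe", "pid": 5532, "dst": "login.microsoftonline.com", "method": "POST", "path": "/common/oauth2/v2.0/token"}
{"ts": "2024-05-02T08:11:41Z", "host": "WS-117", "process": "rundll32.exe", "pid": 5532, "dst": "graph.microsoft.com", "method": "GET", "path": "/v1.0/me/drive/root:/tasks/ws-117.txt:/content"}
{"ts": "2024-05-02T08:12:15Z", "host": "WS-117", "process": "rundll32.exe", "pid": 5532, "dst": "graph.microsoft.com", "method": "PUT", "path": "/v1.0/me/drive/root:/results/ws-117.txt:/content"}
{"ts": "2024-05-02T08:13:00Z", "host": "WS-117", "process": "OUTLOOK.EXE", "pid": 2210, "dst": "graph.microsoft.com", "method": "GET", "path": "/v1.0/me/messages"}
{"ts": "2024-05-02T08:14:05Z", "host": "WS-118", "process": "chrome.exe", "pid": 9901, "dst": "graph.microsoft.com", "method": "GET", "path": "/v1.0/me"}
"""

# First-party clients that routinely talk to Graph. Assumed list; tune it to
# what your estate actually runs. Matching on image name alone is weak (an
# implant can inject into OneDrive.exe), so treat a hit as a lead, not proof,
# and pair it with signer and injection telemetry where you have it.
ALLOWED_GRAPH_CLIENTS = {
    "onedrive.exe", "outlook.exe", "teams.exe", "ms-teams.exe",
    "msedge.exe", "chrome.exe", "firefox.exe",
}

GRAPH_HOST = "graph.microsoft.com"
TOKEN_HOST = "login.microsoftonline.com"
# OneDrive file bodies go through .../drive/.../content (root:/path:/content
# or items/{id}/content); listings, deltas and metadata do not end in /content.
DRIVE_CONTENT = re.compile(r"/drives?/.*/content$")


def parse_records(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_drive_content(path):
    """True when a Graph path reads or writes a OneDrive file body."""
    return bool(DRIVE_CONTENT.search(path))


def find_suspects(records, allowlist=ALLOWED_GRAPH_CLIENTS):
    """Per-process findings for OneDrive file I/O from non-allowlisted images.

    Severity is 'high' when the same process both downloads (GET) and uploads
    (PUT) file content, the beacon-like tasking/results pattern, and 'medium'
    for one direction only. own_token records whether the same process also
    requested its own OAuth token, which first-party clients normally do via
    the platform broker rather than directly.
    """
    by_proc = defaultdict(lambda: {"methods": set(), "count": 0, "own_token": False})
    for r in records:
        key = (r["host"], r["pid"], r["process"].lower())
        if r["dst"] == TOKEN_HOST and r["path"].endswith("/oauth2/v2.0/token"):
            by_proc[key]["own_token"] = True
        elif r["dst"] == GRAPH_HOST and is_drive_content(r["path"]):
            by_proc[key]["methods"].add(r["method"].upper())
            by_proc[key]["count"] += 1

    findings = []
    for (host, pid, process), info in sorted(by_proc.items()):
        if not info["methods"] or process in allowlist:
            continue
        severity = "high" if {"GET", "PUT"} <= info["methods"] else "medium"
        findings.append({
            "host": host, "pid": pid, "process": process,
            "methods": sorted(info["methods"]), "requests": info["count"],
            "own_token": info["own_token"], "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspects(parse_records(SAMPLE_LOG)):
        print(f"[{f['severity']}] {f['host']} {f['process']} pid={f['pid']} "
              f"methods={','.join(f['methods'])} own_token={f['own_token']}")
```

Run as-is, the script reports only the rundll32.exe process on WS-117 as a high-severity finding; OneDrive.exe writing a file and Outlook reading mail are the legitimate noise the technique hides in. The point of keying on process and direction rather than destination is exactly the one the article makes: the destination is trusted everywhere, so the signal has to come from who is talking and what shape the conversation has.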