Novel Google Cloud RAT Uses Calendar Events for C2

November 6, 2023 at 04:28PM

Google is warning about the increasing use of native cloud tools by attackers to hide their malicious activities. It highlighted a proof-of-concept exploit called “Google Calendar RAT,” which allows hackers to repurpose Google Calendar events for command-and-control purposes. Although Google has fixed this particular issue, it emphasizes that every cloud service could be used by attackers to abuse customers.

Google has warned the cybersecurity community about attackers increasingly using native cloud tools to hide their malicious activities. Google highlighted a proof-of-concept exploit called “Google Calendar RAT,” which allows hackers to repurpose Google Calendar events for command-and-control purposes. Although it has not been observed being deployed in the wild, Google has seen multiple users sharing it on cybercriminal forums, indicating some level of interest. Google has implemented a fix for this tool, but there may be similar malware on the horizon.

The Google Calendar RAT significantly reduces the infrastructure an attacker would need for command-and-control purposes. To use it, an attacker would only need to set up a Google service account, obtain its credentials.json file, create a new Google calendar, share it with the service account, and edit the script accordingly. The RAT operates entirely over legitimate cloud infrastructure, making detection and prevention more challenging.

It was emphasized that anomaly-based monitoring is crucial for detecting such threats and that organizations should focus on looking for unusual activity in their systems. New ways of using cloud services for illegitimate purposes are expected to appear in the near future.
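One way to apply the anomaly-based monitoring described above, as an added example that is not from the article or from Google: flag processes outside an expected baseline that contact the Google Calendar API at near-regular intervals. The log record format, the baseline process list, the thresholds and the regular-interval heuristic are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Host and path prefix of the Google Calendar API.
CALENDAR_API = "www.googleapis.com/calendar/"
# Assumption: processes expected to reach Calendar in this environment.
BASELINE = {"chrome.exe", "msedge.exe", "outlook.exe"}

# Constructed proxy records: (epoch seconds, host, process, URL without scheme).
EVENTS = "www.googleapis.com/calendar/v3/calendars/CALENDAR_ID/events"
SAMPLE_LOG = [
    (1000, "ws-017", "python.exe", EVENTS),
    (1010, "ws-017", "python.exe", EVENTS),
    (1020, "ws-017", "python.exe", EVENTS),
    (1031, "ws-017", "python.exe", EVENTS),
    (1040, "ws-017", "python.exe", EVENTS),
    (1005, "ws-017", "python.exe", "pypi.org/simple/requests/"),
    (1002, "ws-022", "chrome.exe", EVENTS),
    (1000, "ws-030", "sync-tool.exe", EVENTS),
    (1400, "ws-030", "sync-tool.exe", EVENTS),
    (1450, "ws-030", "sync-tool.exe", EVENTS),
    (3000, "ws-030", "sync-tool.exe", EVENTS),
]

def find_calendar_anomalies(records, baseline=BASELINE, min_hits=4, max_jitter=0.2):
    """Return (host, process) pairs that poll the Calendar API like a beacon."""
    stamps_by_source = defaultdict(list)
    for ts, host, proc, url in records:
        # Only Calendar API traffic from processes outside the baseline matters.
        if url.startswith(CALENDAR_API) and proc.lower() not in baseline:
            stamps_by_source[(host, proc)].append(ts)

    findings = []
    for (host, proc), stamps in sorted(stamps_by_source.items()):
        if len(stamps) < max(min_hits, 2):
            continue  # too few requests to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation: low values mean machine-like regular polling.
        jitter = pstdev(gaps) / avg if avg else 0.0
        if jitter <= max_jitter:
            findings.append({"host": host, "process": proc,
                             "hits": len(stamps), "interval_s": round(avg)})
    return findings

if __name__ == "__main__":
    for finding in find_calendar_anomalies(SAMPLE_LOG):
        print(finding)
```
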
