Microsoft Graph is becoming a popular target for hackers
Multiple groups have exploited Microsoft Graph API
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Multiple hacking collectives are been actively usingMicrosoftGraph API to hide their communications with command & control (C2) infrastructure hosted on Microsoft cloud services, cybersecurity researchers from Symantec Threat Hunter Team have revealed.
The researchers claim that for two and a half years now, groups such as APT28, REF2924, Red Stinger, Flea, APT29, and Oilrig, have been using this technique to remain out of sight. Among the targets is an unnamed organization from Ukraine, which was infected by a previously unknownmalwarevariant dubbed BirdyClient.
The method of using Microsoft Graph APIs to hide malware communications was first seen in June 2021, but only picked up speed a year later.
Trusted and cheap
Symantec’s researchers believe hacking groups are opting for Microsoft cloud services to host malware, due to the company’s good standing. This kind of traffic isn’t going to raise any alarms, they argue:
“Attacker communications with C&C servers can often raise red flags in targeted organizations,” Symantec said. “The Graph API’s popularity among attackers may be driven by the belief that traffic to known entities, such as widely used cloud services, is less likely to raise suspicions.”
There’s also the question of costs: “In addition to appearing inconspicuous, it is also a cheap and secure source of infrastructure for attackers since basic accounts for services like OneDrive are free.”
APT28 is an infamous Russian state-sponsored threat actor that’s been observed abusing Microsoft solutions in the past. In mid-March this year, a report from IBM’s X-Force claimed the group was abusing the “search-ms” URI protocol handler to deploy malware to phishing victims. While its victims may vary from campaign to campaign, it always aligns with the interests of the Russian federation. Hence, the victims are often located in Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, the U.S., and others.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
ViaThe Hacker News
More from TechRadar Pro
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
Cisco issues patch to fix serious flaw allowing possible industrial systems takeover
Washington state court systems taken offline following cyberattack
Amazon is fixing the Kindle Colorsoft ‘yellow band’ issue – and we might know what went wrong
