Dropbox and Google Drive are extremely handy when you want to store files that need to be available across multiple devices.
The cloud-based online storage services are also suitable for sharing files with friends. However, not every link to online storage is a good one, as more and more criminals are abusing popular cloud file sharing services to spread links to malware.
The attackers use phishing techniques to trick victims into downloading malicious files. Usually, the users then download ZIP files or ISOs that contain malware.
A recent report by Unit42 security researchers shows how dangerous such links can be. They report that members of the hacker group Cloaked Ursa (APT29) used such links to attack the embassies in Portugal and Brazil in May and June 2022.
The attackers used a specially prepared PDF that was supposed to lead to proposed dates with the embassies. However, clicking on the link triggered a series of malicious actions, such as grabbing user information and downloading malware from Google Drive or Dropbox.
Moreover, the criminals used the online storage to store the stolen information there. Cloaked Ursa is attributed to the Russian intelligence service SVR and attracted attention in the past — for example, with the SolarWinds hack.
Why Online Storage Services Are Enticing to Hacker Groups
However, less well-organized hacker groups also use such tricks to attack private individuals.
Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, a provider of digital risk protection solutions, explains that trusted cloud storage platforms are highly enticing to cyber threat actors, with living-off-the-land-based techniques — i.e., attacks that use pre-existing, native tools present on a victim's system — increasingly popular, as their use obscures activity and assists in evading detection.
"Cloud storage platforms are commonplace across corporate networks, with any material shared through Dropbox or Google Drive unlikely to raise undue suspicion," he said. "Abuse of cloud storage solutions is extremely commonplace, including by state-backed and cybercriminal threat groups."
How to Minimize Risks to Online Storage Services
Minimizing the risk of cloud storage services largely comes from understanding what services are in use across a network and establishing processes for safe use; this can quantify the risk associated with their use, Morgan said.
He recommends administrators document which processes should be permitted and which should be banned, and establish what detection measures are in place to identify any misuse.
"Authentication controls, like the use of VPN for establishing secure encrypted tunnels between cloud and users, can also greatly assist in minimizing the chances of cloud storage services being abused by threat actors," he added.
Andrew Hay, COO at LARES Consulting, an information security consulting firm, explains the two biggest drivers for adoption of cloud storage are the cost and general accessibility of online storage services.
"Registering a new Google account and sharing files costs absolutely nothing," he said. "Also, many organizations simply allow access to cloud-hosted storage providers so as not to disrupt their employee's work."
To better protect themselves, organizations should determine an approved list of cloud-hosted storage providers and disallow access to anything not on the approved list.
Hay said it would also be a good idea to provide an enterprise file-sharing and storage platform and anoint it as the approved standard means of sharing files.
The threat of attacks through online storage services "ebbs and flows" like many threat vectors he said.
"We often see threat actors shift away from what's not working toward something that used to work — and might work again," Hay said.
Online storage services are an enticing vector for cybercriminals because anything that is trusted and in-use in a victim organization can be used, according to John Bambenek, principal threat hunter at Netenrich, a security and operations analytics SaaS company.
"Criminals live and die on 'click rate,'" he explained. "Organizations in the U.S. wouldn't recognize or view as normal QQ. However, if the user uses Google Drive, they are more susceptible to attacks involving or referencing it."
Behavioral analytics is key to detecting account takeovers, which detect part of this, while strong anti-phishing protection in e-mail services also will help — instead of relying on base Office 365, for instance, he said.
Training Users Is Key to Stopping Attacks
Lastly, Bambenek said users need to be trained to be attentive so they catch and report these kinds of attempts to the security operations center.
"These attacks are increasing along with the increased reliability we have on these services," he explained. "It's made more lucrative because several aspects of cybersecurity, like network security or IDS, are unavailable to protect cloud resources. Enterprise account takeover means much more now that everyone logs in remotely and accesses their cloud resources."
Bambenek predicts the attacks will continue to evolve as organizational IT stacks evolve, pointing out that 10 years ago organizations could block cloud storage as a data loss vector, but now they are trusted resources.
"Fundamentally, everything is open and visible to the attackers, who literally attend the same trade shows we do to see how the IT landscape is changing," he said.