Hackers abuse legitimate internet services to blur malicious activities

Cloud storage platforms, such as Pastebin and Google Drive, are the most abused legitimate services, followed by messaging apps, email services and social media. Telegram emerged as the most frequently exploited service.

Hooded computer hacker working on desktop PC computer

A comprehensive study encompassing over 400 malware families deployed in the past two years has unveiled a disturbing trend: at least one-quarter of these malign programs have harnessed legitimate internet services within their infrastructures. This exploitation allows hackers to blend effortlessly with legitimate traffic. Consequently, this manipulation poses complex challenges for cybersecurity defenders who safeguard networks.

Though the exploitation of legitimate web services, such as email providers, messaging platforms, social media outlets, photo-sharing sites, and file storage services, by cybercriminals and state-affiliated hackers has been an area of study for years, a fresh perspective has emerged from the analytical efforts of Recorded Future’s Insikt Group. Exclusive insights shared with CyberScoop reveal a systematic categorisation of the most prevalent forms of malware that exploit these services and the methodologies they employ. This valuable glimpse into the current landscape is derived from observations made in 2021 and 2022 within the Recorded Future Triage sandbox platform and external sources.

Telegram emerges as the most frequently exploited service, with Discord following suit. Both platforms, being widely used in legitimate and cybercriminal contexts, present challenges for mitigation due to their free access and user-friendly APIs. Additional messaging services, including Slack, have also fallen prey to exploitation, notably by hackers linked to the Russian Foreign Intelligence Service (SVR).

While conclusive patterns remain elusive due to limited systematic analyses, unmistakable signs indicate an upsurge in abuse of legitimate internet services. The rapid evolution of tactics among high-level cybercrime and state-sponsored hacking groups contributes to this escalation, with malware updates tailored to exploit various services. Moreover, a diverse array of service platforms has fallen victim to this abuse.

Why does it matter?

The researchers foresee an escalation in sophistication in terms of infrastructure and methodologies, led by advanced persistent threat (APT) groups. This upward trajectory is expected to influence less sophisticated groups over time, underscoring the gravity of this evolving threat landscape.