Hackers use the Microsoft Graph API for malicious communications

Posted by admin on 2024-05-07 14:08:08

Threat actors have been increasingly weaponizing Microsoft Graph API for malicious purposes with the aim of evading detection.

This is done to "facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services," the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News.

Since January 2022, multiple nation-state-aligned hacking groups have been observed using Microsoft Graph API for C&C. This includes threat actors tracked as APT28, REF2924, Red Stinger, Flea, APT29, and OilRig.

The first known instance of Microsoft Graph API abuse, prior to its wider adoption, dates back to June 2021 and is tied to an activity cluster dubbed Harvester, which was found using a custom implant known as Graphon that used the API to communicate with Microsoft infrastructure.

Symantec said it recently detected the use of the same technique against an unnamed organization in Ukraine, which involved the deployment of a previously undocumented piece of malware called BirdyClient (aka OneDriveBirdyClient).

The malware is a DLL named "vxdiff.dll", the same filename as a legitimate DLL associated with an application called Apoint ("apoint.exe"). It is designed to connect to the Microsoft Graph API and use OneDrive as a C&C server, uploading files to it and downloading files from it.

The exact distribution method of the DLL, and whether it involves DLL side-loading, is presently unknown. Nor is it clear who the threat actors are or what their ultimate goals are.

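The practical consequence of the BirdyClient description above is that the destination (graph.microsoft.com, reached by OneDrive, Outlook and Teams all day long) cannot be the detection signal; the initiating process can. As an added example that is not part of the Symantec report or of the original article, the script below runs that hunting logic over endpoint network telemetry and flags Graph and token-endpoint connections from processes outside a baseline of expected Graph clients. The JSON-lines event format and its field names, the host names, the paths, the baseline itself, and the use of apoint.exe as the connecting process (the article leaves the loading mechanism of vxdiff.dll open) are all assumptions constructed for this example.

```python
"""Hunting for Microsoft Graph API command-and-control in endpoint telemetry.

Added example; not code from Symantec, The Hacker News, or the BirdyClient
sample.  Events, hosts, paths and the baseline below are all constructed
for this example, and the JSON field names are this script's own rather
than any vendor's schema.
"""
import json
from collections import Counter

# Destinations every Graph-based client must reach: the API itself and the
# identity endpoints that issue the bearer token Graph requires.
GRAPH_HOSTS = {"graph.microsoft.com", "login.microsoftonline.com", "login.live.com"}

# Illustrative baseline of processes expected to use Graph on a managed
# workstation (assumption; in practice derive it from your own telemetry).
# Stored lower-cased because Windows path comparison is case-insensitive.
EXPECTED_GRAPH_CLIENTS = {
    r"c:\program files\microsoft office\root\office16\outlook.exe",
    r"c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe",
}

# Constructed sample telemetry (JSON lines).  The apoint.exe events model the
# pattern described above: a process unrelated to any Microsoft client reaching
# OneDrive through Graph.  That apoint.exe is the host process is an assumption;
# the article leaves the loading mechanism of vxdiff.dll open.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2024-05-06T09:00:01Z", "host": "ws01",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst": "graph.microsoft.com", "dport": 443},
    {"ts": "2024-05-06T09:00:03Z", "host": "ws01",
     "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "dst": "graph.microsoft.com", "dport": 443},
    {"ts": "2024-05-06T09:05:00Z", "host": "ws01",
     "image": r"C:\Users\alice\AppData\Local\Temp\apoint.exe",
     "dst": "login.live.com", "dport": 443},
    {"ts": "2024-05-06T09:05:02Z", "host": "ws01",
     "image": r"C:\Users\alice\AppData\Local\Temp\apoint.exe",
     "dst": "graph.microsoft.com", "dport": 443},
    {"ts": "2024-05-06T09:10:02Z", "host": "ws01",
     "image": r"C:\Users\alice\AppData\Local\Temp\apoint.exe",
     "dst": "graph.microsoft.com", "dport": 443},
    {"ts": "2024-05-06T09:11:00Z", "host": "ws02",
     "image": r"C:\Windows\System32\svchost.exe",
     "dst": "update.example.com", "dport": 443},
])


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_graph_destination(event):
    """True when the connection targets Graph or one of its token issuers."""
    return event.get("dst", "").lower() in GRAPH_HOSTS


def flag_unexpected_graph_clients(events, expected=EXPECTED_GRAPH_CLIENTS):
    """Return events that reach Graph/identity endpoints from a process image
    outside the baseline.  The destination alone is never the signal here,
    since it is a legitimate Microsoft service; the initiating process is."""
    return [ev for ev in events
            if is_graph_destination(ev)
            and ev.get("image", "").lower() not in expected]


def summarize(findings):
    """Count findings per (host, image) so one beaconing process is one alert."""
    return Counter((ev["host"], ev["image"].lower()) for ev in findings)


if __name__ == "__main__":
    hits = flag_unexpected_graph_clients(parse_events(SAMPLE_EVENTS))
    for (host, image), n in summarize(hits).items():
        print(f"{host}: {n} Graph/identity connection(s) from unexpected process {image}")
```

Run as a script it prints one summary line for ws01, attributing three connections to the unexpected apoint.exe; the Outlook and OneDrive traffic to the same destination is silent. Pointing it at real data means mapping your EDR's or proxy's fields onto ts, host, image and dst, and the baseline is the part that needs care: an incomplete allowlist produces noise, while a baseline keyed on full paths (rather than, say, code signer) is easy for an attacker to mimic by dropping a binary under an expected name.
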
"Attacker communications with C&C servers can often raise red flags in targeted organizations," Symantec said. "The Graph API's popularity among attackers may be driven by the belief that traffic to known entities, such as widely used cloud services, is less likely to raise suspicions.

"In addition to appearing inconspicuous, it is also a cheap and secure source of infrastructure for attackers since basic accounts for services like OneDrive are free."

The development comes as Permiso revealed how cloud administration commands could be exploited by adversaries with privileged access to execute commands on virtual machines.

"Most times, attackers leverage trusted relationships to execute commands in connected compute instances (VMs) or hybrid environments by compromising third-party external vendors or contractors who have privileged access to manage internal cloud-based environments," the cloud security firm said.

"By compromising these external entities, attackers can gain elevated access that allows them to execute commands within compute instances (VMs) or hybrid environments."

References

[1]https://thehackernews.com/2024/05/hackers-increasingly-abusing-microsoft.html

Originally published on the WeChat public account 知机安全 under the title "黑客利用Microsoft Graph API进行恶意通信"; reposted on CN-SEC at http://cn-sec.com/archives/2714816.html.