Much like the recent Sony breach, we are seeing techniques from targeted, state-sponsored attacks manifesting out in the wild. These high-profile and/or government-funded hacks may be laying the blueprint for copycats to reuse the same techniques in other state attacks, or even against the private sector. One such emerging threat is being referred to as “Cloud Atlas”. So far the attackers are targeting government entities around the world, with the most recent attacks focused on embassies.
The method used here is a conventional one: first, snare a victim with a spearphishing email that exploits a known vulnerability to compromise the system. Then, install a remote access tool that lets the attacker control the machine, exfiltrate data, or do similarly nefarious things such as wiping the disk so the machine cannot boot again. That opens a huge hole in your network, exposing your private information (as well as your clients’) and leaving you open to future attacks.
One distinguishing factor here is that the attackers use a connection to cloudme.com (a legitimate, well-known cloud storage provider) as their Command & Control channel. Because the traffic goes to a real service rather than attacker-registered infrastructure, it blends in with ordinary user activity and is hard to spot by domain reputation alone.
Our Labs team has already pushed out correlation rules and IDS signatures for AlienVault Unified Security Management (USM) to detect this threat and alert users to:
- Usage of the cloud provider, CloudMe, inside your network (Environmental Awareness)
- Existence of the C&C communication and/or infrastructure that attackers are using
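The first of those two detections, environmental awareness of CloudMe usage, can be reproduced from your own proxy or DNS logs. The following is an added example written for this post, not the USM correlation rule or IDS signature described above. It assumes a simplified Squid-style access log (timestamp, source IP, method, URL, status), matches hosts against cloudme.com by domain suffix (so that a look-alike such as notcloudme.com is not a false hit), and, as an added heuristic not stated in the post, rates a source higher when it uses WebDAV verbs such as PROPFIND or PUT, which indicate the service is being used as a file drop rather than merely visited. The log lines and IP addresses are constructed for illustration.

```python
"""Flag internal hosts that contact CloudMe (cloudme.com) in proxy logs.

Added example, not AlienVault USM code. Log format is a simplified,
constructed Squid-style access log: <ts> <src_ip> <method> <url> <status>.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# cloudme.com is the provider named in the post. Matching is by domain
# suffix, so www.cloudme.com matches but notcloudme.com does not.
WATCHLIST = ("cloudme.com",)

# WebDAV verbs; a source using these is treated as a stronger indicator
# (added heuristic, not something the post states).
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "PUT", "MKCOL", "MOVE", "DELETE"}

# Constructed sample log lines (hypothetical hosts, timestamps and paths).
SAMPLE_LOG = """\
1418800001.123 10.1.2.33 PROPFIND https://www.cloudme.com/xios/ 207
1418800002.456 10.1.2.33 GET https://www.cloudme.com/xios/ 200
1418800003.789 10.1.2.45 GET http://example.com/index.html 200
1418800004.012 10.1.2.45 GET http://notcloudme.com/ 200
1418800005.345 10.1.2.33 PUT https://www.cloudme.com/xios/upload 201
1418800006.678 10.1.2.77 CONNECT cloudme.com:443 200
"""


def host_matches(host, watchlist=WATCHLIST):
    """True if host equals a watchlisted domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watchlist)


def extract_host(url_field):
    """Pull the hostname out of a URL, or out of a CONNECT host:port."""
    if "://" in url_field:
        return urlsplit(url_field).hostname or ""
    return url_field.split(":", 1)[0]


def parse_line(line):
    """Parse one access-log line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) < 5:
        return None
    ts, src, method, url, status = parts[:5]
    return {"ts": float(ts), "src": src, "method": method.upper(),
            "host": extract_host(url), "status": status}


def find_cloudme_hosts(log_text, watchlist=WATCHLIST):
    """Return {src_ip: [methods...]} for every source that reached the watchlist."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and host_matches(rec["host"], watchlist):
            hits[rec["src"]].append(rec["method"])
    return dict(hits)


def rate_hits(hits):
    """Label each source 'webdav' if it used WebDAV verbs, else 'browse'."""
    return {src: ("webdav" if set(methods) & WEBDAV_METHODS else "browse")
            for src, methods in hits.items()}


if __name__ == "__main__":
    found = find_cloudme_hosts(SAMPLE_LOG)
    for src, label in rate_hits(found).items():
        print(f"{src}: {label} ({', '.join(found[src])})")
```

Seeing cloudme.com in your logs is environmental awareness, not proof of compromise: a user may legitimately have a CloudMe account. Treat a "webdav" rating from a host that has no business syncing files as the lead worth pulling, and pair it with the C&C indicators from the threat intelligence update before escalating.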
See details on the threat intelligence update here.
And, here are some additional resources to learn more about this threat: