Attackers are increasingly utilizing Microsoft Graph API, a legitimate application programming interface (API) that connects to various Microsoft cloud services, for command-and-control purposes. By leveraging Microsoft's services, hackers can easily avoid detection and blend their malicious activities with legitimate network traffic.
The Breakdown
- This trend highlights the need for organizations to be aware of potential threats originating from unsanctioned cloud accounts. Allowing unrestricted access to cloud platforms can increase the risk of malware going undetected.
- Multiple cybercrime and espionage groups have adopted this technique after its initial discovery, showcasing its effectiveness.
- Malware such as Bluelight, Backdoor.Graphon, Graphite, SiestaGraph, and Backdoor.Graphican has utilized the Graph API to establish command-and-control infrastructure.
- Organizations must take measures to secure their cloud accounts and limit access to authorized users. This is crucial to prevent both malicious attacks and inadvertent vulnerabilities.