Subj : Microsoft Graph is becoming a popular target for hackers To : All From : TechnologyDaily Date : Mon May 06 2024 20:45:05 Microsoft Graph is becoming a popular target for hackers Date: Mon, 06 May 2024 19:38:39 +0000 Description: Multiple groups used Microsoft Graph API to hide malware communications in plain sight over the past two years. FULL STORY ====================================================================== Multiple hacking collectives are been actively using Microsoft Graph API to hide their communications with command & control (C2) infrastructure hosted on Microsoft cloud services, cybersecurity researchers from Symantec Threat Hunter Team have revealed. The researchers claim that for two and a half years now, groups such as APT28, REF2924, Red Stinger, Flea, APT29, and Oilrig, have been using this technique to remain out of sight. Among the targets is an unnamed organization from Ukraine, which was infected by a previously unknown malware variant dubbed BirdyClient. The method of using Microsoft Graph APIs to hide malware communications was first seen in June 2021, but only picked up speed a year later. Trusted and cheap Symantecs researchers believe hacking groups are opting for Microsoft cloud services to host malware, due to the companys good standing. This kind of traffic isnt going to raise any alarms, they argue: "Attacker communications with C&C servers can often raise red flags in targeted organizations," Symantec said. "The Graph API's popularity among attackers may be driven by the belief that traffic to known entities, such as widely used cloud services, is less likely to raise suspicions. Theres also the question of costs: "In addition to appearing inconspicuous, it is also a cheap and secure source of infrastructure for attackers since basic accounts for services like OneDrive are free." APT28 is an infamous Russian state-sponsored threat actor that's been observed abusing Microsoft solutions in the past. In mid-March this year, a report from IBMs X-Force claimed the group was abusing the search-ms URI protocol handler to deploy malware to phishing victims. While its victims may vary from campaign to campaign, it always aligns with the interests of the Russian federation. Hence, the victims are often located in Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, the U.S., and others. Via The Hacker News More from TechRadar Pro Hackers have found a new way into your Microsoft 365 account Here's a list of the best firewalls around today These are the best endpoint security tools right now ====================================================================== Link to news story: https://www.techradar.com/pro/security/microsoft-graph-is-becoming-a-popular-t arget-for-hackers --- Mystic BBS v1.12 A47 (Linux/64) * Origin: tqwNet Technology News (1337:1/100) .