Cyberattacks: these services used to steal your data


In double extortion ransomware cyberattacks, cybercriminals not only encrypt their victim's data but steal it beforehand, enough to threaten to sell or disclose it if the demanded ransom is not paid on time. Some cybercriminals have even abandoned encryption altogether and settle for blackmail over the disclosure, or sale, of their victims' data.

But data exfiltration can also occur during other phases of the attack, for example to move out of the victim's information system the authentication data harvested from the memory of compromised Windows systems with a tool such as Mimikatz.

Different exfiltration channels

The MITRE ATT&CK model identifies 9 main data exfiltration techniques used by attackers. Cyentia highlights 5 main ones: exfiltration via a web service, via a command and control (C2) communication channel, transfer to a cloud services account, automated exfiltration, and transfer in limited-size blocks.

The tools used can vary, from a simple FTP client to a Trojan allowing remote access (RAT, Remote Access Trojan), through data replication tools like Rclone. Some franchises have even developed their own tools, like ExMatter (BlackMatter), ExByte (BlackByte), or StealBit (LockBit).

The tool involved may vary depending on the destination. But some destinations are by now well known for being regularly used by cybercriminals, even though they are legitimate services.

For different destinations

In the fall of 2020, following a negotiation between the REvil group and its victim, attacked with the Sodinokibi ransomware, we discovered that the data stolen from the target's information system had been stored with Mega, the New Zealand-based service.

In the fall of 2021, Louis Château, an analyst at Advens CERT, noted the same type of tactic: the exfiltration of data to a cloud storage platform, an entirely legitimate one. Laurent Besset, Cyberdefense Director at I-Tracing, also observed it, as he reported to us while we were preparing our ransomware situation bulletin for the month of September 2021.

These cases are not isolated. SecurityScorecard pointed to the exfiltration of data to Mega in the attack led by a REvil affiliate against JBS.

Palo Alto Networks teams had, at the end of 2020, documented this practice among certain LockBit affiliates. We have also observed Conti negotiations where, after payment, the attackers provide access details to the data they have stolen and stored on Mega. But this service is not the only one to be misused by cybercriminals.

In June 2022, Picus Security mentioned the use of Google Drive, OneDrive and Dropbox.

What to monitor, or even block?

Domain names corresponding to services frequently used by cybercriminals during attacks are well documented. Several have been regularly mentioned, notably in The DFIR Report's write-ups or by Kaspersky in a dense report on the tactics, techniques and procedures of cybercriminals.

Here are a few destinations, outbound traffic to which should be monitored, if not blocked, in the absence of known and legitimate internal use:

  • anonfiles[.]com
  • exploit[.]in
  • file[.]io
  • mega[.]io, mega.co[.]nz
  • notepad[.]pw, notepad[.]cc
  • privnote[.]com
  • sendspace[.]com
  • temp[.]sh
  • ufile[.]io

For some, like file[.]io, the storage is ephemeral: the uploaded file is deleted as soon as it has been downloaded. Once the attacker has retrieved it, it is therefore impossible, after discovering the transfer in the network activity logs, to recover the file and learn what it contained.
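The list above is only useful if it is actually matched against outbound traffic, and the ephemeral-storage caveat means the match has to come from logs rather than from later recovery of the file. The following script is an added example, not code from the article or from any of the projects it mentions: it refangs the defanged indicators from the list, parses a constructed proxy-style log (the four-field line format, the IP addresses, the timestamps and the byte counts are all made up for illustration), flags any destination that is one of the listed domains or a subdomain of it, and suppresses (source, domain) pairs that an organisation has recorded as known legitimate use. The suffix check is label-aware so that a look-alike such as notmega.co.nz does not trigger on mega.co.nz.

```python
"""Match outbound connection logs against the file-sharing and paste
domains listed in the article. Added example: the log format, field
names, allowlist and sample lines below are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Indicators as listed in the article, kept defanged ("[.]") so they are
# never resolved or clicked by accident while the list is handled.
DEFANGED_INDICATORS = [
    "anonfiles[.]com", "exploit[.]in", "file[.]io", "mega[.]io", "mega.co[.]nz",
    "notepad[.]pw", "notepad[.]cc", "privnote[.]com", "sendspace[.]com",
    "temp[.]sh", "ufile[.]io",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'mega.co[.]nz' back into 'mega.co.nz'."""
    return indicator.replace("[.]", ".").lower().strip(".")


def host_matches(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it.
    Label-aware: 'notmega.co.nz' must not match 'mega.co.nz'."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


@dataclass
class Event:
    ts: str
    src_ip: str
    host: str
    bytes_out: int


@dataclass
class Hit:
    event: Event
    indicator: str  # the refanged domain that matched


# Hypothetical log format: "<timestamp> <src_ip> <dst_host> <bytes_out>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, host, nbytes = m.groups()
    return Event(ts, src, host, int(nbytes))


def find_hits(lines: List[str],
              indicators: List[str] = DEFANGED_INDICATORS,
              allowlist: FrozenSet[Tuple[str, str]] = frozenset()) -> List[Hit]:
    """Return one Hit per line whose destination falls under a monitored
    domain, skipping (src_ip, domain) pairs recorded as legitimate use."""
    domains = [refang(i) for i in indicators]
    hits: List[Hit] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for dom in domains:
            if host_matches(ev.host, dom):
                if (ev.src_ip, dom) not in allowlist:
                    hits.append(Hit(ev, dom))
                break  # one indicator per event is enough
    return hits


# Constructed sample log: one large upload to a Mega API host, one to
# file.io, benign traffic, a look-alike domain, and an allowlisted pair.
SAMPLE_LOG = """\
2025-02-11T10:12:03Z 10.0.4.17 api.mega.co.nz 734003200
2025-02-11T10:13:44Z 10.0.4.17 file.io 52428800
2025-02-11T10:14:02Z 10.0.8.2 updates.example.com 4096
2025-02-11T10:15:10Z 10.0.4.17 notmega.co.nz 1024
2025-02-11T10:16:30Z 10.0.2.9 mega.io 2048
"""
# Hypothetical record of known legitimate internal use of one service.
KNOWN_LEGIT = frozenset({("10.0.2.9", "mega.io")})

if __name__ == "__main__":
    for h in find_hits(SAMPLE_LOG.splitlines(), allowlist=KNOWN_LEGIT):
        print(f"{h.event.ts} {h.event.src_ip} -> {h.event.host} "
              f"({h.event.bytes_out} bytes) matches {h.indicator}")
```

On the sample log this reports the two transfers from 10.0.4.17 (to api.mega.co.nz and file.io) and nothing else: the look-alike host is rejected by the label-aware suffix check and the mega.io connection from 10.0.2.9 is suppressed by the allowlist. Because file.io deletes the upload after its first download, the byte count recorded in the log is often the only remaining measure of what left the network, which is why it is carried through into each hit.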

Charles Blanc-Rolin, digital health security project manager, maintains a series of rules, the PAW Patrules, for the Suricata intrusion detection system (IDS), which cover many of the tactics, techniques and procedures employed in cyberattacks that may lead to the deployment of ransomware.


(c) Valéry Rieß-Marchive
