The Cybersecurity Lair™ • May 3, 2024

Latest News | Unveiling the Threat: Hackers Exploit Microsoft Cloud Services for C&C Communications

Navigating the Cloud: Understanding the Risks of Graph API Misuse in Cyber Attacks

An emerging cybersecurity threat involves hackers exploiting Microsoft's Graph API to establish command-and-control (C&C) communications through Microsoft cloud services. The malware, named BirdyClient or OneDriveBirdyClient, was discovered by security analysts at Symantec. It targeted an organisation in Ukraine, using Microsoft OneDrive for C&C by connecting to the Graph API for file upload and download. This malware, along with others like Bluelight, Backdoor.Graphon, and Graphite, highlights a growing trend of threat actors leveraging trusted cloud services for malicious purposes, making detection challenging. 

Key Events:

  • Discovery of BirdyClient or OneDriveBirdyClient malware by Symantec.
  • Malware targeting an organisation in Ukraine, utilising Microsoft OneDrive for C&C through the Graph API.
  • Trend of threat actors exploiting Microsoft's Graph API for C&C communications.
  • Examples of other malware families like Bluelight, Backdoor.Graphon, and Graphite using Graph API for C&C purposes.
  • Usage of Graph API and OneDrive by SiestaGraph targeting an ASEAN country.
  • Utilisation of Backdoor.Graphican by the Flea (APT15) group in campaigns against foreign ministries.
  • Emergence of GraphStrike as a penetration testing toolkit, demonstrating attackers' abuse of legitimate cloud integration capabilities.
  • Concerns about the increasing misuse of authenticated API access channels for C&C activities.

Analysis of the Attack:

The attack uses Microsoft's Graph API to establish C&C communications, primarily through Microsoft OneDrive. Malware such as BirdyClient connects to the Graph API to upload and download files, which lets threat actors control compromised systems remotely. By masquerading as legitimate software and leveraging trusted cloud services, attackers can evade detection and blend malicious activity with normal cloud traffic. This technique challenges traditional detection methods because it uses authorised API access channels for malicious purposes.

Lessons Learned:

  1. Awareness of the evolving threat landscape: Security professionals need to stay updated on emerging threats leveraging legitimate services like Microsoft's Graph API for malicious activities.
  2. Enhanced detection and prevention mechanisms: Traditional security measures may not be sufficient to detect C&C communications through trusted cloud services. Innovative approaches are required to identify and mitigate such threats effectively.
  3. Importance of proactive defence strategies: Organisations should implement proactive measures such as threat intelligence sharing, regular security assessments, and employee training to mitigate the risk posed by sophisticated cyber threats.
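
The detection problem described in the analysis above and in lesson 2 can be approached by looking at who is talking to the Graph API rather than where the traffic goes. The following is an added example, not code from the article, Symantec or Microsoft: it scans constructed proxy/EDR-style records for processes outside an assumed allowlist that upload and download file content through the public Graph drive endpoints at a fixed polling interval; the log format, allowlist and process names are assumptions.

```python
"""Flag Graph API OneDrive traffic that looks like BirdyClient-style C&C.

Constructed example (not code from the article or from Symantec): scans
proxy/EDR-style records for processes outside an allowlist that move file
content through graph.microsoft.com drive endpoints at a fixed interval.
Log format, allowlist and sample process names are assumptions."""
from collections import defaultdict
import re

GRAPH_HOST = "graph.microsoft.com"
# Public Graph drive-item content routes: /me/drive/items/{id}/content
# and /me/drive/root:/path:/content (upload = PUT, download = GET).
DRIVE_CONTENT = re.compile(r"/v1\.0/(?:me|users/[^/]+)/drive/.*?/content$")
KNOWN_CLIENTS = {"OneDrive.exe", "Teams.exe", "OUTLOOK.EXE", "msedge.exe"}  # assumed allowlist

def is_drive_content_request(url):
    return GRAPH_HOST in url and DRIVE_CONTENT.search(url.split("?")[0]) is not None

def find_suspicious(records, min_calls=3, max_jitter=5):
    """Return {process: reason} for unknown processes doing regular drive I/O."""
    by_proc = defaultdict(list)
    for r in records:
        if r["process"] not in KNOWN_CLIENTS and is_drive_content_request(r["url"]):
            by_proc[r["process"]].append(r)
    findings = {}
    for proc, hits in by_proc.items():
        if len(hits) < min_calls:
            continue
        reason = "unknown process using Graph drive content endpoint"
        if {"GET", "PUT"} <= {h["method"] for h in hits}:
            reason += "; both download (GET) and upload (PUT)"
        ts = sorted(h["ts"] for h in hits)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(gaps) >= 2 and max(gaps) - min(gaps) <= max_jitter:
            reason += f"; fixed ~{sum(gaps) // len(gaps)}s polling interval"
        findings[proc] = reason
    return findings

SAMPLE = [  # constructed records: epoch seconds, process, HTTP method, URL
    {"ts": 0, "process": "OneDrive.exe", "method": "PUT", "url": "https://graph.microsoft.com/v1.0/me/drive/root:/Docs/a.docx:/content"},
    {"ts": 10, "process": "updater.exe", "method": "GET", "url": "https://graph.microsoft.com/v1.0/me/drive/root:/cmd.txt:/content"},
    {"ts": 70, "process": "updater.exe", "method": "PUT", "url": "https://graph.microsoft.com/v1.0/me/drive/root:/out.txt:/content"},
    {"ts": 130, "process": "updater.exe", "method": "GET", "url": "https://graph.microsoft.com/v1.0/me/drive/root:/cmd.txt:/content"},
    {"ts": 190, "process": "updater.exe", "method": "PUT", "url": "https://graph.microsoft.com/v1.0/me/drive/items/01ABC/content"},
    {"ts": 200, "process": "python.exe", "method": "GET", "url": "https://graph.microsoft.com/v1.0/me/messages"},
]

if __name__ == "__main__":
    for proc, why in find_suspicious(SAMPLE).items():
        print(f"{proc}: {why}")
```

In a real deployment the allowlist should be built from the organisation's own telemetry, and a single hit from an unknown process is worth a look even before the interval check fires.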

Source and further reading:

Dutta, T. S. (2024, May 3). Hackers Exploit Microsoft Graph API For C&C Communications. GBHackers on Security. https://gbhackers.com/hackers-exploit-microsoft-graph-api/amp/

The Hacker News. (n.d.). Hackers increasingly abusing Microsoft Graph API for stealthy malware communications. https://thehackernews.com/2024/05/hackers-increasingly-abusing-microsoft.html