Living off Trusted Sites: cyber attackers abuse legal services

12 February 2024

“Hide in plain sight” is a well-known strategy from game theory: it describes placing something as openly and accessibly as possible among many other offers. The deception works by hiding the real intention among a multitude of unremarkable things, so that defenders overlook it.

According to security researchers, this strategy is becoming increasingly popular in cybercrime. [1]

The technical concept behind this is called “Living off Trusted Sites” and is used in various forms. The concept itself has its origins in so-called “Living-off-the-Land” (LotL) techniques, which use resources and standard tools that are already present on a system (e.g. PowerShell or script interpreters) for cyber-attacks.

Attackers benefit from being able to hide in a large amount of legitimate network traffic and bypass traditional security measures more easily.

Living off Trusted Sites attacks utilise widespread cloud services

Widely used services such as GitHub/GitLab, Google Drive, Microsoft OneDrive etc. tend to have a long history of legitimate use and are rarely monitored or restricted. This makes them ideal for Living off Trusted Sites attacks.

The methods of abuse are many and varied: from exfiltrating user data to hiding command-and-control traffic, the platforms provide perfect cover for cyber-attacks. [2] In addition to these main patterns, they are also exploited for other infrastructure-related purposes, such as hosting phishing sites or redirecting traffic.

Organisations’ trust in legitimate services provides the perfect cover for malicious activity. It also makes it much harder to detect and trace the attackers.

Focus on GitHub and many other trustworthy services

There are currently several examples of Living off Trusted Sites attacks via the code development platform GitHub. The ubiquity of this service in IT environments makes it attractive for attackers to host their malware there and to use it as an external command interface.

If an attacker has gained access to an organisation, further instructions and commands can easily be downloaded from there. [3] But GitHub is not the only service that can be used for dubious purposes.

The Living Off Trusted Sites (LOTS) project aims to provide an overview of these services. Possible scenarios are described and listed with examples. [4] It offers a good summary of the services that have already been misused and that may therefore be relevant to security teams.

No concrete defence measures against Living off Trusted Sites attacks yet

Recorded Future security researchers conclude that detecting such activity requires a mix of strategies. As the attackers are very individual and creative in their approach, there is currently no universal solution against these attacks. The first step is to raise awareness of this type of threat. On the one hand, users have a duty to apply the security measures recommended by the services in order to avoid unknowingly falling victim to such abuse. On the other hand, the platforms themselves will have to develop further measures to protect against abuse in the future.

Conclusion: Although there are no concrete countermeasures for the current Living off Trusted Sites attacks, some basic recommendations can be made: If you are not actively using the affected platforms, it may make sense to restrict them via URL/web filters, or to start logging access to them now in order to better detect deviations from normal use in the future.

Inform users of the potential risks and refer them to the platform’s recommendations on how to protect themselves as much as possible.
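The two recommendations above (log access to the trusted platforms, and restrict them where they are not actively used) can be turned into a small baseline-and-deviation check. The following is an added example, not code from the original article or from IKARUS: it assumes a constructed proxy log format of `<timestamp> <source host> <user> <method> <destination host> <bytes out>`, uses the services named in the article as the watch list, and the 5 MB upload threshold and the sample log lines are made-up values for illustration.

```python
"""Baseline-and-deviation check for access to trusted cloud services.

Added example: the log format, thresholds and sample lines below are
constructed assumptions, not a real proxy format or an IKARUS product.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set

# Services the article names as frequently abused "trusted sites".
# Subdomains match as well (e.g. raw.githubusercontent.com -> GitHub).
WATCHED_SERVICES = {
    "github.com": "GitHub",
    "githubusercontent.com": "GitHub",
    "gitlab.com": "GitLab",
    "drive.google.com": "Google Drive",
    "onedrive.live.com": "OneDrive",
}

# Assumption: a single upload of 5 MB or more to a trusted site is worth a look.
UPLOAD_BYTES_THRESHOLD = 5_000_000


@dataclass(frozen=True)
class ProxyEvent:
    ts: datetime
    src_host: str
    user: str
    method: str
    dest_host: str
    bytes_out: int


def parse_line(line: str) -> ProxyEvent:
    """Parse one constructed log line: '<ts> <src> <user> <method> <dest> <bytes_out>'."""
    ts, src, user, method, dest, out = line.split()
    return ProxyEvent(datetime.fromisoformat(ts), src, user, method, dest.lower(), int(out))


def watched_service(dest_host: str) -> Optional[str]:
    """Return the service name if dest_host is a watched domain or a subdomain of one."""
    for domain, service in WATCHED_SERVICES.items():
        if dest_host == domain or dest_host.endswith("." + domain):
            return service
    return None


def build_baseline(lines: List[str]) -> Dict[str, Set[str]]:
    """Record which watched services each host used during the baseline window."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        service = watched_service(ev.dest_host)
        if service:
            seen[ev.src_host].add(service)
    return dict(seen)


def detect(baseline: Dict[str, Set[str]], lines: List[str]) -> List[dict]:
    """Flag first-seen use of a trusted service per host, and large uploads to one."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        service = watched_service(ev.dest_host)
        if not service:
            continue  # not a trusted-site access, ignore
        if service not in baseline.get(ev.src_host, set()):
            findings.append({"rule": "new-service-for-host", "host": ev.src_host,
                             "user": ev.user, "service": service, "ts": ev.ts.isoformat()})
        if ev.method in ("POST", "PUT") and ev.bytes_out >= UPLOAD_BYTES_THRESHOLD:
            findings.append({"rule": "large-upload-to-trusted-site", "host": ev.src_host,
                             "user": ev.user, "service": service, "bytes_out": ev.bytes_out})
    return findings


def restriction_candidates(baseline: Dict[str, Set[str]], service: str, hosts: List[str]) -> List[str]:
    """Hosts that never used `service` in the baseline: candidates for a URL/web-filter block."""
    return sorted(h for h in hosts if service not in baseline.get(h, set()))


# Constructed sample data: one week of "normal" use, then a detection window.
BASELINE_LOG = [
    "2024-02-05T09:01:00 ws01 alice GET github.com 512",
    "2024-02-05T09:02:00 ws01 alice GET raw.githubusercontent.com 640",
    "2024-02-05T10:15:00 ws02 bob GET drive.google.com 300",
    "2024-02-05T10:16:00 ws02 bob GET www.example.com 200",
]
DETECTION_LOG = [
    "2024-02-12T08:30:00 ws01 alice GET github.com 700",                 # known use, no finding
    "2024-02-12T08:45:00 ws02 bob GET raw.githubusercontent.com 1024",   # ws02 never used GitHub
    "2024-02-12T09:10:00 ws01 alice POST github.com 12000000",           # 12 MB upload
    "2024-02-12T09:12:00 ws03 carol GET onedrive.live.com 400",          # ws03 has no baseline
]


def run_example() -> List[dict]:
    return detect(build_baseline(BASELINE_LOG), DETECTION_LOG)


if __name__ == "__main__":
    for f in run_example():
        print(f)
    print("block candidates for GitHub:",
          restriction_candidates(build_baseline(BASELINE_LOG), "GitHub", ["ws01", "ws02", "ws03"]))
```

The point of the per-host baseline is that "first contact" with a platform that the rest of the organisation uses every day is exactly the deviation a global allow-list would hide; the same baseline also tells you which hosts could be placed behind a web-filter block without disrupting anyone.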
