We’re back to highlight more ATT&CK techniques making headlines. This week we look at APT41’s rise from the ashes — and, specifically, how they infiltrate and exfiltrate against a global array of targets.
So, APT41 is in a network, they’ve accessed sensitive data, and now they want to exfiltrate. How? Why not just use what the rest of us already use? APT41 copies data and then smuggles it out via Microsoft OneDrive.
This maps right to T1567.002 (https://attack.mitre.org/techniques/T1567/002/). Taking this route is advantageous for numerous reasons, including that the ready-built C2 often looks familiar compared to a threat actor’s primary command and control infrastructure.
Threat actors gain cover by using popular services like OneDrive, especially if the network is already communicating with the service and if security tools already permit traffic going there. This, of course, goes way beyond OneDrive: check out https://attack.mitre.org/techniques/T1567/
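As an added illustration of the detection gap the thread describes (this is not code from the thread's author), here is a small Python check that sums upload volume to OneDrive endpoints per host from proxy logs and flags hosts far above their usual baseline, since allow-listed destinations mean volume and deviation from baseline, not the destination itself, are what you have left to alert on. The log format, hostnames, domain list and thresholds are constructed assumptions.

```python
from collections import defaultdict
import re

# Constructed proxy log lines: timestamp host method destination bytes_sent
PROXY_LOG = """\
2024-05-01T09:01:00Z ws-017 PUT onedrive.live.com 102400
2024-05-01T09:05:00Z ws-042 PUT onedrive.live.com 734003200
2024-05-01T09:06:30Z ws-042 PUT onedrive.live.com 801112064
2024-05-01T09:07:00Z ws-042 PUT 1drv.ms 655360000
2024-05-01T09:08:00Z ws-099 GET onedrive.live.com 2048
"""

# Illustrative OneDrive endpoints (suffix match); extend from your own proxy data.
ONEDRIVE_DOMAINS = ("onedrive.live.com", "1drv.ms", "-my.sharepoint.com")
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def parse_log(text):
    """Yield (host, method, dest, bytes_sent) per well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _ts, host, method, dest, sent = m.groups()
            yield host, method, dest, int(sent)

def is_onedrive(dest):
    return any(dest.endswith(d) for d in ONEDRIVE_DOMAINS)

def upload_bytes_per_host(text):
    """Sum bytes sent in upload-type requests to OneDrive endpoints, per host."""
    totals = defaultdict(int)
    for host, method, dest, sent in parse_log(text):
        if method in ("PUT", "POST") and is_onedrive(dest):
            totals[host] += sent
    return dict(totals)

def flag_anomalies(text, baseline, multiplier=10, floor_bytes=100 * 2**20):
    """Flag hosts above an absolute floor AND `multiplier` x their daily baseline."""
    flagged = {}
    for host, total in upload_bytes_per_host(text).items():
        base = baseline.get(host, 0)  # unknown host: floor alone decides
        if total >= floor_bytes and total > multiplier * base:
            flagged[host] = total
    return flagged

# Constructed baseline: typical daily OneDrive upload bytes observed per host.
BASELINE = {"ws-017": 5 * 2**20, "ws-042": 8 * 2**20}

if __name__ == "__main__":
    for host, total in flag_anomalies(PROXY_LOG, BASELINE).items():
        print(f"{host}: {total / 2**20:.0f} MiB uploaded to OneDrive, above baseline")
```

In practice the baseline would come from historical proxy data and the user and share names from the service's own audit logs, so a flagged host can be tied to which account pushed the data.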