Attackers are Now Living Off the Cloud
Is your cloud protected and are you ready for their latest attack plan?
Over the last few years, most malicious actors have been conducting living off the land attacks, which use the tools already present on the victims’ computers to carry out the attack. These attacks involve little to no traditional hacking: attackers simply exploit vulnerabilities, permissive security policies, PowerShell, and even old software. But now that enterprises are increasingly dependent on cloud services, living off the land has evolved into living off the cloud.
Attackers are increasingly abusing trusted SaaS platforms, cloud infrastructure, and identity systems to blend malicious activity into legitimate enterprise traffic. Adversaries are pushing command and control (C2) through high-reputation services, including OpenAI and AWS, to blend in with normal business traffic and evade blocklists.
The shift from “living off the land” to “living off the cloud” reflects how attackers have adapted to the enterprise’s migration of IT infrastructure to hybrid and cloud environments such as AWS, Azure, and Google Cloud.
One might ask, how is this possible? The cloud is secure, correct? The answer is that attackers now leverage native cloud administrative tools, APIs, identity systems, and management consoles, using the legitimate functionality of the cloud to carry out an attack. Attackers who obtain valid credentials, tokens, or API keys can enumerate resources, extract data, escalate privileges, and maintain persistence through routine-looking administrative calls.
These techniques bypass traditional defenses that rely heavily on domain reputation and static blocklists. Running attack infrastructure from the cloud also makes attacks easier to mount.
This has been proven by the latest attack by the Iranian Handala Team, which many experts say has ties to Iran’s Intelligence Ministry. Most of this group’s work has been espionage, but it has pivoted to attacks on US-based companies.
Their latest target was Stryker, a medical technology company. More than 200,000 of Stryker’s computers, servers, and mobile devices were remotely wiped, causing a severe work and communication stoppage from which the company is still recovering.
The Handala Team gained access to Stryker’s Intune management console using stolen credentials, API keys, or both. They then used the built-in features of Microsoft Intune to wipe every device enrolled in the company’s tenant.
The ability to wipe devices remotely is a standard feature of device management platforms, intended for cases such as a lost or stolen device. Here the attackers turned that same cloud feature into a way to disrupt business for the entire enterprise.
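As an added defender-side example (not from the original article), the following Python flags any identity that issues an unusual burst of wipe or retire actions in management-console audit records. The record fields are an assumption, loosely modelled on Intune audit events rather than a verified schema, and the records themselves are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records in a simplified shape loosely modelled on
# Intune audit events; the field names are an assumption, not a verified schema.
SAMPLE_EVENTS = [
    {"activityDateTime": "2024-01-10T08:00:00Z", "actor": "helpdesk@example.com",
     "activityType": "Wipe ManagedDevice", "resource": "laptop-0017"},
    {"activityDateTime": "2024-01-10T08:30:00Z", "actor": "helpdesk@example.com",
     "activityType": "Sync ManagedDevice", "resource": "laptop-0017"},
] + [
    # Six wipes in under three minutes from one identity, late at night.
    {"activityDateTime": f"2024-01-10T23:1{i // 2}:{'00' if i % 2 == 0 else '30'}Z",
     "actor": "svc-automation@example.com",
     "activityType": "Wipe ManagedDevice", "resource": f"laptop-01{i:02d}"}
    for i in range(6)
]

WIPE_ACTIONS = {"Wipe ManagedDevice", "Retire ManagedDevice"}

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_mass_wipes(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per actor whose wipe/retire actions reach `threshold`
    inside any sliding time window of length `window`."""
    by_actor = defaultdict(list)
    for event in events:
        if event["activityType"] in WIPE_ACTIONS:
            by_actor[event["actor"]].append(
                (parse_ts(event["activityDateTime"]), event["resource"]))
    alerts = []
    for actor, hits in by_actor.items():
        hits.sort()
        start, best = 0, None
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if best is None or end - start + 1 > best[1]:
                best = (start, end - start + 1, end)
        if best and best[1] >= threshold:
            first, count, last = best
            alerts.append({
                "actor": actor, "count": count,
                "window_start": hits[first][0].isoformat(),
                "devices": [device for _, device in hits[first:last + 1]],
            })
    return alerts
```

Tune the threshold to the tenant's normal retirement volume, since a legitimate bulk offboarding job will trigger the same rule; the value of the check is that a mass wipe stands out from the single-device wipes a helpdesk performs.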
Remember, the cloud is just like any other system: it must be secured, backed up, and monitored. Because it is a very different kind of environment, great care must be taken to make sure this is done correctly. Recent events are proof that most enterprises still do not take security seriously.