Adrian McCabe, Ryan Tomcik, and Stephen Clement from Mandiant and Google Cloud published a blog post about how threat actors are weaponizing digital analytics tools.

I found it particularly interesting how tools like link shorteners, IP geolocation, and CAPTCHAs, which are typically used for legitimate purposes, can be used by threat actors to enhance their attacks.

For example, threat actors can use link shorteners to obfuscate malicious URLs, making it difficult for users to tell whether a link is safe. They can also use IP geolocation tools to target users in specific geographic regions, or to avoid detection by blocking visitors from certain locations. Additionally, threat actors can place CAPTCHAs in front of their malicious infrastructure or payloads to keep automated tools away from them, making it more difficult for security researchers to analyze their attacks.

The blog post also provides guidance on how defenders can protect themselves from these threats. For example, defenders can use network analytics to identify suspicious patterns, such as multiple requests from a single host to a link shortener in a short period of time. They can also use endpoint security tools to detect malicious processes that are attempting to connect to IP geolocation services or bot classification tools.
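To make the two detection ideas above concrete, here is an added example (my own code, not from the Mandiant post or its authors) that applies them to constructed data: the first function slides a time window over proxy log lines and flags any client that hits a link shortener five or more times within a minute; the second scans endpoint connection events and flags non-browser processes that reach out to an IP geolocation service. The log format, the shortener and geolocation domain lists, the process allow-list, and the thresholds are all assumptions chosen for illustration and would be replaced by an organization's own feeds and tuning.

```python
"""Hunting for two patterns described in the post (added example, not the
post's own code): bursts of link-shortener requests from one host, and
non-browser processes contacting IP geolocation services."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed watch lists for illustration; a real deployment would load
# maintained lists rather than hard-code a handful of domains.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
GEO_SERVICE_DOMAINS = {"ip-api.com", "ipinfo.io"}
# Processes that are expected to reach geolocation services (assumption).
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed proxy log lines in an assumed format:
# "<ISO timestamp> <client-ip> <destination host> <path>"
SAMPLE_PROXY_LOG = """\
2024-05-01T10:00:01 10.0.0.5 bit.ly /abc123
2024-05-01T10:00:03 10.0.0.5 tinyurl.com /xyz
2024-05-01T10:00:04 10.0.0.5 bit.ly /def456
2024-05-01T10:00:05 10.0.0.5 is.gd /qq
2024-05-01T10:00:06 10.0.0.5 t.co /zz
2024-05-01T10:00:10 10.0.0.7 bit.ly /one
2024-05-01T10:05:00 10.0.0.7 bit.ly /two
2024-05-01T10:00:20 10.0.0.9 example.com /index.html
"""

# Constructed endpoint connection events: (hostname, process, destination).
SAMPLE_CONNECTIONS = [
    ("host-a", "chrome.exe", "ipinfo.io"),
    ("host-b", "invoice.pdf.exe", "ip-api.com"),
    ("host-c", "powershell.exe", "ipinfo.io"),
    ("host-d", "outlook.exe", "example.com"),
]


def parse_proxy_line(line):
    """Split one log line into (timestamp, client_ip, host, path)."""
    ts, ip, host, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), ip, host.lower(), path


def find_shortener_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: time_of_first_alert} for clients that request a
    link-shortener domain at least `threshold` times inside any `window`."""
    events = [parse_proxy_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e[0])  # logs are not guaranteed to be ordered
    recent = defaultdict(deque)      # client_ip -> timestamps of recent hits
    alerts = {}
    for ts, ip, host, _ in events:
        if host not in SHORTENER_DOMAINS:
            continue
        hits = recent[ip]
        hits.append(ts)
        # Drop hits that fell out of the sliding window.
        while hits and ts - hits[0] > window:
            hits.popleft()
        if len(hits) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts


def flag_geolocation_lookups(events):
    """Return events where a process outside the browser allow-list
    connects to a known IP geolocation service."""
    return [
        (host, proc, dest)
        for host, proc, dest in events
        if dest.lower() in GEO_SERVICE_DOMAINS and proc.lower() not in BROWSER_PROCESSES
    ]


if __name__ == "__main__":
    for ip, when in find_shortener_bursts(SAMPLE_PROXY_LOG).items():
        print(f"shortener burst from {ip} at {when.isoformat()}")
    for host, proc, dest in flag_geolocation_lookups(SAMPLE_CONNECTIONS):
        print(f"{host}: {proc} contacted geolocation service {dest}")
```

On the sample data, only 10.0.0.5 trips the burst rule (five shortener requests in six seconds), while 10.0.0.7's two requests five minutes apart do not; the connection scan surfaces the oddly named executable and the PowerShell process but ignores the browser. Both rules are deliberately simple so they can be tuned: lowering the threshold or widening the window raises sensitivity at the cost of false positives from users who genuinely click many shortened links.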

Overall, the blog post provides a useful overview of how threat actors are abusing digital analytics tools, and it offers practical guidance on how defenders can protect themselves from these threats.