"What happens when attackers start taking advantage of whitelisted APIs as a form of obfuscated command and control? Companies both large and small are moving workloads to the cloud and are very concerned with how to secure their resources which actually live in AWS, GCP, and Azure. However, they don’t address how enabling this access changes their internal attack surface and weakens their defenses. In this talk, we demonstrate that attackers no longer have any reason to rely on conventional CNC, being able to outsource their costs and infrastructure management to the likes of Slack, Github, Pastebin, Dropbox, Google, and social media sites. Using these sorts of techniques, URL blacklisting becomes obsolete, IDS becomes less effective, and attackers no longer have to waste their time writing domain generation algorithms. Specifically, I will demo a proof-of-concept malware which uses multiple SaaS services, social networks, and more conventional “cloud infrastructure” (S3) that would be extremely difficult to mitigate generically with today’s IPS solutions, and we discuss how the same techniques can be used by red teams and attackers to quietly maintain persistence and exfiltrate data."