Attackers are using cloud services to mask attack origin and build false trust

Conditioning users to think "padlock equals security" has unintended consequences when cloud services are used to host malware droppers.

What attackers want when they hack email accounts Mark Risher, Google's director of product management for identity and account security, explains what hackers are looking for and how Google is ramping up account security.

Security experts love talking up the importance of trusted websites. Google's dominant Chrome browser--which has held about two-thirds of the browser market share all year--emphasized the importance of this with its lock icon, indicating that traffic was encrypted. It's a useful heuristic, easy for end users to understand. Lock equals security. It's skeuomorphism at its best, but it lulls users into a false sense of security.

A Wednesday report from Menlo Security finds that attackers are using cloud hosting services to avoid detection, opting to host trojans from websites like storage.googleapis.com, rather than on their own infrastructure. It is difficult to understate the convenience of this--think of all the benefits cloud computing offers the enterprise, the cost savings of building out your own servers, etc., and apply those benefits to cybercriminals. The minimized initial cost makes cloud services undeniably attractive for malicious uses.

SEE: Cybersecurity strategy research: Common tactics, issues with implementation, and effectiveness (Tech Pro Research)

So, imagine a user follows a link in a phishing email to download a trojan from storage.googleapis.com. As far as the user knows, the origin is Google, or someone using Google to store data. It's got the lock icon, and it has Google in the URL, so it should be trustworthy. For IT professionals, if you have a blacklist or whitelist of acceptable domains, this inevitably must be allowed--use of Google is so entrenched that even if your organization uses another platform, enough of your vendors or clients probably use Google's ecosystem that attempting to block this would bring business to a standstill.

This is an unavoidable problem that cannot be solved programmatically. The only workable solution is educating users that the "it's from Google, so it must be secure" train of thought is not as ironclad as they expect it to be.

Oddly, it is at this junction that the Menlo Security report derails, violently, in a high-speed accident, as if a maglev train suddenly tried to merge onto rails designed for a steam train. Vinay Pidathala, director of security research at Menlo Security, makes the colorful claim in the accompanying press release that the origin-masking properties of this attack means "Botnets will decrease, and RAT malware will increase due to the ability RATs give attackers to customize and control every step of the attack. Once they get in, they can live off the fat of the land in the enterprise." He adds, "We will continue to see an increase in cross-platform malware, similar to the malware we've seen in this specific campaign... [as] attackers only need to write one file to attack both platforms."

SEE: Phishing and spearphishing: A cheat sheet for business professionals (TechRepublic)

In reality, the rise of hastily designed and minimally secured Internet of Things (IoT) devices will provide malicious actors countless targets to build botnets out of, to say nothing of traditional botnets of compromised servers and workstations. Routers are also increasingly attractive targets for malicious actors, as upward of 500,000 routers were infected earlier this year as part of the VPNFilter attack.

Additionally, the "cross-platform malware" Pidathala describes cannot even be described as low-hanging fruit. It's fallen to the ground, decomposing. The campaign analyzed in the Menlo Security report relies on VBScript and JAR files (optionally zipped) to download and execute the malicious payload, which is theorized to be related to the Houdini malware family, from 2013. How, precisely, VBScript is intended to be cross-platform is unclear.

Looking at the calendar, 2019 is just weeks away. If workstations in your organization are currently deployed with Java SE installed, strongly consider re-imaging them--assume they are already compromised, so there is no point to just uninstalling Java--with an OS image which does not have Java preinstalled. Likewise, Trend Micro offers a quick guide to disabling execution of VBScript by disabling Windows Script Host.

Update: In a statement to TechRepublic, a Google Cloud spokesperson said "We regularly remove malware on Google Cloud Storage, and our automated systems suspended the malware referred to in this report. In addition, customers can report suspected abuse through our website."

The big takeaways for tech leaders:

  • Conditioning users to think "padlock equals security" lulls users into a false sense of security, as attackers are using cloud hosting services to avoid detection.
  • If you are allowing Java SE or Windows Script Host on workstations, reconsider.

Also see

databreach.jpg
weerapatkiatdumrong, Getty Images/iStockphoto