Google has a growing problem on their hands, as malicious actors continue to use Google Cloud Platform to obfuscate the origin of attacks. A threat group is using Google App Engine to deliver malware using an open redirector provided by the service, according to a Thursday report from Netskope’s Threat Research Labs.
In essence, the attack works as follows:
Fraudulent emails are disseminated in a phishing attack, purporting to originate from one of nearly two dozen banks across Asia, Europe, and Africa, requesting that the user download a linked PDF to perform a reconciliation. The PDF link is routed through a Google App Engine logout page that contains an unvalidated redirect: after logging the user out of the service, it forwards the browser to whatever URL was placed in the link.
https://appengine.google.com/_ah/logout?continue=[... arbitrary url]
This is used to redirect users to a maliciously crafted PDF, which then attempts to download a malware payload from a second website when opened in Adobe Reader. The malware payload in this case is a Microsoft Word document containing obfuscated malware code.
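As an added example (not code from the Netskope report or this article), a small Python detector for the logout-redirect pattern described above, of the kind a mail gateway or proxy log review could apply, together with the server-side check a redirector should perform on its `continue` parameter. The allowlist and the `evil.example` hostname are constructed placeholders.

```python
"""Detect abuse of a logout?continue= style open redirector (added example)."""
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Hosts a post-logout "continue" may legitimately point to. Constructed
# allowlist for this example; a real service would use its own.
ALLOWED_CONTINUE_HOSTS = {"appengine.google.com", "accounts.google.com"}


def redirect_target(url: str) -> Optional[str]:
    """Return the `continue` value of an appengine.google.com/_ah/logout
    link, or None when `url` is not such a link."""
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        return None
    if p.hostname != "appengine.google.com" or p.path != "/_ah/logout":
        return None
    values = parse_qs(p.query).get("continue")
    return values[0] if values else None


def is_open_redirect_abuse(url: str) -> bool:
    """True when a logout link would bounce the browser off Google.

    Covers the usual evasions: scheme-relative `//evil`, backslashes, and
    userinfo tricks such as `https://accounts.google.com@evil`."""
    target = redirect_target(url)
    if target is None:
        return False
    t = urlparse(target.replace("\\", "/"))
    if t.hostname is None:
        # No host: a relative path stays on-site; anything else (a bare
        # hostname like "evil.example/x") is treated as external.
        return not target.startswith("/")
    return t.hostname not in ALLOWED_CONTINUE_HOSTS


def flag_redirects(urls: List[str]) -> List[str]:
    """Scan URLs extracted from mail or proxy logs; return the abusive ones."""
    return [u for u in urls if is_open_redirect_abuse(u)]


def safe_continue(target: str, default: str = "/") -> str:
    """Server-side check a redirector should apply to `continue`: accept only
    same-site relative paths, otherwise fall back to `default`."""
    if target.startswith("/") and not target.startswith("//") and "\\" not in target:
        return target
    return default
```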
Everything about this is, frankly, idiotic. Google should not be operating an open redirector, because this creates an avenue for phishing. Oddly, Netskope references this guidance from Google’s Bughunter University:
Open redirectors take you from a Google URL to another website chosen by whoever constructed the link. Some members of the security community argue that the redirectors aid phishing, because users may be inclined to trust the mouse hover tooltip on a link and then fail to examine the address bar once the navigation takes place.
Our take on this is that tooltips are not a reliable security indicator, and can be tampered with in many ways; so, we invest in technologies to detect and alert users about phishing and abuse, but we generally hold that a small number of properly monitored redirectors offers fairly clear benefits and poses very little practical risk.
Those technologies to detect phishing do not work when used outside of Google products, particularly in the event a phishing target uses a desktop email client.
It remains unreasonable to expect that users won’t download suspicious-looking attachments, despite decades of guidance to the contrary. One would hope–and likely face crushing disappointment–that a user would recognize that a PDF trying to download a Word document is abnormal, and that maybe they should not open the document.
Netskope’s recommendations on mitigating this attack range from boilerplate to insulting, considering that the firm advises users to “hover your mouse over all hyperlinks to confirm them before clicking on the link,” directly contradicting the Google guidance they referenced in their report. Netskope also recommends users “always check the domain of the link,” and “keep systems and antivirus updated with the latest releases and patches.”
The report relies on conclusions built on top of spurious connections, and fundamental misunderstandings of research reports of other companies. Oddly, the report attributes the attack to the “infamous threat actor group named ‘Cobalt Strike’,” citing a report from Cisco Talos in which the group itself is called “Cobalt,” using an off-the-shelf penetration testing tool called “Cobalt Strike.” Netskope concedes that the leader of the group was arrested by Europol in March 2018, but said it expects the group to continue attacks.
Kaspersky Lab identified the threat actor as “Carbanak” in February 2015.
Update: A Google spokesperson told TechRepublic “As of January 18, 2019, the issue described in this report has been fixed. Protecting our customers from phishing attacks is a top priority for Google. We proactively warn users whenever they are being redirected to a URL outside of a Google domain. Additionally, if a user attempts to proceed to an untrusted site, we warn them of known malicious URLs through Google Safe Browsing filters.”
The big takeaways for tech leaders:
- Malicious actors are using an unvalidated redirect operated by Google in phishing and malware campaigns.
- Tooltips are not a reliable indicator of where a link actually leads.