Michael P. Kassner interviews a digital forensic scientist who uses Dropbox to compromise targeted networks -- something the bad guys probably figured out as well.
I use Dropbox, and so do some 50 million other people. That's remarkable, considering Dropbox suffered through a few embarrassing speed bumps related to user file security. It seems it's going to take more than those kind of oops for us to consider giving up the convenience afforded by Dropbox.
A digital addiction like that begs the question: what kind of "issue" would it take to convince someone (me for instance) to stop using Dropbox?
When I asked that question at a security seminar, little did I realize a digital investigator slash pen tester would provide the perfect speed bump that will have all 50 million of us asking ourselves, "Is using Dropbox worth the risk?"
I was perusing the seminar briefing website from this year's Black Hat EU, fishing for potential article topics, when I came across a briefing note titled "DropSmack: How cloud synchronization services render your corporate firewall worthless." Feeling a nibble, I read the briefing. Right away, I knew I hooked a keeper:
"The contributions of this presentation are threefold. First, we show how cloud-based synchronization solutions in general, and Dropbox in particular, can be used as a vector for delivering malware to an internal network."
The other two contributions were as eye-opening:
- Show how the Dropbox synchronization service can be used as a Command and Control (C2) channel.
- Demonstrate how functioning malware is able to use Dropbox to smuggle out data from exploited remote computers.
I'd like to introduce Mr. Jacob Williams (@MalwareJake). Jake is a highly skilled pen tester and digital forensic scientist employed by CSR Group. He's the guy who gave the Black Hat presentation, and he's the one who is going to cause significant angst among Dropbox users as well as corporate-security types.
The events as they unfolded
As the story goes, Jake was hired to perform a "no holds barred" penetration test on a corporate network. Nothing Jake tried worked, even social engineering the employees. Then Jake found a crack -- the company CIO. He obtained a personal email address and a way to spear-phish the CIO.
He just had to wait until the CIO used his work notebook away from the corporation's highly secure network. In less time than one would expect (scary actually), Jake owned the notebook.
While snooping around on the CIO's computer, Jake couldn't believe his luck; he found corporate documents quietly sitting in a Dropbox synchronization folder. Jake told me, "I knew I could use Dropbox as a conduit into the inner corporate sanctuary. What I didn't know was how."
That's because Dropbox databases are encrypted; and reverse engineering the Dropbox software in order to read the databases would take longer than Jake had. Not to be denied, Jake and his cohorts eventually discovered a way in. It seems massive quantities of beer played a vital role (from Jake's Black Hat presentation).
By design, Dropbox would allow Jake to send files to all the devices associated with the CIO's Dropbox account, but that's not enough. Jake needed a way to infiltrate further into the company network, install malware, and find specific documents as part of the pen-test requirements.
Figuring out how to accomplish all that was Jake's epiphany, and like any good pen tester wanting to get unstuck, Jake created a tool called DropSmack to perform the above steps.
Next step was getting it loaded. Jake realized all he had to do was get the CIO to open a file infected with DropSmack in his Dropbox folder, and it would install. Here are the steps:
- Embed DropSmack in a file already synchronized by Dropbox.
- Add some macro goodness.
- Load file back on the compromised computer.
- File automatically synchronizes.
- Wait for the victim to open the file on the internal network.
I thought I had a gotcha; I asked Jake, "What about Windows 7 and needing admin rights to get by the UAC?" Jake told me something I should have known, but didn't, "Dropbox does not need admin rights to load, because it installs into the user's profile directory. So we did the same thing with DropSmack -- nice and simple." Something else I didn't understand: "Now that DropSmack is installed, how do you tell it what to do?" Jake explained:
DropSmack is designed to monitor the Dropbox synchronization folder. We create a file using a .doc extension, put a legitimate file header on the first line, and add the desired commands. Our files won't open in Word (they say the file is corrupted); but that's good, it makes the file less prone to investigation by a snoopy user.
We then place the doctored file in the owned computer's Dropbox folder. Dropbox does it magic synchronizing all associated Dropbox folders. DropSmack detects the file meant for it, and executes the command.
I then asked Jake for a few examples of what DropSmack was capable of doing:
Once you infect a remote machine with DropSmack, it can be used to perform arbitrary actions on the machine. This includes pivoting to other machines in the remote network (such as a file server). Using the PUT command, you can upload any new tools you may need to the remote machine. The EXEC command allows you to execute those tools. The GET command allows you to retrieve output from any commands that was written to an output file.
To get remote shares mounted to a machine, you'd just upload a batch script containing the "net use" command that outputs to an output file, EXEC the script, and retrieve the output file. I demonstrated this live at the Black Hat EU conference, capturing a listing of the user's home directory, IP configurations, and the Program Files directory (to see what software was installed on the machine).
Jake beat me to the punch on my next question. I wondered if the notifications Dropbox created would seem odd to the user.
So, for now, Jake makes sure the name of the command file relates to the files already in Dropbox.
Next, Jake and I discussed how to foil DropSmack. Jake didn't have much regard for normal antimalware methods: such as IDS, firewalls, antivirus apps, or DLP software. He felt whitelisting software was the only for sure way to prevent DropSmack from loading.
More importantly, Jake suggested that security managers think long and hard before allowing Dropbox or any file-synchronization application, no matter how convenient they are. Besides the more obvious reasons for disallowing file-synchronizing apps, Jake alluded to the "can of worms" companies can find themselves in regarding privacy laws. He explained:
Many general counsels are more than a little worried about the appearance of authorizing us to pen test what could end up being be home machines. That's becoming a sticky issue with pen-testers these days as people open spear phishing emails delivered to the corporate email addresses on machines that may be privately owned.
Jake also pointed out:
The Computer Fraud and Abuse Act doesn't allow the corporation to authorize testing of an employee's personal assets. Usually penetration testers solve this problem (and avoid breaking the law) by only acting on malware from machines in the corporation's public IP range.
The liability issue resulting from privacy laws affects more than just pen testers; companies allowing file synchronization apps are apt to get embroiled in issues similar to the legal implications of BYOD.
Jake and I felt it important to mention that Dropbox is by far the most secure of all file synchronization applications that Jake looked at. In fact, he uses Dropbox personally (at least he did before finding the issue). Jake also wanted me to make sure and mention that Dropbox was not compromised in order to accomplish his pen-testing goal. It was just a conduit.
A few more interesting tidbits from Jake:
- More often than not, Dropbox is loaded on corporate networks whether it is approved or not -- most of the time it's not.
- It's a good bet the bad guys know this technique, and are already using it.
The article may make it seem that DropSmack is more of a corporate concern, but that is not necessarily so. Once DropSmack or similar malware becomes mainstream in bad-guy circles, it's everyone's concern.