
The Cloud is for Launching Cyber Attacks

BSides Philly · 2020 · 34:07 · Published 2020-12
About this talk
Cloud services provide attackers with scale, ease of use, and built-in trust—ideal for launching phishing campaigns, delivering malware, hosting command-and-control servers, and exfiltrating data. Drawing on telemetry from millions of users across hundreds of organizations, this talk examines real-world attack patterns including Emotet trojans, GuLoader, SLUB malware, and credential stealers, and explains why attackers favor the same cloud platforms their victims use.
Original YouTube description:

Title: The Cloud is for Launching Cyberattacks

The scale and ease-of-use of the cloud make it the ideal environment for launching cyberattacks. In the past year, we have uncovered phishing campaigns, scams, Trojans, malware payloads, command and control servers, data exfiltration channels, and more, all hosted on popular cloud services. Cloud services provide excellent cover, especially when the attack uses the same cloud services as the victim. By far the most popular ways cloud services are used in cyberattacks are for phishing and malware delivery. Once inside an organization, traditional methods still dominate, but cloud services are becoming more popular. Cloud services are even gaining popularity among insider threats -- 7% of all users copy sensitive data from their employers to their personal accounts. In this presentation, we provide statistics collected from millions of users from hundreds of organizations, specific examples of threats, and recommendations to prevent organizations from falling victim to the next cloud-based cyberattack.
Transcript [en]


Hi there, my name is Ray Canzanese and I am very excited to be here today at my first ever BSides Philadelphia. Thanks to the BSides Philadelphia team for allowing me to be here today to talk to you, and thank you for joining for this presentation. This presentation is entitled "The Cloud is for Launching Cyber Attacks," and I'll start with a little bit more about me and my team. I'm the director of threat research at Netskope. I have my PhD in electrical engineering from Drexel University, where I worked a lot on malware analysis. My background, in addition to malware analysis, is in software anti-tamper and, as of late, a lot more cloud security and using machine learning to solve problems in security. I've been in infosec for about 15 years now, and if you would like to follow me on social media, I've shared my Twitter handle here. If you have any questions about anything I'm presenting today, or generally just want to talk cyber security, I've also shared my personal email address; feel free to reach out to me there.

For my team and what we do: we mostly do threat hunting, threat intelligence, and threat analytics, and the data on top of which we're doing those things comes from the products that we sell, those being a secure web gateway and a cloud access security broker. The two of those, in the context that we're talking about today, are inline controls that provide us visibility into all of the web traffic traversing any device, and also very detailed analysis of the cloud traffic. For example, that gives us activity-level visibility: the difference between a download from Google Drive or an edit of a Google Drive document, or sending a Slack message or downloading an attachment from Slack. I'm going to share a bunch of figures and examples and trends, and whenever I'm sharing information from the Netskope platform today, that's from 676 different organizations, a subset of our total user base, and about a million active daily users.

I'll start with posing a question, and that question is: why does anyone use the cloud? The answers to that are generally cost savings; because it's easy, right, it makes things that otherwise would require us to set a bunch of stuff up ourselves a lot easier to use; the automation, the templates, the ability to deploy something in multiple environments very easily; and then the flexibility and scale that that allows the organization. The other question that I'm going to try to get at the answer to in this presentation is: why would an attacker use the cloud? Is it these same five reasons? Is it something else? Is it the same five reasons plus

something else? That's what we're going to get at today.

I want to start with some things that happened in 2020 from an enterprise security viewpoint. The first thing is the great work-from-home migration. This is coming from the Netskope platform, so this is based on just that subset of about a million users that I was talking about at the beginning. In that subset, we saw at the beginning of the year about 30 percent of them were working remotely on the average weekday, and when that COVID-19 pandemic declaration came from the WHO in that week or two in March, we went from 30 percent of all of the users on our platform being remote to nearly 70 percent. In the months since, that percentage is slowly climbing; we've peaked at maybe 75 percent so far of people on our platform working remote. Obviously, when you go from an environment where everybody is in the office, behind some network perimeter, accessing things that are within that same network, to a situation where everybody's on laptops and iPads and Chromebooks and personal devices and their cell phones, accessing everything from their home networks, there are some challenges that come along with that.

The other thing we see happening in 2020 is just the continuation of a trend that's been happening for a long time, which is enterprise users moving to the cloud for nearly everything. This is again looking at data from our platform from the past year, and what we see is that last November 88 percent of all of the users on our platform were using at least one cloud app every day. Over the past year we've seen that go up seven points, and today in November, when I'm recording this, 95 percent of all users use at least one cloud app every day. So this is another challenge for organizations to deal with. In the middle of this trend this year, we also saw a massive increase in the amount of usage of collaboration apps, things like Slack, things like Microsoft Teams. When everybody went remote, they also started using collaboration apps, and when you start using collaboration apps, are you, one, locking them down appropriately, and two, ensuring that they're only being used for the things they should be used for? Maybe you don't want sensitive information being shared through your collaboration apps; maybe there are separate channels for highly confidential information to be shared. So there are lots of controls for enterprises to put in place to make sure things are being used appropriately, and maybe one of the biggest ones from the past year being how you deal with private app access: can your VPN handle it,

is your VPN appropriately secured, or do you need a more scalable, flexible private access solution? So that's what was happening in enterprise security, but what else was happening in 2020? The other thing that we saw, and what I'm going to spend the rest of the time today talking about, is cyber attacks being launched from, and in some cases against, cloud applications, and specifically in these six ways. This is going from the left to the right all the way across the kill chain: we're going to start with phishing and we're going to end up with data exfiltration.

So let's dive right in and start with phishing. I'm sharing a fun example, and the reason I picked this one was I'm hoping that somebody watching this today saw this attack and says, "oh yeah, I remember when this one happened." This happened at the end of October and it was pretty widespread; we saw it affecting a lot of people on our platform. What happens? Somebody shares a presentation with you, a Google Slides presentation, and they comment on that Google Slides presentation, and in that comment they send a little message that in this case was a generic "hey, you've received something, you should click on this and get more details." I picked this one because it was so widespread and common, and I'm hoping that some of you here today have seen this. It wasn't extremely convincing. I see a mail-d.xyz, and as an infosec professional I know that the .xyz TLD is widely abused by attackers; maybe that's something that an organization might have just blocked outright. But there are some very interesting things at play here as well. The first is that this email made it to my inbox, and also made it into the inbox of everybody else on our platform who this was targeted at. It wasn't labeled as spam, it wasn't labeled as potentially malicious, it wasn't labeled as an external message; it was just in their inbox, and the reason is because it's just a comment on a Google Doc.

I have this square at the bottom left of all of these slides that's asking why: why use the cloud for this? So why use the cloud for phishing? Number one in my list of whys is to bypass email filters, and that's exactly what this did. Number two in my list is exploit the user's trust, and what I mean by that is I use Google Slides all the time. Right now I'm recording this

video of me presenting to you a Google Slides presentation. In preparing this slideshow, people on my team reviewed it and made comments on it, and I got emails just like this. What I'm saying is that attackers are using apps that are popular among their victims and are trying to use them in a way their victims probably use them as well. We see an awful lot of this. This is just one example, but this is one of the most common things we see attackers using the cloud for: it's Google Drive, it's Dropbox, it's Box, it's all of these cloud storage apps that allow you to share documents with other people, and using them to try to get past those email filters and convince the user to click on something.

Before I leave the phishing topic and move on to the next one, I also want to talk about the other angle here. The last slide was phishing from the cloud, and so now I'm talking about phishing for cloud credentials. This picture comes from APWG, the Anti-Phishing Working Group. They put out a quarterly report of trends in phishing, and what's been happening for the last few years is that a big slice of this pie has been phishing for cloud credentials, and you can see it here: SaaS and webmail, cloud storage and file hosting, it's more than 35, 36 percent of the total targets for phishing. So this is just showing that attackers are going after cloud credentials, and again let's ask that question: why? The why is because that's where the sensitive data lives, especially in these webmail apps. If you can get access to somebody's webmail, you might find VPN credentials, you might find out what apps they're using, you might be able to reset their passwords for those apps. So getting access to webmail is still extremely valuable.

Let's move to the next one. This is moving in order of the kill chain: we talked phishing, ways to get emails into people's inboxes and convince them to click on something. Now let's talk about the trojans; maybe this is one of the things that the attacker was trying to get them to click on. I'll begin with another figure of some statistics from our platform. This is showing some file types and the prevalence of those file types in the universe of malicious files that we are detecting and blocking on our platform, and this first one is the one I want you to focus on: office documents, before. When I say before here, this is before COVID, so this is in

January, February, early March. We saw about five percent of all of the malicious files that we were blocking on our platform were office documents. Over the summer we hit a point where it was nearly 45 percent, so it's just a huge increase in the number of malicious office documents that we were seeing, and these were all Emotet related. You'll say, what are you talking about here? We were trying to talk about trojans. That's what I'm getting at; I just wanted to share that context that this was happening in massive numbers, and what was happening was this. The Emotet crew is sending these emails, and these emails typically look like replies from real people, in many cases because they are replies from real people. This is the Emotet crew leveraging compromised endpoints and compromised email accounts that they already had to send these messages. So you get this message and it looks pretty good. It doesn't look like the other message I just shared, the "you've received an important notice, please click on this link." No, this has a confidentiality notice, it's from a real person; if I looked up their email address I would find more details about who this person actually is on the web. It has a download link in the email to download a Word document from Box, and we saw Box used a lot in these Emotet campaigns that were targeting people on our platform. You download the Word document from Box and open it in Word, and it would ask you to enable macros. You might say, "oh, macros, who uses them anymore?" People who work in the enterprise today. Macros are still a feature because they are still widely used, so lots of people are used to allowing macros, executing macros. They see something from somebody they trust, they run it, it executes a PowerShell script, and the PowerShell script downloads a payload. We saw the same pattern in so many different variants of these emails and these Emotet trojans. It was always: open it, and you see in the process execution visualization block, open it in Microsoft Word, through an RPC it launches PowerShell using WMI, PowerShell is then going to reach out and grab that next-stage payload and download it.

Same question I'm asking in all these slides: why? First thing, why are they doing this? Let's bypass the email filters again. Really clever to use real email addresses, real people's mailboxes, and again they're not attaching (in some cases they were, but in this example they're not attaching) the malicious file; they're sharing a

link to it on Dropbox. So, other ways to get through the email filters, and again most of these messages were ending up in people's inboxes, not caught by any of the filtering solutions they had in place. Number two, exploit the user's trust: I know this person, I receive emails all the time from them or emails like them, I receive Microsoft Word documents all the time, I use Box all the time; all this stuff looks legitimate, and that's reason enough for me to click on it, open it, and see what's in there.

We're talking Emotet, so what's Emotet's goal eventually? To download some malicious payload. So let's talk now about payloads, but let's talk about a different example just for fun: let's talk about GuLoader. Here I just have a screenshot of the indicators that we pulled out for one of these samples that we detected from our sandbox. So this is one that a sandbox picked up, and first off, this is fun: GuLoader had what I like to call the kitchen sink of anti-analysis techniques in there. So you see this layer, somebody's obviously got something to hide here, evading debuggers, doing other things to avoid being analyzed by things like my sandbox here. I can see that they're trying to execute something: it's creating new processes, it's creating system objects, it's writing memory pages and labeling them as executable, clearly trying to execute something. And what is that something that they're trying to execute? Well, it's a document here that they're downloading from none other than Google Drive. GuLoader was extremely popular this year; Emotet and GuLoader were probably the two most common downloaders that we saw on our platform, meaning we saw people actually falling for it and trying to download these things.

The question comes up again: why? Why do it this way? Why is it significant to try to download your next-stage downloads from Google Drive? Well, you saw in my earlier example, I said I'm an infosec professional, and so when I see a message from Google Drive saying click on this link, mail.xyz, I'm like no, that's almost certainly nonsense; I could probably even block .xyz and be good to go here. There are a lot of web filters that work that way: they block TLDs, or they block domains that are suspicious or newly registered or not popular or are explicitly on some threat feed that says you should

block these. So use Google Drive and you bypass all those web filters, and you also probably bypass a fair number of enterprise security products that do filtering that way. That's the why. You've got this far; why blow it by trying to download the malware from somewhere that's likely to be blocked? No, instead try to download the malware from Google Drive, or somewhere that's almost certainly not going to be blocked, and you'll be able to get these payloads into those enterprises you're targeting without any issue.

Now that we've got a payload running on a machine, let's talk about some of these different types of payloads that we've seen, and let's start with credential stealers. The credential stealing story is very similar to the phishing story that I told with that graph from APWG. What are you trying to steal, credentials-wise? Banking passwords, that sort of stuff, but also cloud credentials. The why: that's where the sensitive data is, the same reason why phishers are after cloud credentials. What we've seen credential stealers doing is generally trying to steal everything from the browser, with the intention that your cloud app credentials are going to be in your browser password store, but also, quite interestingly, stealing things from your file system where certain apps store their credentials. So, for example, AWS stores credentials in .aws/credentials; that's stored in plain text in the user's home folder, so if you're running on that system you can grab those credentials out. We've also seen quite a bit of trying to steal OAuth tokens, API keys, anything that you can steal for any of these native apps that are running on the customer's machine. One of the examples that I use here is if you're using Google, the gcloud utility, and you run that gcloud auth command, and it takes you through the OAuth flow and opens the browser and you click OK, authorize, and all that fun stuff, what happens to those credentials? They get stored in a SQLite database, plain text, on your machine. So credential stealers can go after those credentials as well. I pointed out these AWS and GCP credentials here because it's another sort of end game for attackers. So I have the why here: that's where the sensitive data is, but with things like AWS and GCP the why is also, well, that gives me access to infrastructure that I, one, don't have to pay for and, two, might be able to stay under the radar with for a while. You can use those

credentials to spin up infrastructure to launch additional attacks, or host payloads for additional attacks. So that's another reason why to go after things like AWS and GCP credentials.

Next on the list is command and control, and the example that I want to share here is a malware family called SLUB. This is a malware family that has been around for a while; we see sporadic attacks that use it, and it works generally like this. Step one, grab some commands from a GitHub gist. Step two, run the commands and post the responses to a Slack channel. And then step three, if the command is to grab some files, upload those files to file.io. So what's happening here is GitHub and Slack being used as a command and control server, and I have a URL here which is a link to a PoC that shows just how easy it is to do this. You can do this really in any app, but certainly messaging apps like Slack are really nicely suited for this type of messaging application. And the why: number one, bypass the web filters. I mentioned it before, it's easy to block .xyz, it's easy to block malicious domains; there are a lot of enterprise security products that rely on web filters. There's also, if you're talking about IPS/IDS, the IPS has a lot of signatures that are built to detect all of these custom command and control protocols and implementations that attackers have made over the years, but if your command and control channel is just posting Slack messages, what's the IPS signature for that? So being able to get around some of these enterprise security products by doing something like using a chat program that everybody in your enterprise is already using: you're going to blend in with everything else, and it's going to be really hard for something like an IPS to detect it.

This brings us to data exfiltration, and this is my last example. This is a fun one that I chose not because it's being launched by sophisticated attackers, but rather because it's not. This was pretty widespread, we see a lot of it, and it's happening in Discord. It looks very ad hoc, mostly script kiddies, and they are going after their victims' cloud credentials, mostly Discord. So what happens: they target the user with the malware, which is hosted on Discord and GitHub. Once it's on the machine, it is a credential stealer; it grabs the credentials from the web browser, it also looks for Discord credentials for the native app, and it posts all of the credentials that

it steals in a Discord message that it sends right back to the attacker. Again, I shared this one (I've got a blog post on it on our blog if you want to go read more about it) because it's a pretty easy one to decompose and take a look at how it works. The source code is posted currently on GitHub; who knows if or when that will get taken down, but it's something that you can get your hands on and see how this works. And the question why: why do data exfiltration this way? Number one, bypass web filters, like we've been talking about. If you use Discord, it's hard to say "let's filter out Discord," and again IPS signatures and other things that you might have relied on for detecting data exfiltration aren't going to be very effective when you're trying to detect a needle in a stack of needles: that Slack message that was bad versus that Slack message that everybody else has been sending all day long.

Okay, so that was the six, so let's recap a little bit. Why does anybody use the cloud? Cost savings, ease of use, automation, flexibility, scale. Same reasons attackers are using the cloud, except there's more. In addition to that, we identified them as we went through: bypass email filters, that's how you're going to get phishing messages and messages to deliver trojans into the users' mailboxes; bypass web filters, so that when they're clicking on things to download next-stage payloads, when they're sending command and control messages, when they're exfiltrating data, that's not likely to be gobbled up by a web filter if it is using the same apps that that organization typically uses; by the same token, bypass other security products, and we talked quite a bit about IPS; exploiting users' trust is a big one here for the phishing, for the trojans, the idea being that users are used to using these apps these days, they're in the user's face all the time, and you can see it with what the attackers are doing: what apps did they pick to use? All the ones that are the most popular. And then finally, that's where the sensitive data is. So why use the cloud and why go after the cloud? Well, because the data that you're going after is hosted there. Ransomware has been big business this year for attackers, very traditional ransomware going after endpoints and encrypting endpoints, but if you want somewhere else to go after data, cloud is where a lot of data lives.

So what are attackers using the cloud for? We identified those six things, from phishing through to data exfiltration. The most popular techniques we saw this year were at the beginning of the kill chain: phishing, trojans, malware payloads, credential stealers. That was the stuff we saw most commonly happening in 2020. Diving in a little bit more on the apps that we saw being used and abused by attackers, these are the top five: Box, S3, OneDrive, SharePoint, and GitHub. They make up about half of the malware blocks on our platform from the cloud this year so far; the other half come from 120 other apps that I didn't list in this figure. So a huge wide array of apps being abused to do all of this, but the most popular apps being abused are also very popular apps among the general populace.

If I go and look at those last two, command and control and data exfiltration, we are predicting that we will see an increase in those two happening over cloud apps in 2021. The reason is that we've seen enough examples that we expect that other attackers will emulate, that we'll start seeing this en masse. It always takes a few trendsetters to try these things out before everybody just starts copying and pasting their code and reusing it in all of their new malware samples. And because these early ones were heavily reliant on collaboration apps, especially Slack and Discord, those chat apps we saw used quite a bit, we expect to see a rise not only in these but a rise in these specifically abusing collaboration apps. But we do also expect that we'll see some other stuff happening as well: we expect to see other types of apps being used for command and control and data exfil and being used in new and creative ways. One example that we just saw happening recently was draft email messages being used for command and control, so as people try those out and see successes there, we'll see more and more of it. But 2021: huge rise in collaboration apps being used for those three techniques.

And so that's it for my presentation. Thank you for joining me today, thanks for taking the time to talk about how the cloud is being abused and being used to launch cyber attacks. Again, we talked about these six techniques, everywhere from phishing all the way to data exfiltration, on both ends of the kill chain. I've shared here again my Twitter handle and my personal email address if you'd like to reach out to me on social media or send me a DM, if you want to talk more about anything I talked about here today or really anything in cyber security, especially

cloud security. Always happy to talk security with anybody. Thanks a lot, cheers, and enjoy the rest of the conference.
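An added example, not from the talk and not Netskope's code: a small Python audit for the plaintext cloud credentials the talk says stealers go after. It parses an AWS shared credentials file (the .aws/credentials file mentioned in the talk), reports profiles that hold a long-term access key with no session token, and reports file permissions that let other local users read it; it also lists the gcloud credential database files if they are present. The sample file contents, key IDs and paths are constructed; the AKIA/ASIA key-ID prefix convention and the gcloud file names are assumptions taken from AWS and gcloud behaviour, not from the talk.

```python
"""Audit a workstation for plaintext cloud credentials that stealers target.

Added example, not code from the talk or from Netskope. Assumes POSIX file
permissions and the standard AWS shared-credentials INI layout. Sample data
below is constructed.
"""
import configparser
import os
import stat
import tempfile
from pathlib import Path

# Assumption from AWS conventions: long-term (IAM user) access key IDs start
# with "AKIA"; temporary STS keys start with "ASIA" and come with a session token.
LONG_TERM_PREFIX = "AKIA"

# Assumption from gcloud behaviour: after `gcloud auth login` the tokens live in
# SQLite files under the gcloud config directory (normally ~/.config/gcloud).
GCLOUD_DB_NAMES = ("credentials.db", "access_tokens.db")


def audit_aws_credentials(path):
    """Return a list of finding strings for the AWS credentials file at `path`."""
    findings = []
    p = Path(path)
    if not p.is_file():
        return findings

    # Finding 1: anyone else on the box can read the file (group/other bits set).
    mode = stat.S_IMODE(p.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{p}: readable by group/others (mode {oct(mode)}), expected 0o600")

    # Finding 2: a profile stores a non-expiring key pair in plain text.
    parser = configparser.ConfigParser()
    parser.read(p)
    for profile in parser.sections():
        key_id = parser.get(profile, "aws_access_key_id", fallback="")
        has_secret = parser.has_option(profile, "aws_secret_access_key")
        has_token = parser.has_option(profile, "aws_session_token")
        if key_id.startswith(LONG_TERM_PREFIX) and has_secret and not has_token:
            findings.append(f"{p}: profile [{profile}] holds a long-term access key in plain text")
    return findings


def gcloud_credential_stores(config_dir):
    """Return the gcloud credential database files present under `config_dir`."""
    d = Path(config_dir)
    return [str(d / name) for name in GCLOUD_DB_NAMES if (d / name).is_file()]


def demo_findings():
    """Write a constructed sample credentials file to a temp dir and audit it."""
    tmp = Path(tempfile.mkdtemp(prefix="cred-audit-"))
    sample = tmp / "credentials"
    sample.write_text(
        "[default]\n"
        "aws_access_key_id = AKIAEXAMPLEKEY000001\n"      # constructed, not a real key
        "aws_secret_access_key = constructed-secret\n"
        "\n"
        "[temp-role]\n"
        "aws_access_key_id = ASIAEXAMPLEKEY000002\n"      # constructed temporary key
        "aws_secret_access_key = constructed-secret\n"
        "aws_session_token = constructed-session-token\n"
    )
    os.chmod(sample, 0o644)  # deliberately too permissive for the demo
    return audit_aws_credentials(sample)


if __name__ == "__main__":
    for finding in demo_findings():
        print(finding)
    print(gcloud_credential_stores(Path.home() / ".config" / "gcloud"))
```

Run it against the real path (`~/.aws/credentials`) to see which profiles would be worth stealing from that machine; the usual fix is to replace long-term keys with short-lived credentials issued through an identity provider or a role, and to keep the file at mode 0600.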
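A second added example, again not from the talk or from Netskope's products: two defender-side checks over web-proxy log lines. The first flags Office documents downloaded from cloud storage and sharing apps, the Emotet delivery pattern the talk describes; the second flags a client posting to a collaboration-app API at a steady, low-jitter interval, which is one practical way to triage a chat-based command-and-control channel when, as the talk points out, there is no IPS signature to match. The log format, the sample lines, the host watchlists and the thresholds are all constructed assumptions; hostnames such as app.box.com and api.slack.com appear only as labels in the constructed log.

```python
"""Two defender-side checks over proxy log lines (added example, not from the talk).

Constructed line format: "<ISO timestamp> <client> <method> <host> <path> <status>".
Watchlists and thresholds are assumptions to tune against real traffic.
"""
import posixpath
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed watchlist of cloud storage / sharing apps (assumption, not a product list).
SHARING_HOSTS = {"app.box.com", "drive.google.com", "www.dropbox.com", "onedrive.live.com"}
# Office document types, including the macro-capable ones the Emotet lures relied on.
OFFICE_EXTS = {".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx", ".ppt", ".pptm"}
# Constructed watchlist of collaboration-app API hosts to examine for beaconing.
COLLAB_API_HOSTS = {"api.slack.com", "discord.com"}

# Constructed sample log: 10.0.0.5 downloads a Word doc from Box, then posts to the
# Slack API every 60 seconds; 10.0.0.7 browses normally and posts irregularly.
SAMPLE_LOG = """\
2020-11-10T09:00:00 10.0.0.5 GET app.box.com /s/ab12cd/Invoice_1103.doc 200
2020-11-10T09:00:07 10.0.0.5 GET www.example.com /news 200
2020-11-10T09:00:12 10.0.0.7 GET app.box.com /s/zz99/holiday-photos.zip 200
2020-11-10T09:00:30 10.0.0.7 GET www.example.com /report.docx 200
2020-11-10T09:01:00 10.0.0.5 POST api.slack.com /api/chat.postMessage 200
2020-11-10T09:02:00 10.0.0.5 POST api.slack.com /api/chat.postMessage 200
2020-11-10T09:03:00 10.0.0.5 POST api.slack.com /api/chat.postMessage 200
2020-11-10T09:03:15 10.0.0.7 POST api.slack.com /api/chat.postMessage 200
2020-11-10T09:04:00 10.0.0.5 POST api.slack.com /api/chat.postMessage 200
2020-11-10T09:05:00 10.0.0.5 POST api.slack.com /api/chat.postMessage 200
2020-11-10T09:06:00 10.0.0.5 POST api.slack.com /api/chat.postMessage 200
2020-11-10T09:41:02 10.0.0.7 POST api.slack.com /api/chat.postMessage 200
2020-11-10T10:15:40 10.0.0.7 POST api.slack.com /api/chat.postMessage 200
"""


def parse_log(text):
    """Parse constructed log lines into event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, status = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "method": method, "host": host, "path": path, "status": int(status)})
    return events


def office_downloads_from_sharing_apps(events):
    """Successful GETs of Office documents served by a sharing app on the watchlist."""
    hits = []
    for e in events:
        ext = posixpath.splitext(e["path"])[1].lower()
        if (e["method"] == "GET" and e["status"] == 200
                and e["host"] in SHARING_HOSTS and ext in OFFICE_EXTS):
            hits.append({"client": e["client"], "host": e["host"], "path": e["path"]})
    return hits


def beaconing_clients(events, min_requests=6, max_cv=0.1):
    """Clients whose requests to a collaboration API are regularly spaced.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests: human chat traffic is bursty, a scripted poll loop is
    not. This is a triage signal to investigate, not a verdict.
    """
    series = defaultdict(list)
    for e in events:
        if e["host"] in COLLAB_API_HOSTS:
            series[(e["client"], e["host"])].append(e["ts"])
    hits = []
    for (client, host), stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append({"client": client, "host": host,
                         "requests": len(stamps), "mean_gap_s": round(avg, 1)})
    return hits


def run_checks(text=SAMPLE_LOG):
    """Run both checks over a log text and return their results together."""
    events = parse_log(text)
    return {"office_downloads": office_downloads_from_sharing_apps(events),
            "beacons": beaconing_clients(events)}


if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(name, hits)
```

On the constructed log the first check returns the Invoice_1103.doc download from app.box.com and the second returns only 10.0.0.5, whose six posts are exactly 60 seconds apart; the irregular posts from 10.0.0.7 are left alone. Real desktop chat clients also poll, so in production the beacon check is a feed into triage (which process, which user, what was posted) rather than a block rule.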
