
Awesome. So my talk today is Betty won't block people API's in the rise, and, uh, I'd like to mention, Michael Banks, I'm from Rendition InfoSec. I'm a signal officer in the Army Reserve. I'm an alumni, I guess, the university bathrooms here, and now I'm currently the math program here as well, so I always keep a guest on my mom. So a couple disclaimers: you know, these are my... I did my last year, I used Dr. Evil from Austin Powers, so I use Mr. Robot, and so I'm still using the evil theme pretty much. And the last disclaimer I'll say is, uh, this is definitely a post-exploitation talk, so I assume they are, as many companies frequently do. So I'm gonna be flying through this and say a 30 minutes that, so tell me either how they can or may not detect, and then some other APIs out there that are interesting, in there that look awesome things.

So, API, real quick, is an application programming interface. It's basically a way that you can, you know, your convention or back end of a service. So there are many out there, and there were many companies that utilize it, you know, every day more about you guys, and used in different companies using a few guys to briefings. So nowadays only say, you know, it downsides API as well, and some ways that it can be taken advantage of. So some of the common methods you would interact with: nice, nice things, and that's the reason we use APIs, is that way you don't have to know SQL, and that way can make it easier to actually communicate with the data on the system. So some of the common data, data actually, methods would be...
But pretty easily, users, pretty common to use. Another method that you, Noatak, utilize is to, you know, based basic VPS, so bye-bye, you know how society... even though, but against old attributed back to you. So some of the things that start seeing why fear in you before that were...
What, what is that on the actual system, see what they see, but doesn't leave a large footprint. So one of the things that got me thinking, well, you know, they have these services in there, you know, maybe Yankee you can start utilizing that information. So there are many other data exfiltration methods, there are many other APIs out there that you can utilize, and they are freely available as well. So one of the things I was curious on: if you're a network defender, you see this pretty typical traffic. Here's another, who would block this traffic, and also make some other labels. So, or utilizing application is making those same network calls, here's another sheet, stop, cool, hey, nothing. You see a lot of the columns and they're coming from that source, but if you resolve them, actually nothing but Google API calls. So, wow, this is, so like I mentioned, Google has a lot of APIs. They're out there, free, freely and easy to use, and one thing I was interested in is just how many APIs out there that Google provides. Anyone have a wild number of how many APIs Google has right now available to use? So actually, as of today, I checked, 121 APIs that are freely available to use. So the one I utilized, and one now is interested in the most, Google Sheets. It's free, officially, like Excel, it's just a large entities, it's being hosted by Google in their infrastructure, so it has multiple support...
...other services to do different things. So, and that's how it actually came to be that I was actually looking in the Google Sheets, because I was doing logging of actual thing, and actually I wanted to get data to this Google sheet, so I just utilized the Google Sheets API and sent it there directly. So I'm gonna do a lot of demo, and I'm pretty certain it should work over the Internet. So all I did, basically, is create a log, and actually I'll show you the log. So here's the log, this is how it started out: I had a honeypot, now it's basically parses my log, you know. So that's how it started. I parse the fields, that parses that log, and I'll warn it's in the relevant fields to Google Sheets. So I utilized Python for it, and all I do is give it the Python file and extra log. And one of the things I'll mention later on is how to actually protect against it, is application whitelisting for 30 minutes, so don't make those API calls. And it'll just start logging in, and they'll do it in real time. So one of the neat things with Google Sheets is you can actually see it happening as it happened, so I was a pretty neat. It finds what was written to it, finds the next empty field, and it keeps it going. So that was one of the, you know, things of how it started. Now I was interested, I was looking at the traffic, you know, I could secure. So turns out, some reason I know this, but you can actually put 50,000 characters in one cell in Google Sheets. So I can actually, I was like, I wonder if I can put an entire file in here. So I thought about hashing, and I was like, no, I don't want to do with that, so I'm just gonna send the whole text up there. So one of the things I made was exfil sheets. So all I'm actually doing is taking that limit of an actual file, by 50,000 limited. You're not passing my API credentials, I give it a spreadsheet ID, and then I send the values I want it to send. So, you know, name of it, there's the argument of the file I'm passing, and then just the glob of text that I sent, and then I dice it up. You have the limit for Google Sheets: you can send 100 API calls per second, and actually probably, so you can actually send 100 calls per second. So one of the things I, I started doing, so I had a file as a 10... So actually, again, on the network you see nothing different of the sort.

All right, different applications and programs to run. Example would be here, I can actually analyze backup...
And that was looking at, that would be the best way to actually mitigate something like this. As I mentioned before, decrypting the traffic, you can do that. If you decrypt the traffic, you can then see what...
...whitelisting the application that did that encrypted traffic is more useful, because more and more malware and programs out there using Eli's HTTP, so you actually have to decrypt traffic or monitor the applications that use that secure connection. So I mentioned the application whitelisting that, you know, some, some companies do, and the complications by doing that. And then some other interesting Google APIs out there: Google Slides, you know, just like a slideshow presentation, I can actually send that data to the Google slide itself. I can send it from Gmail, I can send out an email, I can send it as an attachment to an email from an API directly. There are many APIs and many things you can access out there, and they make it freely available. So many other companies out there that do it, Dropbox, you know, that huge sheet you saw at the beginning with all the companies, a lot of news a few guys, you can communicate with them directly for free. So that's the end of my talk. Are there any questions in general?

So, yeah, they're happier, or, you know, doing the data at that point. If it's some of the other, you can get the song, you have another network. So if it's a lot of there, you can see doing this, but by itself enough. You have to, you know, three engine area versus narrative from that point, respective check to see what is happening. There's more having an understanding of your environment, you know, should the secretary but utilizing lady guy calls that, you know, part where an equalising Dropbox or different policy in software. I have not yet seen, so I see to use, like, the command control from an aspect of using Google Sheets, Google Drive and different things like that. I have not seen them do the data exfiltrated that I'm seeing, using basically for command control, no. So you have this trinket in there, you can actually, you know, grab the data from the spring, but Natalie, it'll take the text, put in the soup. So the point is utilizing Google's backbone infrastructure. If I just kind of itself in some network, but if it's, you like, the Google API, you won't see it much decrypted, you know. So that's some more the perspective view line in their system infrastructure, descended securely, like, oh, we have some giveaways closed, you have some questions you want to ask.