
SaaS platforms - The new Wild West of malware

09 Jan 2018

Proofpoint researchers have identified a vulnerability that allows attackers to leverage Google Apps Script to automatically download arbitrary malware hosted in Google Drive to a victim's computer. 

Google Apps Script is a development platform based on JavaScript that allows both the creation of standalone web apps and powerful extensions to various elements of the Google Apps SaaS ecosystem. 

Proofpoint research has found that Google Apps Script and the normal document sharing capabilities built into Google Apps supported automatic malware downloads and sophisticated social engineering schemes designed to convince recipients to execute the malware once it has been downloaded. 

Proofpoint also confirmed that it was possible to trigger exploits with this type of attack without user interaction, making it all the more urgent that organisations mitigate these threats before they reach end users, whenever possible.

Proofpoint's exploit began by uploading malicious files or malware executables to Google Drive, to which threat actors could then create a public link.

Actors could then share an arbitrary Google Doc to be used as a lure and vehicle for a Google Apps Script that delivers the shared malware.

While Proofpoint frequently observes Google Docs phishing and malware distribution via links to Google Drive URLs, extensible SaaS platforms allow greater degrees of sophistication, malware propagation, and automation that are also much more difficult to detect. 

In this approach, recipients received a legitimate link to edit a Google Doc, as many people do on a daily basis, so the old rules of email hygiene apply here as much as ever.

Google has imposed new restrictions on simple triggers to block phishing and malware distribution attempts that are triggered by opening a doc. 

However, recipients also should exercise caution clicking even links to Google Docs unless they know or can verify the sender. 

Moreover, this vulnerability automatically downloaded a malicious file and relied on social engineering to convince the recipient to open it. Users should be wary of files automatically downloaded by web-based or SaaS platforms and be aware of the anatomy of a social engineering attack, while organisations should focus on mitigating these threats before they reach end users where possible.

Since Proofpoint disclosed this vulnerability to Google, the company has added specific restrictions on certain Apps Script events that could potentially be abused. 

Google now blocks both installable triggers, customisable events that cause certain actions to occur automatically, and simple triggers like onOpen and onEdit from presenting custom interfaces in Docs editors in another user's session.
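The restrictions above target triggers that run script in a collaborator's session. As an added example (not Proofpoint's proof of concept or Google's code), the audit below lists the installable triggers of a container-bound Apps Script project and flags those that fire automatically on open, edit, change, form submission or a timer while calling a handler nobody has reviewed. The approved-handler list and sample trigger records are constructed placeholders; the real `ScriptApp` calls are only made when the script runs inside Apps Script.

```javascript
// Added example: defender-side audit of installable Apps Script triggers.
// auditTriggers() works on plain records so it can be tested offline;
// auditProjectTriggers() feeds it real ScriptApp data inside Apps Script.

// How each installable event type runs, from the defender's point of view.
const EVENT_BEHAVIOUR = {
  ON_OPEN:        'runs when any collaborator opens the file',
  ON_EDIT:        'runs on edits by any collaborator',
  ON_CHANGE:      'runs on structural changes by any collaborator',
  ON_FORM_SUBMIT: 'runs when anyone submits the linked form',
  CLOCK:          'time-driven: runs with no user interaction at all',
};

// Handlers the organisation has reviewed and approved (constructed sample).
const APPROVED_HANDLERS = new Set(['buildReportMenu', 'syncInventory', 'logEntry']);

// triggers: array of { eventType, handler, source }. A trigger is flagged when
// it fires automatically AND its handler is not on the approved list.
function auditTriggers(triggers, approved = APPROVED_HANDLERS) {
  return triggers.map(t => {
    const autoRun = Object.prototype.hasOwnProperty.call(EVENT_BEHAVIOUR, t.eventType);
    return {
      handler: t.handler,
      eventType: t.eventType,
      source: t.source,
      flagged: autoRun && !approved.has(t.handler),
      note: autoRun ? EVENT_BEHAVIOUR[t.eventType] : 'event type not in the audit table',
    };
  });
}

function flaggedHandlers(findings) {
  return findings.filter(f => f.flagged).map(f => f.handler);
}

// Inside Apps Script only: convert real Trigger objects to plain records.
// Assumes the enum values stringify to their names (e.g. "ON_OPEN").
function auditProjectTriggers() {
  if (typeof ScriptApp === 'undefined') return null; // not running in Apps Script
  const records = ScriptApp.getProjectTriggers().map(t => ({
    eventType: String(t.getEventType()),
    handler: t.getHandlerFunction(),
    source: String(t.getTriggerSource()),
  }));
  return auditTriggers(records);
}

// Constructed sample resembling what getProjectTriggers() might return.
const SAMPLE_TRIGGERS = [
  { eventType: 'ON_OPEN', handler: 'buildReportMenu', source: 'DOCUMENTS' },
  { eventType: 'ON_OPEN', handler: 'fetchAttachment', source: 'DOCUMENTS' },
  { eventType: 'CLOCK',   handler: 'pollUpdates',     source: 'CLOCK' },
  { eventType: 'ON_FORM_SUBMIT', handler: 'logEntry', source: 'FORMS' },
];
```

Run `auditProjectTriggers()` from the script editor of a shared document to see which of its triggers would run in a collaborator's session without review.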

However, the proof of concept Proofpoint provided to Google and recently presented at the DeepSec Conference demonstrates the ability of threat actors to use extensible SaaS platforms to deliver malware to unsuspecting victims in even more powerful ways than they have with Microsoft Office macros over the last several years. 

Moreover, the limited number of defensive tools available to organisations and individuals against this type of threat makes it likely that threat actors will attempt to abuse and exploit these platforms more often as we become more adept at protecting against macro-based threats.

SaaS platforms remain a “Wild West” for threat actors and defenders alike.

New tools like Google Apps Script are rapidly adding functionality while threat actors look for novel ways of abusing these platforms.

At the same time, few tools exist that can detect threats generated by or distributed via legitimate software-as-a-service (SaaS) platforms.

This creates considerable opportunities for threat actors who can leverage newfound vulnerabilities or use “good for bad”: making use of legitimate features for malicious purposes.

With malicious Microsoft Office macros, threat actors introduced layers of obfuscation, new techniques, and innovative approaches designed to better deliver malware payloads.

The same level of innovation is likely as SaaS applications become increasingly mainstream and threat actors become more sophisticated in their abuse of these tools.

Organisations will need to apply a combination of SaaS application security, end-user education, endpoint security, and email gateway security to stay ahead of the curve of this emerging threat.
