
SaaS platforms - The new Wild West of malware

09 Jan 2018

Proofpoint researchers have identified a vulnerability that allows attackers to leverage Google Apps Script to automatically download arbitrary malware hosted in Google Drive to a victim's computer. 

Google Apps Script is a development platform based on JavaScript that allows both the creation of standalone web apps and powerful extensions to various elements of the Google Apps SaaS ecosystem. 

Proofpoint research has found that Google Apps Script and the normal document sharing capabilities built into Google Apps supported automatic malware downloads and sophisticated social engineering schemes designed to convince recipients to execute the malware once it has been downloaded. 

Proofpoint also confirmed that it was possible to trigger exploits with this type of attack without user interaction, making it more urgent that organisations mitigate these threats before they reach end users wherever possible.

Proofpoint's exploit began by uploading malicious files or malware executables to Google Drive, to which threat actors could then create a public link. 

Actors could then share an arbitrary Google Doc to be used as a lure and vehicle for a Google Apps Script that delivers the shared malware.

While Proofpoint frequently observes Google Docs phishing and malware distribution via links to Google Drive URLs, extensible SaaS platforms allow greater degrees of sophistication, malware propagation, and automation that are also much more difficult to detect. 

In this approach, recipients receive a legitimate link to edit a Google Doc -- as many people do on a daily basis -- so the old rules of email hygiene apply here as much as ever. 

Google has imposed new restrictions on simple triggers to block phishing and malware distribution attempts that are triggered by opening a doc. 

However, recipients also should exercise caution clicking even links to Google Docs unless they know or can verify the sender. 

Moreover, this vulnerability automatically downloaded a malicious file and then relied on social engineering to convince the recipient to open it. Users should be wary of files automatically downloaded by web-based or SaaS platforms and should recognise the anatomy of a social engineering attack, while organisations should focus on mitigating these threats before they reach end users where possible.
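As an added illustration of the two pieces of advice above (verify the sender, treat automatic downloads with suspicion), here is a small Python triage check of the kind an email gateway or SOC script might run over Google share notifications. It is example code written for this page, not Proofpoint's or Google's; the sample notifications, the sender allowlist and the Drive URL shapes it treats as direct downloads (a `drive.google.com/uc?export=download` link and an `/export` path on `docs.google.com`) are assumptions made for the example.

```python
"""Triage Google Docs share notifications for two risk signals described in
the article: an unverified sharer, and links that fetch a file directly rather
than opening a document in the editor. Example code, not Proofpoint's; all
sample data, allowlists and URL patterns below are constructed assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

# Assumed allowlist of sharers the organisation has verified (constructed).
KNOWN_SENDERS = {"alice@example.com", "bob@example.com"}
KNOWN_DOMAINS = {"example.com"}

# Crude URL extractor: stop at whitespace, quotes and angle brackets.
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def is_known_sender(addr: str) -> bool:
    """Sender is verified if the address or its domain is on the allowlist."""
    addr = addr.lower()
    return addr in KNOWN_SENDERS or addr.split("@")[-1] in KNOWN_DOMAINS


def is_direct_download(url: str) -> bool:
    """True for Drive/Docs URLs whose shape delivers a file instead of opening
    the document. Patterns assumed for this example:
      - drive.google.com/uc?export=download&id=...
      - docs.google.com/.../export?format=...
    A plain /edit link is the normal collaborative-editing link and is not flagged."""
    parts = urlparse(url)
    host = parts.netloc.lower()
    if host not in ("drive.google.com", "docs.google.com"):
        return False
    query = parse_qs(parts.query)
    if parts.path.startswith("/uc") and query.get("export", [""])[0] == "download":
        return True
    return "/export" in parts.path


@dataclass
class Finding:
    message_id: str
    reasons: List[str]


def triage(messages: List[Dict[str, str]]) -> List[Finding]:
    """Return one Finding per message that carries at least one risk signal."""
    findings = []
    for msg in messages:
        reasons = []
        if not is_known_sender(msg["sharer"]):
            reasons.append("share from unverified sender " + msg["sharer"])
        for url in URL_RE.findall(msg["body"]):
            if is_direct_download(url):
                reasons.append("direct-download Drive link " + url)
        if reasons:
            findings.append(Finding(msg["id"], reasons))
    return findings


# Constructed sample share notifications (ids, addresses and links invented).
SAMPLE_MESSAGES = [
    {"id": "m1", "sharer": "alice@example.com",
     "body": "Alice shared a document: https://docs.google.com/document/d/AAA/edit"},
    {"id": "m2", "sharer": "invite-9911@mail.example.net",
     "body": "Please review: https://docs.google.com/document/d/BBB/edit?usp=sharing"},
    {"id": "m3", "sharer": "bob@example.com",
     "body": "Open: https://docs.google.com/document/d/CCC/edit and "
             "https://drive.google.com/uc?export=download&id=DDD"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_MESSAGES):
        print(finding.message_id, "->", "; ".join(finding.reasons))
```

Run on the constructed sample, m1 passes cleanly, m2 is flagged for its unverified sharer and m3 for the direct-download link, which is exactly the pair of signals the article tells users and gateways to watch for.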

Since Proofpoint disclosed this vulnerability to Google, the company has added specific restrictions on certain Apps Script events that could potentially be abused. 

Google now blocks both installable triggers -- customisable events that cause script functions to run automatically -- and simple triggers like onOpen and onEdit from presenting custom interfaces in Docs editors in another user’s session. 

However, the proof of concept Proofpoint provided to Google and recently presented at the DeepSec Conference demonstrates the ability of threat actors to use extensible SaaS platforms to deliver malware to unsuspecting victims in even more powerful ways than they have with Microsoft Office macros over the last several years. 

Moreover, the limited number of defensive tools available to organisations and individuals against this type of threat makes it likely that threat actors will attempt to abuse and exploit these platforms more often as we become more adept at protecting against macro-based threats.

SaaS platforms remain a “Wild West” for threat actors and defenders alike.

New tools like Google Apps Script are rapidly adding functionality while threat actors look for novel ways of abusing these platforms.

At the same time, few tools exist that can detect threats generated by or distributed via legitimate software-as-a-service (SaaS) platforms.

This creates considerable opportunities for threat actors who can leverage newfound vulnerabilities or use “good for bad”: making use of legitimate features for malicious purposes.

With malicious Microsoft Office macros, threat actors introduced layers of obfuscation, new techniques, and innovative approaches designed to better deliver malware payloads.

The same level of innovation is likely as SaaS applications become increasingly mainstream and threat actors become more sophisticated in their abuse of these tools.

Organisations will need to apply a combination of SaaS application security, end-user education, endpoint security, and email gateway security to stay ahead of the curve of this emerging threat.
