
BSides SF: How consumer cloud services can command and control malware

SaaS and cybercrime

SAN FRANCISCO — We are used to attackers setting up command-and-control (CnC or C2) servers on short-lived domains or compromised hosts, and defenders have developed robust methods to detect and block that kind of malicious infrastructure.

But what about attacks that come from Google Drive, Dropbox or Trello? Such user-facing cloud services seem innocuous and are used daily by thousands or even millions of organizations. Yet, they too can be harnessed to command and control malware on infected systems.

That's the message from Matan Mittelman, a team leader for Cato Networks' threat prevention team.

At the BSides San Francisco security conference this past Saturday (April 26), he demonstrated how Google Drive and Trello — and presumably many others — can serve as effective and inexpensive, albeit slow, attack infrastructure whose back-and-forth traffic breezes right past firewalls, threat detection and even endpoint detection and response (EDR).

"Most businesses and organizations have adopted and trust the cloud," Mittelman said. "I'm not aware of any organizations that block the cloud."

"Hackers love this," he added. "They trust the cloud too. And cloud-storage services are a great place from which to launch attacks."

Everything the modern attacker needs

Command-and-control servers need bidirectional communications, storage space and the ability to handle many client machines at once, Mittelman pointed out. Cloud-based applications have all those attributes.

"What makes a CnC channel?" he wondered. "You want the malware to send back telemetry. You want to be able to send commands to the infected hosts. You might want to steal data from the compromised hosts. And you want multi-device management so one CnC server can manage multiple hosts."

Many cloud services are free to use and most are very reliable, Mittelman added, saving the attackers the cost and effort of buying a domain name and paying for and maintaining a server.

So how could an attacker use, say, Google Drive to command and control malware? Mittelman explained you could embed commands in folder names, have the infected hosts upload documents and files, and use multiple folders to control multiple infected machines. The controller and infected hosts just need to log into the same Google account.

The Cato researcher ran a demonstration in which commands were sent to infected hosts as the names of new folders. Creating a folder named "exec_ls" had the host upload a Google Doc with the names of all the files in a specific directory, and then change the name of the new folder to "done_ls" when its task was complete.

Trello is primarily a list- and task-making application. In a second demo, Mittelman showed how creating new Trello list cards sent commands to compromised hosts, which responded by filling the blank cards with stolen medical records concerning BoJack Horseman characters.
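The folder-name protocol described above, written out as an added, offline simulation. This is not Cato's or Mittelman's demo code: the Google Drive API is replaced by an in-memory FakeDrive class, the victim filesystem is a constructed dict, and the "<host>_exec_<cmd>" / "<host>_done_<cmd>" naming convention used to address several hosts through one account is an assumption. The Trello variant differs only in the store (cards instead of folders); the polling logic is the same.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed "victim" filesystem so the ls result is deterministic and
# nothing on the real host is touched.
HOST_FS = {"/srv/share": ["notes.txt", "budget.xlsx", "id_rsa"]}


@dataclass
class Folder:
    name: str
    docs: dict = field(default_factory=dict)  # doc name -> text content


class FakeDrive:
    """In-memory stand-in for the shared Drive account (assumption: controller
    and implant both hold credentials for the same account)."""

    def __init__(self) -> None:
        self.folders: dict[str, Folder] = {}
        self._next = 0

    def create_folder(self, name: str) -> str:
        fid = f"fld{self._next}"
        self._next += 1
        self.folders[fid] = Folder(name)
        return fid

    def list_folders(self) -> dict[str, str]:
        return {fid: f.name for fid, f in self.folders.items()}

    def rename(self, fid: str, name: str) -> None:
        self.folders[fid].name = name

    def upload_doc(self, fid: str, doc: str, text: str) -> None:
        self.folders[fid].docs[doc] = text

    def read_doc(self, fid: str, doc: str) -> str:
        return self.folders[fid].docs[doc]


# Naming convention (assumption, to address several hosts with one account):
#   "<host>_exec_<cmd>"  task pending for <host>
#   "<host>_done_<cmd>"  task finished, result uploaded as doc "result"
def controller_send(drive: FakeDrive, host: str, cmd: str) -> str:
    """Controller issues a command by creating a folder."""
    return drive.create_folder(f"{host}_exec_{cmd}")


def controller_collect(drive: FakeDrive, host: str) -> dict[str, str]:
    """Controller reads back results from folders the host marked done."""
    prefix = f"{host}_done_"
    return {
        name[len(prefix):]: drive.read_doc(fid, "result")
        for fid, name in drive.list_folders().items()
        if name.startswith(prefix)
    }


def implant_poll(drive: FakeDrive, host: str, target: str = "/srv/share") -> list[str]:
    """One polling round of the infected host: run pending tasks, upload the
    result, then flip the folder name from exec_ to done_."""
    prefix = f"{host}_exec_"
    ran = []
    for fid, name in list(drive.list_folders().items()):
        if not name.startswith(prefix):
            continue
        cmd = name[len(prefix):]
        if cmd == "ls":
            result = "\n".join(HOST_FS.get(target, []))
        else:
            result = f"unsupported command: {cmd}"
        drive.upload_doc(fid, "result", result)
        drive.rename(fid, f"{host}_done_{cmd}")
        ran.append(cmd)
    return ran


def run_demo() -> tuple[dict[str, str], dict[str, str]]:
    """Two hosts tasked, only hostA has polled so far."""
    drive = FakeDrive()
    controller_send(drive, "hostA", "ls")
    controller_send(drive, "hostB", "ls")
    implant_poll(drive, "hostA")
    return controller_collect(drive, "hostA"), controller_collect(drive, "hostB")


if __name__ == "__main__":
    a, b = run_demo()
    print("hostA:", a)
    print("hostB:", b)
```

Note what the channel never needs: no listening port, no attacker-owned domain, and every request the implant makes is an ordinary authenticated call to the same service the rest of the company uses. The rename from exec_ to done_ is the only acknowledgement; a host that never polls simply leaves its folder pending, which is why the channel is slow but robust.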

"This isn't very fast, but it is trusted," Mittelman said. "And it's free. And you don't need to set up a server."

Drawbacks and defenses

There are potential drawbacks to using a cloud service as a command-and-control server, he said. For example, some of the more security-minded services — he named Google as one — may detect this sort of suspicious activity.

On the client end, the credentials to access the shared cloud accounts are stored in the malware, and defenders could discover them and take down the operation.

To defend an organization against a cloud-service-based attack, Mittelman said, you should consider which cloud services end users are permitted to use. Some are known for a "hands off" policy toward user data that makes them convenient for nefarious activities. (Mittelman didn't mention it, but the gamer social service Discord has been used several times as a malware distribution platform.)

Organizations may want to restrict users to company-managed online accounts, not personal ones, he added, and could block unsanctioned online apps. Or they could use a cloud access security broker (CASB) to restrict users from uploading files to cloud services.

"You want to consider the behavior, too," said Mittelman. "What is a Python script doing accessing Google Drive?"
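Two behavioral checks that follow from that question, as an added example rather than anything Cato presented: a process-to-destination rule (a non-browser, non-sync-client process talking to a cloud storage or collaboration domain) and a cadence rule (a process hitting such a domain at near-constant intervals, which is what a polling implant looks like). The log lines, the sanctioned-process allowlist and the domain list are all constructed assumptions; the log format is a made-up six-field proxy/EDR record, not any vendor's schema.

```python
from __future__ import annotations
import re
import statistics
from collections import defaultdict

# Constructed proxy/EDR log lines (not real traffic):
#   <epoch> <host> <process> <domain> <method> <path>
LOG = """\
1714060000 ws-17 chrome.exe drive.google.com GET /drive/my-drive
1714060003 ws-17 python.exe www.googleapis.com GET /drive/v3/files
1714060063 ws-17 python.exe www.googleapis.com GET /drive/v3/files
1714060123 ws-17 python.exe www.googleapis.com GET /drive/v3/files
1714060183 ws-17 python.exe www.googleapis.com PATCH /drive/v3/files/fld0
1714060243 ws-17 python.exe www.googleapis.com GET /drive/v3/files
1714060010 ws-22 googledrivesync.exe www.googleapis.com GET /drive/v3/files
1714060400 ws-22 googledrivesync.exe www.googleapis.com POST /upload/drive/v3/files
1714061100 ws-22 outlook.exe outlook.office365.com GET /owa
"""

# Assumptions: the org's sanctioned client list and the domains it treats
# as consumer cloud storage / collaboration services.
SANCTIONED = {"chrome.exe", "msedge.exe", "firefox.exe",
              "googledrivesync.exe", "dropbox.exe"}
CLOUD_SERVICES = {"drive.google.com", "www.googleapis.com", "www.dropbox.com",
                  "api.dropboxapi.com", "trello.com", "api.trello.com"}

LINE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse(log: str) -> list[dict]:
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, host, proc, domain, method, path = m.groups()
        events.append({"ts": int(ts), "host": host, "process": proc.lower(),
                       "domain": domain.lower(), "method": method, "path": path})
    return events


def unsanctioned_process_alerts(events: list[dict]) -> set[tuple[str, str, str]]:
    """Rule 1: a process outside the allowlist talking to a cloud service."""
    return {(e["host"], e["process"], e["domain"]) for e in events
            if e["domain"] in CLOUD_SERVICES and e["process"] not in SANCTIONED}


def beaconing_alerts(events: list[dict], min_hits: int = 4,
                     max_cv: float = 0.2) -> list[dict]:
    """Rule 2: regular polling cadence. For each (host, process, domain) with
    at least min_hits requests, compute the coefficient of variation of the
    inter-request gaps; low jitter means a timer, not a human."""
    by_key: dict[tuple[str, str, str], list[int]] = defaultdict(list)
    for e in events:
        if e["domain"] in CLOUD_SERVICES:
            by_key[(e["host"], e["process"], e["domain"])].append(e["ts"])
    alerts = []
    for (host, proc, domain), stamps in by_key.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            alerts.append({"host": host, "process": proc, "domain": domain,
                           "hits": len(stamps), "mean_interval_s": mean,
                           "cv": round(cv, 3)})
    return alerts


if __name__ == "__main__":
    ev = parse(LOG)
    print("unsanctioned:", unsanctioned_process_alerts(ev))
    print("beaconing:", beaconing_alerts(ev))
```

In the constructed data, ws-17's python.exe trips both rules (five Drive API calls exactly 60 seconds apart), while ws-22's sync client is allowlisted and too infrequent to score. Real implants add jitter, so in practice the cadence rule is tuned with a looser max_cv and a longer window, and the process-to-destination rule does most of the work.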

In the long run, he said, organizations need to change their mindsets and recognize that these safe-seeming online services can be exploited and abused. Security guidance is already documenting that "attackers are getting free rein in cloud services," he said, but defenders have yet to catch up.

"MITRE has even added web services as a medium of attack and exfiltration," Mittelman said. "Perhaps we're not all quite aware of the dangers."

Paul Wagenseil

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.
