Cloudifying Threats—Understanding Cloud App Attacks and Defenses

Cloud applications (apps) and services have revolutionized business productivity and efficiency by providing a robust and flexible environment in which to share and transfer data. Businesses are becoming more dependent on the cloud as the trend of adopting cloud apps is growing at an exponential rate. End users do not have a choice, as cloud apps are being shipped to them as default software in the hardware devices. For example, mobile devices are shipped with default cloud apps. Additionally, enterprise cloud apps are being used as storage solutions to host, manage and share data. That being said, every technology is susceptible to abuse and exploitation, and cloud apps are no exception.

Hackers and agents of foreign nations are increasingly exploiting cloud apps to perform nefarious operations that could potentially result in significant financial losses and compliance-related fines, in addition to loss of reputation to individuals and enterprises alike.

Before trying to understand potential cloud threats, IT departments need to have complete visibility into the channels through which data flow between users and cloud apps that exist outside of the network and perimeter security defenses. While the threats posed by shadow IT and shadow data¹ are real and persistent, enterprises are not staffed or equipped to determine how their users are accessing and transmitting the enormous flow of confidential data to and among different cloud apps. To determine this, enterprises must first gain visibility into all cloud apps being accessed by their network users before trying to understand the risk that malware and user activity pose to confidential company data.

Cloud apps have faced a wide variety of threats over the last couple of years. Google Drive has been hit by a number of phishing attacks where HTML/JavaScript(JS)² and OAuth³ functionalities were abused to steal user account credentials. Dropbox, OneDrive and other cloud apps have been used to distribute malware^{4, 5} to user systems. Configuration errors in cloud storage apps such as Amazon Web Services (AWS) have led to unintentional data exposure, causing security breaches that severely impacted affected organizations. Data leakage via AWS buckets^{6 ,7} is a grave threat to enterprises, as a small error could result in broad exposure of sensitive data. Finally, inherent design and security issues in cloud apps⁸ have been regularly exploited by hackers to execute large-scale exploits. Overall, threats to cloud apps are real and enterprises must fully understand them, the potential impact to their business, and how to defend against attacks on cloud apps to protect user confidentiality and compliance-related data.

Cloud Apps: Threat Model and Actors

There are three types of threat actors who circumvent existing cloud security controls and trigger attacks against cloud apps:

• Risky employees—“To err is human,”⁹ and employees are no exception to this rule. Employee mistakes regularly result in data exposure via cloud apps. When sharing documents containing sensitive information, employees often unwittingly overshare them by granting access to an overly broad audience. Some examples include:
  • An employee shares a confidential document publicly. This results in broad access, and anyone with a shared URL to the document can access the content and freely use or abuse it.
  • An employee unwittingly allows another user to download a confidential file directly from the cloud app by not specifying the access controls when the document is shared.
• Malicious insiders—Disgruntled employees can cause serious damage to enterprises by exploiting their position as insiders to circumvent security protocols and destroy or exfiltrate confidential data. Examples of suspicious activities performed by malicious insiders include:
  • Excessive downloads of confidential files from cloud apps
  • Excessive deletion of confidential files hosted on cloud apps
  • Broadly sharing a large number of files publicly to be accessed remotely
  • Accessing cloud apps at unusual times or for abnormally long durations
  • Accessing confidential data that they typically do not access as part of their normal job functions
  • Performing excessive printing or screen capture actions on documents stored in cloud apps
• Hackers and state actors—Sophisticated attackers can target cloud apps and associated users to steal data and perform unauthorized operations. Attacks can be launched directly, when attackers target a cloud app itself, or indirectly, when attackers target the users of a cloud app to gain access to their cloud accounts. Some examples of direct and indirect attacks include, but are not limited to:
  • Direct attacks:
    • Launching brute-force attacks against cloud apps
    • Discovering and exploiting inherent vulnerabilities in cloud apps
  • Indirect attacks:
    • Sending phishing emails containing malicious attachments or URLs to a web portal that could steal credentials via social engineering attacks
    • Installing malware on an end-user machine and stealing cloud app credentials via man-in-the-browser (MitB) attacks

Once the account is compromised by either direct or indirect attacks, attackers can easily exfiltrate data using multiple methods.

Cloud Apps: Threats

There are several types of cloud threats exemplified by real-world case studies, which include, but are not limited to, distributing malware via cloud apps resulting in drive-by download, account hijacking, broad sharing of sensitive documents, leaking sensitive information via the documents hosted on cloud apps, and abusing functionalities and features of cloud apps to trigger phishing attacks.

Credential Stealing and Account Hijacking

Attackers target end users to steal their enterprise cloud app credentials to perform nefarious operations. Credentials for cloud apps can be stolen in multiple ways. Examples of commonly used attack techniques include:

• Phishing attacks—This is the most widely used attack method deployed by attackers. It uses social-engineering techniques to trick users into providing account credentials. Attackers have used variations of phishing attacks to target end users and steal their credentials for specific cloud apps. These have been broadly categorized into three types based on how the phishing web pages are deployed and distributed:
  • Phishing pages deployed on cloud apps—This is one of the most advanced techniques, in which phishing pages are hosted on the cloud apps themselves. Attackers abuse the inherent HTML/JS-supporting functionality of cloud apps to host phishing web pages. Once the web pages are shared publicly, the associated URL, embedded in a phishing email, is sent to users. This attack is hard to defend against because the phishing pages are hosted on legitimate cloud app domains that use HTTPS. An average user will typically assume that the web pages are legitimate. As a result, users supply credentials that are transmitted via an HTTP GET/POST request to an attacker-managed domain. Figure 1 shows a real-world attack scenario using phishing pages hosted on Google Drive. Note that Google Drive has since deprecated its HTML/JS support, but several other cloud apps still support this functionality.
    
  • Phishing pages deployed as attachments—Attackers can abuse the functionality of data URLs supported by their browser. It is possible to encode data in a “data:text/html” handler, and when allowed to open in the browser’s address bar, it renders the content. Attackers are using this trick to encode phishing web pages in the data handler and pass them as attachments in phishing emails. When the user opens the attachment, the content (data handler) is opened in the browser address bar and it renders the decoded phishing web page. Figure 2 shows an example of this variant.
    
  • Phishing pages deployed on noncloud app domains—This is the most widely used phishing technique, in which web pages of legitimate cloud apps are cloned, updated and deployed on noncloud app domains. Attackers select a domain that may look legitimate but is not. These attacks are executed in conjunction with social-engineering tactics to trick users into revealing their cloud app credentials. Figure 3 shows an example of a phishing attack in which a web page similar to the official login page for Office 365 is deployed on the non-cloud app domain.
• Man-in-the-browser (MitB) attacks—MitB attacks are advanced exploits in which end-user systems are first infected with sophisticated malware, such as a bot, which is then enabled to perform advanced operations in the compromised system. The bot actually snoops communication taking place between the user’s browser and the cloud app. The bot injects unauthorized code into the browser process and logs the cloud app credentials entered by the user. This attack is different from a standard keylogging attack, as the attack model is different. MitB attack mode is currently deployed in a majority of botnets. Figure 4 shows the reverse-engineered code from a malware binary highlighting the “Pr_Write” function in the “NSPR4.DLL” library. The library is hooked by the bot to steal data entered by the user in the HTML forms opened in the Mozilla Firefox browser. Primarily, the bot hooks the critical functions imported from the libraries in the browser process to dump the credentials in the HTTP GET/POST requests.
  
• Man-in-the-cloud (MitC) attacks—MitC¹⁰ attacks are similar to MitB attacks. The difference is that tokens are stolen instead of account credentials. Tokens are used heavily in cloud apps as authentication mechanisms for transmitting data to cloud app application program interfaces (APIs) from authorized resources. Malware residing in the end-user system is capable of hijacking the communication channel. This is done by either hooking the cloud agent functions or using social-engineering attacks to inject attacker-supplied unauthorized synchronization tokens so that valid and unexpired tokens can be extracted to gain access to users’ accounts. Primarily, the MitC malware exploits the file synchronization services for installing additional malware, exfiltrating data and performing command and control (C&C) operations. The attack method is different, but the end result is the same: gaining access to user accounts.

Malware Distribution

Cloud app storage functionality has been abused by attackers to distribute malicious files to end users. Malware is distributed through the cloud when attackers use stealthy techniques to upload malicious files on cloud apps or share malicious files publicly by configuring global access rights. As a result, malicious files are now ready to be shared with or distributed to end users by a cloud app’s URL. To infect end users, attackers can:

• Distribute the direct cloud apps’ URLs that reference malicious files to end users either by a third-party platform or via an embedded link in a phishing email
• Conduct a stealthy drive-by download attack in which the cloud app URL that references a malicious file is embedded in a third-party website in an HTML iframe or obfuscated JavaScript. When a user visits the third-party website, the cloud app URL is rendered in the browser, which downloads the file onto the end user’s system. Attackers can opt to use advanced techniques to perform this operation covertly.

Overall, the basic idea for attackers is to weaponize cloud app storage functionality by using apps as malware delivery platforms. Figure 5 shows a malicious executable (MZ header) file (Zeus bot) successfully uploaded to Google Drive. Figure 6 shows malicious executables hosted on the AWS Simple Storage Service (S3) buckets.

Data Exfiltration and Leakage

Data exfiltration is the process of stealing and stealthily transmitting data from compromised systems to unauthorized locations on the Internet. Since enterprise cloud apps store sensitive data in the cloud, they are vulnerable to security breaches that result in the leakage of data due to human error or hackers. Data can be exfiltrated or leaked from the cloud apps in multiple ways, including:

• Users of enterprise cloud apps can share sensitive documents with a broad audience by making documents public through configuring access rights in an insecure manner, e.g., sharing sensitive files publicly via Google Drive, Box or other similar sharing sites. Amazon S3 buckets have been under the radar because multiple instances have been noted where sensitive data were disclosed via S3 buckets.
• Users can upload files containing sensitive data such as personally identifiable information (PII), payment card industry (PCI) information, and protected health information (PHI) on cloud apps and share those files in an insecure manner with other users.
• Attackers can validate and verify sensitive files hosted in compromised cloud accounts and exfiltrate the data by making those files public and downloading them onto an unauthorized server, and by sending files as attachments via emails using compromised user accounts.
• Malicious code installed on end-user systems can be directed to steal files from the folders specific to an enterprise cloud app agent that is used to sync files with the cloud servers. The malware can easily encrypt the data and exfiltrate it via either HTTP/HTTPS or other protocol channels.

Figure 7 highlights the disclosure of sensitive documents via Amazon S3 buckets.

Cloud App Vulnerabilities

Security vulnerabilities that exist in cloud apps could be exploited by attackers to launch large-scale attacks. Cloud apps such as Google Drive, Box and Dropbox provide services to a large number of customers and exploiting inherent vulnerabilities could lead to serious widespread problems. Under responsible disclosure guidelines, security researchers disclose vulnerabilities to organizations in a secure fashion. In a similar vein, attackers are also continuing to look for vulnerabilities in cloud apps. The difference is that attackers will not disclose those vulnerabilities, but rather will exploit them to steal sensitive data or to abuse the cloud app service with unauthorized operations.

In addition to security vulnerabilities, design flaws can also contribute to the abuse and exploitation of cloud apps. Design flaws occur as a result of poor development choices that are approved without appropriate security reviews before actual components are designed. Cloud apps have been found to be vulnerable to poor single sign-on (SSO) implementations, insecure authentication mechanisms and other security-deficient design decisions. Application and infrastructure teams should take the necessary steps to avoid bugs early in the development stage and to rectify configuration errors during deployment.

GDPR Compliance and Security Breaches

The European Union General Data Protection Regulation (GDPR)¹¹ is a data protection regulation that requires organizations to protect the personal data of the users and privacy of EU citizens. A recent poll indicates that 80 percent of US companies need to stay compliant with GDPR.¹² GDPR has taken significant steps to push data controllers and data processors under an obligation to comply with data protection requirements, which include but are not limited to providing timely notifications of security incidents; sharing data with the end users if requested, including the right to be forgotten; implementing robust security solutions to monitor the data flow; and preventing security incidents. With such obligations, data controllers and data processors are subjected to direct enforcement by the supervisory legal authorities and monetary fines as part of compensation claims by data subjects for any damages caused by security breaches if the organizations fail to stay compliant with GDPR. Generally, GDPR has given a new dimension to security and compliance by allowing data subjects to stay in control of their personal data. Data processors and controllers are required to stay more vigilant and proactive in handling sensitive information of data subjects.

There are a few critical points of GDPR that pertain to security. The most relevant articles related to security in GDPR are:

• Article 33 of the GDPR details the requirements that need to be followed by data processors and controllers when implementing technical and security controls to ensure that data stay secure and private. The controls must guarantee the security, availability, confidentiality and integrity of data, including system resiliency. The expectation is to achieve stable and secure systems with maximum availability.
• Article 34 of the GDPR sets forth the requirement for data processors and controllers to report data breaches to the supervisory authority. Article 35 covers the rules requiring full disclosure of personal data breaches to the data subjects. Articles 34 and 35 are interdependent. GDPR has made stringent requirements for data controllers and processors to report security breaches within a specific time period, which is expected to be no later than 72 hours after data controllers and processors have become aware of the incident. Some flexible scenarios have been discussed for breach reporting, but, overall, this is a big leap toward ensuring that data processors and controllers are responsible for personal data. At the same time, data controllers have the responsibility to report security breach information to the data subjects without any undue delay. This has entitled data subjects to expect clear and prompt communication from data controllers if their data are stolen or leaked during a security breach. GDPR has significantly increased the responsibilities of data controllers and processors.

This article has discussed a number of attacks that can result in security breaches. Now the most important question is, “What should be done if data controllers and processors fail to adhere to the GDPR guidelines specified in articles 34 and 35?” If data controllers fail to comply with GDPR articles 34 and 35 of breach notification and disclosure, they are subject to financial penalties that could be as high as four percent of their organization’s global (worldwide) annual revenue of the prior financial year or up to US $23.2 million, whichever is higher.

Security breaches in cloud apps could be a result of inherent cloud threats. As a result, enterprises can suffer financial losses by failing to adhere to compliance requirements. To avoid financial repercussions, it is essential to combat threats against cloud apps to provide a secure, safe and compliant environment.

Recommendations and Countermeasures

The following are the recommended countermeasures essential to defending against threats to cloud apps:

• The enterprise environment should be audited up-front to detect shadow data and shadow IT in the network. This is an essential step because it helps administrators discover the different types of cloud apps used, their relative risk, and how exactly end users and devices transact data with those cloud apps. With the adoption of bring your own device (BYOD), this becomes even more critical.
• Best practices dictate that all files should be scanned when they are uploaded to and downloaded from the cloud. Such scans ensure that files transferred to cloud apps do not contain any inherent threats. Engaging an active threat detection service that integrates with cloud apps is recommended. This helps prevent the distribution or syncing of files containing malware to large groups of users.
• Content inspection (CI) technologies that can scan file content for confidential data, such as personally identifiable information (PII), payment card industry (PCI) information, and US Health Insurance Portability and Accountability Act (HIPAA) information, before they are uploaded to cloud apps should be adopted. This helps prevent data exfiltration attempts.
• Files hosted in cloud apps should be checked for sharing and access rights. This is an important step to ensure these files are not shared too broadly. The cloud app security solution should provide administrators with the ability to scrutinize how users are sharing files with each other, thereby ensuring that unauthorized users do not gain access to confidential data.
• User behavior modeling and analysis helps to discover anomalies in user behavior while users are interacting with cloud apps. User behavior models can be designed using techniques such as supervised or unsupervised machine learning, contextual analysis, natural language processing, and others to ensure that anomalies are detected and to enable administrators to act proactively so attacks or threats can be prevented. With user behavior modeling, attacks such as unauthorized access and brute forcing can be detected easily.
• Policy enforcement is one of the preventive steps that helps avert the distribution of threats by actively blocking them once they are identified. This functionality helps administrators enforce policies in enterprise cloud apps that identify malware, prevent the leakage of sensitive data and restrict the sharing of specific files.
• Cloud infrastructure and associated cloud apps should undergo rigorous security assessments, comprising penetration testing, vulnerability assessment, configuration reviews, source code reviews, etc., to ensure that infrastructure and applications are free from security vulnerabilities and that supporting networks are sufficiently hardened. Having a strong security posture enables enterprise cloud app providers to provide an environment that is robust and secure.
• For compliance, organizations should deploy a cloud app security solution that not only helps them achieve compliance, but that also provides security controls to monitor, detect and prevent threats that reside in, and are distributed by, cloud apps. This also helps the security operations center (SOC) manage and circumvent threats that originate from cloud apps.

Conclusion

Because the technology world has encountered an exponential increase in the usage of cloud apps and security breaches via the cloud, it is necessary for enterprises to have a complete, platform-driven approach to obtain visibility into cloud apps; communication is essential so that risk and threats can be mitigated and remediated respectively. With the robust requirements listed by upcoming regulations, such as GDPR, the importance of a cloud app security solution cannot be ignored. For combating security breaches and threats in the cloud apps, a robust cloud security solution is the demand of the time to which every organization has to adhere.

Endnotes

¹ Cloud Threat Labs and Symantec CloudSOC, Shadow Data Report, 2016, https://insidecybersecurity.com/sites/insidecybersecurity.com/files/documents/mar2017/cs2017_0097.pdf
² Korolov, M.; “Google Drive Phishing Is Back With Obfuscation,” CSO, 28 July 2015, https://www.csoonline.com/article/2953190/vulnerabilities/google-drive-phishing-is-back-with-obfuscation.html
³ Franceschi-Bicchierai, L.; “Someone Hit the Internet With a Massive Google Doc Phishing Attack,” Motherboard, 3 May 2017, https://motherboard.vice.com/en_us/article/53nzxa/massive-gmail-google-doc-phishing-email
⁴ Talbot, D.; “Dropbox and Similar Services Can Sync Malware,” MIT Technology Review, 21 August 2013, https://www.technologyreview.com/s/518506/dropbox-and-similar-services-can-sync-malware/
⁵ Sood, A.; “Cloud Storage Apps as Malware Delivery Platforms (MDP): Dissecting Petya Ransomware Distribution via Dropbox,” Symantec Connect, 30 March 2016, https://www.symantec.com/connect/blogs/cloud-storage-apps-malware-delivery-platforms-mdp-dissecting-petya-ransomware-distribution-dro
⁶ Cameron, D.; K. Conger; “GOP Data Firm Accidentally Leaks Personal Details of Nearly 200 Million American Voters,” Gizmodo, 19 June 2017, http://gizmodo.com/gop-data-firm-accidentally-leaks-personal-details-of-ne-1796211612
⁷ Constantin, L.; “Cloud Storage Error Exposes Over Two Million Dow Jones Customer Records,” Forbes, 17 July 2017, https://www.forbes.com/sites/lconstantin/2017/07/17/cloud-storage-error-exposes-over-two-million-dow-jones-customer-records/#17fc5c83199f
⁸ Mimoso, M.; “Office 365 Vulnerability Exposed Any Federated Account,” Threatpost, 28 April 2016, https://threatpost.com/office-365-vulnerability-exposed-any-federated-account/117716/
⁹ Pope, A.; An Essay on Criticism, Part II, UK, 1711
¹⁰ Imperva, Hacker Intelligence Initiative Report: Man in the Cloud Attacks, USA, 2015, https://www.imperva.com/docs/HII_Man_In_The_Cloud_Attacks.pdf
¹¹ EUGDPR.org, “GDPR Portal”
¹² Ashford, W.; “GDPR Fines May Affect Almost 80% of US Firms, Poll Shows,” Computer Weekly, 8 November 2017, www.computerweekly.com/news/450429701/GDPR-fines-may-affect-almost-80-of-US-firms-poll-shows