#RSAC
Malware-as-a-Service – When Your Cloud Begins to Rain Malwares!
Session ID: TTA – R03
Abhinav Singh
Cloud Security Research, Netskope Inc.
About Netskope
‣ 350+ employees globally, including North America, Europe, and Asia-Pacific
‣ Early distinguished architects from large traditional security companies
‣ First comprehensive CASB patent. 45+ patent claims across four categories, with 100s of patents pending
‣ The world’s largest bank, automaker, pharmaceutical, payment processor, consulting firm, insurance, energy, oil and gas, retail and healthcare companies trust Netskope.
Agenda
Malware in the cloud – myth or reality?
Brief History of Malware campaigns utilizing cloud services
Generic cloud threats like the malware “fan-out” effect and “man-in-the-cloud”.
Detailed analysis of cloud based malware campaigns
Adoption of service based models by cyber criminals
Recommended Actions
What is malware doing in the Cloud?
(Diagram: File Infrastructure, SaaS, IaaS, SaaS + IaaS, PaaS)
Cloud Based Malware Timeline
• Cerber Ransomware (6/30/16)
• cute-Ransomware (7/12/16)
• CloudSquirrel (7/15/16)
• Zepto (Locky variant) (7/16/16)
• URSNIF Data Theft (8/2/16)
• Zepto Delivered via DLL (9/9/16)
• Virlock Ransomware (9/27/16)
• Nitol Botnet (10/14/16)
• CloudFanta (10/18/16)
• New Variants of Locky (12/15/16)
• Cloud Phishing (1/18/17)
• Virlock’s Resurgence (1/30/17)
• Ransomware + Click Fraud (1/30/17)
• Cloud CRM Attack Vector (2/09/2017)
• Targeted Attack Campaign with Multivariate Malware (3/08/2017)
• Godzilla Botnet Analysis (4/07/2017)
• Google Doc Cloud Phishing (5/04/2017)
Generic Cloud Threat Concepts
• Malware “fan-out” effect
• Man-in-the-cloud (MITC)
Malware “fan-out” Effect in an Enterprise Cloud
Man-in-the-cloud Affecting Cloud Applications
(Diagram: Token A, Token B)
Malware Campaigns utilizing the Cloud
• CloudSquirrel Malware Campaign
• CloudFanta Malware Campaign
Brief Technical Analysis: CloudSquirrel and CloudFanta
Phishing In the Cloud
• File decoys hosted in the cloud
• Documents used for phishing attacks against popular cloud applications
Cloud Phishing
Ransomware with Benefits!
• Ransomware attacks with blended threats.
• Cloud sharing and collaboration turn it into an elevated threat.
• Encrypts files and also infects the same files.
(Diagram – Ransomware Blended Threats / Wormed Ransomwares – file layout after infection: Polymorphic Code, Malware Code, Clean Code, Polymorphic Code)
• The entire peer network is rapidly infected.
• Many collaborative files are infected and encrypted many times.
• Many ransoms to be paid, perhaps a bulk discount can be negotiated?
Advanced Malware Families utilizing the Cloud
• Carbanak Banking Trojan
• Inception Framework
Carbanak Banking Trojan APT
• Group of financially motivated cyber criminals, first seen in 2015.
• Hides in plain sight.
• Uses the Google Apps Script, Google Sheets and Google Forms services to build a command-and-control service.
Carbanak Banking Trojan APT – command-and-control flow (diagram)
1. Request a UUID.
2. Check for the existence of a Google Sheet for the unique ID: if not found, create it; if found, continue.
3. Read the Google Sheet content for commands to execute.
4. Write to the Google Sheet.
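As an added example (not from the talk or from Netskope), one defender-side check this C2 pattern suggests: flag hosts that poll Google Sheets / Apps Script endpoints at machine-regular intervals with a non-browser user agent. The proxy log format, hostnames, user-agent strings and thresholds are constructed assumptions.

```python
"""Spot Carbanak-style polling of Google Sheets / Apps Script in proxy logs.

Added example, not from the talk. Log format, hostnames, user agents and
thresholds are assumptions; real proxies and real C2 timings differ.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Endpoints implied by the talk's Carbanak description (Apps Script, Sheets,
# Forms); the exact hostnames are an assumption.
GOOGLE_SERVICE_HOSTS = {"script.google.com", "docs.google.com", "sheets.googleapis.com"}

def parse_line(line):
    """Constructed format: '<iso-timestamp> <src-ip> <host> <user-agent...>'."""
    ts, src, host, ua = line.split(" ", 3)
    return datetime.fromisoformat(ts), src, host, ua

def find_beacons(lines, min_requests=6, max_cv=0.15):
    """Return {(src, host): mean_interval_s} for regular, non-browser polling."""
    series = defaultdict(list)
    for line in lines:
        ts, src, host, ua = parse_line(line)
        if host in GOOGLE_SERVICE_HOSTS and "Mozilla" not in ua:
            series[(src, host)].append(ts)
    hits = {}
    for key, stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        # Low jitter (coefficient of variation) means a timer, not a human.
        if m > 0 and pstdev(gaps) / m <= max_cv:
            hits[key] = m
    return hits

# Constructed sample: 10.0.0.5 polls Apps Script every 60 s with a bare
# WinHTTP-style agent; 10.0.0.9 is a person editing a sheet in a browser.
SAMPLE_LOGS = [
    f"2017-03-08T10:{i:02d}:00 10.0.0.5 script.google.com WinHttp.WinHttpRequest.5"
    for i in range(8)
] + [
    "2017-03-08T10:00:12 10.0.0.9 docs.google.com Mozilla/5.0 (Windows NT 10.0) Chrome/56",
    "2017-03-08T10:03:40 10.0.0.9 docs.google.com Mozilla/5.0 (Windows NT 10.0) Chrome/56",
    "2017-03-08T10:11:05 10.0.0.9 docs.google.com Mozilla/5.0 (Windows NT 10.0) Chrome/56",
]

if __name__ == "__main__":
    for (src, host), interval in find_beacons(SAMPLE_LOGS).items():
        print(f"{src} -> {host}: regular polling every {interval:.0f}s")
```

The check is a starting point for triage, not proof of compromise: a legitimate integration can also poll on a timer, so confirm with the endpoint's process and account context.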
Inception Framework (Cloud Hosted APT)
• Initially targeted at Russia, but expanding globally.
• Clean and elegant code suggesting strong backing and top-tier talent.
• Includes malware targeting mobile devices: Android, BlackBerry and iOS.
• Uses a free cloud hosting service based in Sweden for command and control.
Service Based Models adopted by Cyber Criminals
• Has been around since early 2012.
• Major dealers include exploit kit sellers, botnet controllers and click fraud operators.
• Current portfolio includes:
  • Ransomware-as-a-Service (RaaS)
  • Phishing-as-a-Service (PhaaS)
  • Crimeware-as-a-Service
(Diagram: MaaS, PaaS)
How to detect Malware propagating through the Cloud
Recommended Actions (“Apply”)
• Detect and remediate all threats at rest in sanctioned cloud services.
• Detect and remediate all threats being downloaded from unsanctioned cloud services.
• Enforce policy on usage of unsanctioned applications as well as unsanctioned instances of sanctioned cloud applications.
• Enforce DLP policies to control files and data en route to or from your corporate environment.
• Regularly back up and turn on versioning for critical content in cloud services.
• Track both managed and unmanaged devices accessing cloud services.
Thank You!
M.Tech Booth #D02