SlideShare a Scribd company logo
1 of 33
Download to read offline
Phishing in
the cloud era
Ashwin Vamshi &
Abhinav Singh
❖ Staff Security Research Engineer,
Netskope
➢ Innate interest in targeted attacks and
malwares using cloud services.
➢ Identifying malwares, campaigns and threat
actors using ‘cloud as an attack vector’
Ashwin Vamshi
2
Abhinav Singh
❖ Staff Security Research Engineer, Netskope
➢ Background in Malware research, reverse engineering,
incident response and cloud security.
➢ Author and speaker.
3
Agenda
4
Introduction
Cloud abuse
techniques and
case-studies
Motivation behind
abusing cloud
Conclusion
Cloud Adoption Trend
5
Attacks “at the scale of cloud”
• Wide-scale adoption of cloud services by cybercriminals with a large
upscale around phishing attacks.
• The phished baits are designed to mimic login pages of popular cloud
services
• Phishing attacks hosted in the cloud are highly effective and hard to
detect.
• Example - Phishing website with a Microsoft domain and a Microsoft-
issued SSL certificate, asking for Office 365 credentials.
6
7
BEC- It Still Exists!!
Source: Fincen.gov
BEC in the cloud era - Problem statement
• Attacks with SSL certificates/Cloud services to
appear legitimate.
• Tricks corporate users that are savvy enough
to check that the domain and SSL certificate
of a website is from a trusted origin.
• Slow take-downs, fast recovery.
8
1. PhaaS - Phishing as a Service
Cloud Abuse techniques
PhaaS - Attack Description
• Cloud hosted Phishing-as-a-Service cyber-crime model.
• Click, Build & Host.
• Flexible plans with wide variety of payment options being
accepted.
• Additional features like user training, 24/7 customer
support and remote monitoring.
10
Hackshit – Case-study
11
Hackshit – Infection Monitoring Page
12
• The phished baits were served with SSL
certificates signed by LetsEncrypt or Comodo.
• TLD’s: “moe”, “tn”, “cat”, “wtf”, and “space”.
• These websites were clones built using a file
uploading and sharing platform named Pomf.
• Pomf clones not indexed by search engines.
Hackshit – Source Code View
13
Hackshit - Pointers
• Recorded the victims credentials via websocket
service hosted in the cloud.
• Shift of service: Amazon > Evennode > Now.
• Takedowns → resurface and reuse attack elements.
• Classic example of reusing the same attack elements
onto new cloud accounts.
14
15
2. Phishing Attacks Hosted via Public Cloud
16
Abusing popular cloud SaaS, IaaS applications like Google
Drive, Dropbox, OneDrive, Azuresites, Googlesites etc.
Infection vector Email attachment → Decoy documents
Specifically targets corporate users using cloud
applications.
17
Malicious PDF Attachments – Case-study
Phish → Microsoft-issued SSL certificate &
Microsoft-owned domain
18
Phishing webpage hosted in Azure blob storage
19
3. Cloud Fan-out
Effect
• Infection spreading through the default Sync-&-
Share property of SaaS services.
• Use of collaboration tools that automatically sync
email attachments to SaaS apps.
• Self inflicted propagation of malicious file across
the peer network.
• Even if unsuccessful- may leave the target
vulnerable to future attacks. (Default Allow Policy)
20
CloudPhishing Fan-out – Case Study
A victim inadvertently shares the phishing
document with colleagues, whether
internal or external, via a cloud service.
Secondary propagation vector.
Shared users lose the context of the document’s external origin and may trust the
internally shared document as if it were created internally.
CloudPhishing Fan Out- Case Study
22
Document Decoys - Default Allow Policy
&
Annotations
Attack Description - Default Allow Policy
24
ABUSES THE “DEFAULT ALLOW” POLICY
FOR POPULAR PDF READERS.
WARNING FROM PDF VIEWING
APPLICATION POINTING TO AN
EXTERNAL LINK CONNECTING TO THE
CLOUD APPLICATION. FOR LEGITIMATE
REASONS.
THE NORTH ALWAYS “REMEMBERS”
Case Study - Zoom Zoom!!
25
Case Study II – PDF Annotations
26
Attack Description - PDF Annotations
27
Indicates that the attackers plan to reuse the decoy template by
appending new links when the URL is taken down.
Annotations mostly carried out using RAD PDF annotator by
threat actors.
Attack campaign artifacts are simply being reused by the
malware author to rapidly adapt to malicious file takedowns.
Targeted attacks abusing Google Cloud
Platform Open Redirection
Attack Description
• Phishing email containing PDF decoy
document which points to Google
app engine.
• Abuses Google Cloud app engine’s
open redirection to deliver malware.
• A design weakness that allows
the attacker to construct a
redirection chain.
• The URL redirection case falls
under the category of
Unvalidated Redirects and
Forwards as per OWASP.
29
GCP Open redirection chain
The user is logged out from appengine.google.com
and a response status code ‘302’ is generated for
URL redirection.
– As this action gets executed, the user is in
turn redirected to google.com/url using the
query “?continue=”.
– Using this redirection logic, the destination
landing page is reached.
• These Themed decoys primarily targeted
governments, banking and financial firms
worldwide via phishing emails sent by the
attackers posing as legitimate customers of
those institutions.
Motivation
behind
abusing
cloud
services
31
Ease of use and abuse.
Reduces the infrastructure overhead.
Way more powerful than traditional hosting or
computing services.
Significantly cheaper than traditional attack
methods (No DGA or BPH needed).
Gives attackers protection by default (encrypted
traffic, API driven communication etc).
Conclusion
32
Cloud adoption helps organizations in
improving their IT infrastructure and control
cost.
Its rapid adoption has also caught the
attention of cyber criminals who are
financially motivated.
Cloud Solution Providers (CSP) have adopted
the concept of shared responsibility model for
securing the workloads.
Organizations should carefully assess the risks
and potential threats when moving towards
the cloud.
https://www.netskope.com/resources/netskope-threat-research-labs
33
Thankyou!!
Netskope Threat Research Labs

More Related Content

What's hot

Lacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security StrategyTeri Radichel
 
Lacework AWS Security Week Presentation
Lacework AWS Security Week PresentationLacework AWS Security Week Presentation
Lacework AWS Security Week PresentationLacework
 
Deception & AWS: Adding Fog to EC2 & S3
Deception & AWS: Adding Fog to EC2 & S3Deception & AWS: Adding Fog to EC2 & S3
Deception & AWS: Adding Fog to EC2 & S3Cymmetria
 
Of CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills securityOf CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills securityJohn Varghese
 
Exploiting IAM in the google cloud platform - dani_goland_mohsan_farid
Exploiting IAM in the google cloud platform - dani_goland_mohsan_faridExploiting IAM in the google cloud platform - dani_goland_mohsan_farid
Exploiting IAM in the google cloud platform - dani_goland_mohsan_faridCloudVillage
 
Automated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSAutomated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSTeri Radichel
 
Pragmatic Cloud Security Automation
Pragmatic Cloud Security AutomationPragmatic Cloud Security Automation
Pragmatic Cloud Security AutomationCloudVillage
 
Lacework Overview: Security Redefined for Cloud Scale
Lacework Overview: Security Redefined for Cloud ScaleLacework Overview: Security Redefined for Cloud Scale
Lacework Overview: Security Redefined for Cloud ScaleLacework
 
Automating Threat Detection and Remediation at ZocDoc
Automating Threat Detection and Remediation at ZocDocAutomating Threat Detection and Remediation at ZocDoc
Automating Threat Detection and Remediation at ZocDocAmazon Web Services
 
Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?Teri Radichel
 
Lacework for AWS Security Overview
Lacework for AWS Security OverviewLacework for AWS Security Overview
Lacework for AWS Security OverviewLacework
 
Lacework Kubernetes Meetup | August 28, 2018
Lacework Kubernetes Meetup | August 28, 2018Lacework Kubernetes Meetup | August 28, 2018
Lacework Kubernetes Meetup | August 28, 2018Lacework
 
A Tale of Security & Ops Teamwork for Rapid Security Incident Resolution
A Tale of Security & Ops Teamwork for Rapid Security Incident ResolutionA Tale of Security & Ops Teamwork for Rapid Security Incident Resolution
A Tale of Security & Ops Teamwork for Rapid Security Incident ResolutionAmazon Web Services
 
Incident Response on AWS - A Practical Look.pdf
Incident Response on AWS - A Practical Look.pdfIncident Response on AWS - A Practical Look.pdf
Incident Response on AWS - A Practical Look.pdfAmazon Web Services
 
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...Lacework
 
Securing aws workloads with embedded application security
Securing aws workloads with embedded application securitySecuring aws workloads with embedded application security
Securing aws workloads with embedded application securityJohn Varghese
 
Lacework slides from AWS Meetups
Lacework slides from AWS MeetupsLacework slides from AWS Meetups
Lacework slides from AWS MeetupsJohn Varghese
 
Defcon 27 - Exploiting IAM in GCP
Defcon 27 - Exploiting IAM in GCPDefcon 27 - Exploiting IAM in GCP
Defcon 27 - Exploiting IAM in GCPNetskope
 
EKS security best practices
EKS security best practicesEKS security best practices
EKS security best practicesJohn Varghese
 

What's hot (20)

Lacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security Threats
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security Strategy
 
Lacework AWS Security Week Presentation
Lacework AWS Security Week PresentationLacework AWS Security Week Presentation
Lacework AWS Security Week Presentation
 
Deception & AWS: Adding Fog to EC2 & S3
Deception & AWS: Adding Fog to EC2 & S3Deception & AWS: Adding Fog to EC2 & S3
Deception & AWS: Adding Fog to EC2 & S3
 
Of CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills securityOf CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills security
 
Exploiting IAM in the google cloud platform - dani_goland_mohsan_farid
Exploiting IAM in the google cloud platform - dani_goland_mohsan_faridExploiting IAM in the google cloud platform - dani_goland_mohsan_farid
Exploiting IAM in the google cloud platform - dani_goland_mohsan_farid
 
Automated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSAutomated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWS
 
Pragmatic Cloud Security Automation
Pragmatic Cloud Security AutomationPragmatic Cloud Security Automation
Pragmatic Cloud Security Automation
 
Lacework Overview: Security Redefined for Cloud Scale
Lacework Overview: Security Redefined for Cloud ScaleLacework Overview: Security Redefined for Cloud Scale
Lacework Overview: Security Redefined for Cloud Scale
 
Automating Threat Detection and Remediation at ZocDoc
Automating Threat Detection and Remediation at ZocDocAutomating Threat Detection and Remediation at ZocDoc
Automating Threat Detection and Remediation at ZocDoc
 
Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?
 
Lacework for AWS Security Overview
Lacework for AWS Security OverviewLacework for AWS Security Overview
Lacework for AWS Security Overview
 
Lacework Kubernetes Meetup | August 28, 2018
Lacework Kubernetes Meetup | August 28, 2018Lacework Kubernetes Meetup | August 28, 2018
Lacework Kubernetes Meetup | August 28, 2018
 
A Tale of Security & Ops Teamwork for Rapid Security Incident Resolution
A Tale of Security & Ops Teamwork for Rapid Security Incident ResolutionA Tale of Security & Ops Teamwork for Rapid Security Incident Resolution
A Tale of Security & Ops Teamwork for Rapid Security Incident Resolution
 
Incident Response on AWS - A Practical Look.pdf
Incident Response on AWS - A Practical Look.pdfIncident Response on AWS - A Practical Look.pdf
Incident Response on AWS - A Practical Look.pdf
 
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
 
Securing aws workloads with embedded application security
Securing aws workloads with embedded application securitySecuring aws workloads with embedded application security
Securing aws workloads with embedded application security
 
Lacework slides from AWS Meetups
Lacework slides from AWS MeetupsLacework slides from AWS Meetups
Lacework slides from AWS Meetups
 
Defcon 27 - Exploiting IAM in GCP
Defcon 27 - Exploiting IAM in GCPDefcon 27 - Exploiting IAM in GCP
Defcon 27 - Exploiting IAM in GCP
 
EKS security best practices
EKS security best practicesEKS security best practices
EKS security best practices
 

Similar to Phishing in the cloud era

Phishing in the Cloud Era (BSides)
Phishing in the Cloud Era (BSides)Phishing in the Cloud Era (BSides)
Phishing in the Cloud Era (BSides)Netskope
 
Developing Secure Web Apps
Developing Secure Web AppsDeveloping Secure Web Apps
Developing Secure Web AppsMark Garratt
 
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload ProtectionReducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload ProtectionAlert Logic
 
Wrong slides! Please check description for correct deck
Wrong slides! Please check description for correct deck Wrong slides! Please check description for correct deck
Wrong slides! Please check description for correct deck Benedek Menesi
 
Unit 4 -Cloud Computing and security
Unit 4 -Cloud Computing and securityUnit 4 -Cloud Computing and security
Unit 4 -Cloud Computing and securityMonishaNehkal
 
Netskope Threat Labs: Cloud As an Attack Vector
Netskope Threat Labs: Cloud As an Attack VectorNetskope Threat Labs: Cloud As an Attack Vector
Netskope Threat Labs: Cloud As an Attack VectorNetskope
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionAlert Logic
 
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118AngelaHoltby
 
Case Study: Q2 2014 Global DDoS Attack Report | Akamai Document
Case Study:  Q2 2014 Global DDoS Attack Report | Akamai  DocumentCase Study:  Q2 2014 Global DDoS Attack Report | Akamai  Document
Case Study: Q2 2014 Global DDoS Attack Report | Akamai DocumentProlexic
 
Maturing Your Organization from DevOps to DevSecOps
Maturing Your Organization from DevOps to DevSecOpsMaturing Your Organization from DevOps to DevSecOps
Maturing Your Organization from DevOps to DevSecOpsAmazon Web Services
 
Maturing your organization from DevOps to DevSecOps
Maturing your organization from DevOps to DevSecOpsMaturing your organization from DevOps to DevSecOps
Maturing your organization from DevOps to DevSecOpsAmazon Web Services
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017TriNimbus
 
Microsoft365 from a Hacker's Perspective
Microsoft365 from a Hacker's PerspectiveMicrosoft365 from a Hacker's Perspective
Microsoft365 from a Hacker's PerspectiveBenedek Menesi
 
Threat modeling with architectural risk patterns
Threat modeling with architectural risk patternsThreat modeling with architectural risk patterns
Threat modeling with architectural risk patternsStephen de Vries
 
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...Priyanka Aash
 
Cloud Security Engineering - Tools and Techniques
Cloud Security Engineering - Tools and TechniquesCloud Security Engineering - Tools and Techniques
Cloud Security Engineering - Tools and TechniquesGokul Alex
 

Similar to Phishing in the cloud era (20)

Phishing in the Cloud Era (BSides)
Phishing in the Cloud Era (BSides)Phishing in the Cloud Era (BSides)
Phishing in the Cloud Era (BSides)
 
Developing Secure Web Apps
Developing Secure Web AppsDeveloping Secure Web Apps
Developing Secure Web Apps
 
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload ProtectionReducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
 
Wrong slides! Please check description for correct deck
Wrong slides! Please check description for correct deck Wrong slides! Please check description for correct deck
Wrong slides! Please check description for correct deck
 
Unit 4 -Cloud Computing and security
Unit 4 -Cloud Computing and securityUnit 4 -Cloud Computing and security
Unit 4 -Cloud Computing and security
 
Netskope Threat Labs: Cloud As an Attack Vector
Netskope Threat Labs: Cloud As an Attack VectorNetskope Threat Labs: Cloud As an Attack Vector
Netskope Threat Labs: Cloud As an Attack Vector
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
 
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
 
Case Study: Q2 2014 Global DDoS Attack Report | Akamai Document
Case Study:  Q2 2014 Global DDoS Attack Report | Akamai  DocumentCase Study:  Q2 2014 Global DDoS Attack Report | Akamai  Document
Case Study: Q2 2014 Global DDoS Attack Report | Akamai Document
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
 
Gg2511351142
Gg2511351142Gg2511351142
Gg2511351142
 
Gg2511351142
Gg2511351142Gg2511351142
Gg2511351142
 
Maturing Your Organization from DevOps to DevSecOps
Maturing Your Organization from DevOps to DevSecOpsMaturing Your Organization from DevOps to DevSecOps
Maturing Your Organization from DevOps to DevSecOps
 
Maturing your organization from DevOps to DevSecOps
Maturing your organization from DevOps to DevSecOpsMaturing your organization from DevOps to DevSecOps
Maturing your organization from DevOps to DevSecOps
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
 
Microsoft365 from a Hacker's Perspective
Microsoft365 from a Hacker's PerspectiveMicrosoft365 from a Hacker's Perspective
Microsoft365 from a Hacker's Perspective
 
GRC Dynamics in Securing Cloud
GRC Dynamics in Securing CloudGRC Dynamics in Securing Cloud
GRC Dynamics in Securing Cloud
 
Threat modeling with architectural risk patterns
Threat modeling with architectural risk patternsThreat modeling with architectural risk patterns
Threat modeling with architectural risk patterns
 
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
 
Cloud Security Engineering - Tools and Techniques
Cloud Security Engineering - Tools and TechniquesCloud Security Engineering - Tools and Techniques
Cloud Security Engineering - Tools and Techniques
 

Recently uploaded

Concrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptxConcrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptxKartikeyaDwivedi3
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AIabhishek36461
 
Class 1 | NFPA 72 | Overview Fire Alarm System
Class 1 | NFPA 72 | Overview Fire Alarm SystemClass 1 | NFPA 72 | Overview Fire Alarm System
Class 1 | NFPA 72 | Overview Fire Alarm Systemirfanmechengr
 
welding defects observed during the welding
welding defects observed during the weldingwelding defects observed during the welding
welding defects observed during the weldingMuhammadUzairLiaqat
 
Industrial Safety Unit-IV workplace health and safety.ppt
Industrial Safety Unit-IV workplace health and safety.pptIndustrial Safety Unit-IV workplace health and safety.ppt
Industrial Safety Unit-IV workplace health and safety.pptNarmatha D
 
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsyncWhy does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsyncssuser2ae721
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionDr.Costas Sachpazis
 
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor CatchersTechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catcherssdickerson1
 
Earthing details of Electrical Substation
Earthing details of Electrical SubstationEarthing details of Electrical Substation
Earthing details of Electrical Substationstephanwindworld
 
Energy Awareness training ppt for manufacturing process.pptx
Energy Awareness training ppt for manufacturing process.pptxEnergy Awareness training ppt for manufacturing process.pptx
Energy Awareness training ppt for manufacturing process.pptxsiddharthjain2303
 
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfg
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfgUnit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfg
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfgsaravananr517913
 
NO1 Certified Black Magic Specialist Expert Amil baba in Uae Dubai Abu Dhabi ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uae Dubai Abu Dhabi ...NO1 Certified Black Magic Specialist Expert Amil baba in Uae Dubai Abu Dhabi ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uae Dubai Abu Dhabi ...Amil Baba Dawood bangali
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort servicejennyeacort
 
Solving The Right Triangles PowerPoint 2.ppt
Solving The Right Triangles PowerPoint 2.pptSolving The Right Triangles PowerPoint 2.ppt
Solving The Right Triangles PowerPoint 2.pptJasonTagapanGulla
 
US Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of ActionUS Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of ActionMebane Rash
 
Work Experience-Dalton Park.pptxfvvvvvvv
Work Experience-Dalton Park.pptxfvvvvvvvWork Experience-Dalton Park.pptxfvvvvvvv
Work Experience-Dalton Park.pptxfvvvvvvvLewisJB
 
Input Output Management in Operating System
Input Output Management in Operating SystemInput Output Management in Operating System
Input Output Management in Operating SystemRashmi Bhat
 

Recently uploaded (20)

young call girls in Green Park🔝 9953056974 🔝 escort Service
young call girls in Green Park🔝 9953056974 🔝 escort Serviceyoung call girls in Green Park🔝 9953056974 🔝 escort Service
young call girls in Green Park🔝 9953056974 🔝 escort Service
 
Concrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptxConcrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptx
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AI
 
Class 1 | NFPA 72 | Overview Fire Alarm System
Class 1 | NFPA 72 | Overview Fire Alarm SystemClass 1 | NFPA 72 | Overview Fire Alarm System
Class 1 | NFPA 72 | Overview Fire Alarm System
 
welding defects observed during the welding
welding defects observed during the weldingwelding defects observed during the welding
welding defects observed during the welding
 
Industrial Safety Unit-IV workplace health and safety.ppt
Industrial Safety Unit-IV workplace health and safety.pptIndustrial Safety Unit-IV workplace health and safety.ppt
Industrial Safety Unit-IV workplace health and safety.ppt
 
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsyncWhy does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
 
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor CatchersTechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
 
Earthing details of Electrical Substation
Earthing details of Electrical SubstationEarthing details of Electrical Substation
Earthing details of Electrical Substation
 
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
 
Energy Awareness training ppt for manufacturing process.pptx
Energy Awareness training ppt for manufacturing process.pptxEnergy Awareness training ppt for manufacturing process.pptx
Energy Awareness training ppt for manufacturing process.pptx
 
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfg
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfgUnit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfg
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfg
 
NO1 Certified Black Magic Specialist Expert Amil baba in Uae Dubai Abu Dhabi ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uae Dubai Abu Dhabi ...NO1 Certified Black Magic Specialist Expert Amil baba in Uae Dubai Abu Dhabi ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uae Dubai Abu Dhabi ...
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
 
Solving The Right Triangles PowerPoint 2.ppt
Solving The Right Triangles PowerPoint 2.pptSolving The Right Triangles PowerPoint 2.ppt
Solving The Right Triangles PowerPoint 2.ppt
 
US Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of ActionUS Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of Action
 
Work Experience-Dalton Park.pptxfvvvvvvv
Work Experience-Dalton Park.pptxfvvvvvvvWork Experience-Dalton Park.pptxfvvvvvvv
Work Experience-Dalton Park.pptxfvvvvvvv
 
Input Output Management in Operating System
Input Output Management in Operating SystemInput Output Management in Operating System
Input Output Management in Operating System
 
POWER SYSTEMS-1 Complete notes examples
POWER SYSTEMS-1 Complete notes  examplesPOWER SYSTEMS-1 Complete notes  examples
POWER SYSTEMS-1 Complete notes examples
 

Phishing in the cloud era

  • 1. Phishing in the cloud era Ashwin Vamshi & Abhinav Singh
  • 2. ❖ Staff Security Research Engineer, Netskope ➢ Innate interest in targeted attacks and malwares using cloud services. ➢ Identifying malwares, campaigns and threat actors using ‘cloud as an attack vector’ Ashwin Vamshi 2
  • 3. Abhinav Singh ❖ Staff Security Research Engineer, Netskope ➢ Background in Malware research, reverse engineering, incident response and cloud security. ➢ Author and speaker. 3
  • 6. Attacks “at the scale of cloud” • Wide-scale adoption of cloud services by cybercriminals with a large upscale around phishing attacks. • The phished baits are designed to mimic login pages of popular cloud services • Phishing attacks hosted in the cloud are highly effective and hard to detect. • Example - Phishing website with a Microsoft domain and a Microsoft- issued SSL certificate, asking for Office 365 credentials. 6
  • 7. 7 BEC- It Still Exists!! Source: Fincen.gov
  • 8. BEC in the cloud era - Problem statement • Attacks with SSL certificates/Cloud services to appear legitimate. • Tricks corporate users that are savvy enough to check that the domain and SSL certificate of a website is from a trusted origin. • Slow take-downs, fast recovery. 8
  • 9. 1. PhaaS - Phishing as a Service Cloud Abuse techniques
  • 10. PhaaS - Attack Description • Cloud hosted Phishing-as-a-Service cyber-crime model. • Click, Build & Host. • Flexible plans with wide variety of payment options being accepted. • Additional features like user training, 24/7 customer support and remote monitoring. 10
  • 12. Hackshit – Infection Monitoring Page 12 • The phished baits were served with SSL certificates signed by LetsEncrypt or Comodo. • TLD’s: “moe”, “tn”, “cat”, “wtf”, and “space”. • These websites were clones built using a file uploading and sharing platform named Pomf. • Pomf clones not indexed by search engines.
  • 13. Hackshit – Source Code View 13
  • 14. Hackshit - Pointers • Recorded the victims credentials via websocket service hosted in the cloud. • Shift of service: Amazon > Evennode > Now. • Takedowns → resurface and reuse attack elements. • Classic example of reusing the same attack elements onto new cloud accounts. 14
  • 15. 15
  • 16. 2. Phishing Attacks Hosted via Public Cloud 16 Abusing popular cloud SaaS, IaaS applications like Google Drive, Dropbox, OneDrive, Azuresites, Googlesites etc. Infection vector Email attachment → Decoy documents Specifically targets corporate users using cloud applications.
  • 18. Phish → Microsoft-issued SSL certificate & Microsoft-owned domain 18
  • 19. Phishing webpage hosted in Azure blob storage 19
  • 20. 3. Cloud Fan-out Effect • Infection spreading through the default Sync-&- Share property of SaaS services. • Use of collaboration tools that automatically sync email attachments to SaaS apps. • Self inflicted propagation of malicious file across the peer network. • Even if unsuccessful- may leave the target vulnerable to future attacks. (Default Allow Policy) 20
  • 21. CloudPhishing Fan-out – Case Study A victim inadvertently shares the phishing document with colleagues, whether internal or external, via a cloud service. Secondary propagation vector. Shared users lose the context of the document’s external origin and may trust the internally shared document as if it were created internally.
  • 22. CloudPhishing Fan Out- Case Study 22
  • 23. Document Decoys - Default Allow Policy & Annotations
  • 24. Attack Description - Default Allow Policy 24 ABUSES THE “DEFAULT ALLOW” POLICY FOR POPULAR PDF READERS. WARNING FROM PDF VIEWING APPLICATION POINTING TO AN EXTERNAL LINK CONNECTING TO THE CLOUD APPLICATION. FOR LEGITIMATE REASONS. THE NORTH ALWAYS “REMEMBERS”
  • 25. Case Study - Zoom Zoom!! 25
  • 26. Case Study II – PDF Annotations 26
  • 27. Attack Description - PDF Annotations 27 Indicates that the attackers plan to reuse the decoy template by appending new links when the URL is taken down. Annotations mostly carried out using RAD PDF annotator by threat actors. Attack campaign artifacts are simply being reused by the malware author to rapidly adapt to malicious file takedowns.
  • 28. Targeted attacks abusing Google Cloud Platform Open Redirection
  • 29. Attack Description • Phishing email containing PDF decoy document which points to Google app engine. • Abuses Google Cloud app engine’s open redirection to deliver malware. • A design weakness that allows the attacker to construct a redirection chain. • The URL redirection case falls under the category of Unvalidated Redirects and Forwards as per OWASP. 29
  • 30. GCP Open redirection chain The user is logged out from appengine.google.com and a response status code ‘302’ is generated for URL redirection. – As this action gets executed, the user is in turn redirected to google.com/url using the query “?continue=”. – Using this redirection logic, the destination landing page is reached. • These Themed decoys primarily targeted governments, banking and financial firms worldwide via phishing emails sent by the attackers posing as legitimate customers of those institutions.
  • 31. Motivation behind abusing cloud services 31 Ease of use and abuse. Reduces the infrastructure overhead. Way more powerful than traditional hosting or computing services. Significantly cheaper than traditional attack methods (No DGA or BPH needed). Gives attackers protection by default (encrypted traffic, API driven communication etc).
  • 32. Conclusion 32 Cloud adoption helps organizations in improving their IT infrastructure and control cost. Its rapid adoption has also caught the attention of cyber criminals who are financially motivated. Cloud Solution Providers (CSP) have adopted the concept of shared responsibility model for securing the workloads. Organizations should carefully assess the risks and potential threats when moving towards the cloud.