Uploaded byCloudVillage
PDF, PPTX5,120 views

Phishing in the cloud era

The document discusses the rise of phishing attacks leveraging cloud services, emphasizing how attackers utilize legitimate cloud platforms to disguise malicious activity. It highlights various phishing techniques, including Phishing-as-a-Service (PhaaS) and cloud-based malware distribution, which often exploit default settings and SSL certifications to appear authentic. The conclusion warns organizations about the inherent risks associated with cloud adoption and the need for vigilant security measures to combat these evolving threats.

Embed presentation

Download as PDF, PPTX
Phishing in the cloud era Ashwin Vamshi & Abhinav Singh
❖ Staff Security Research Engineer, Netskope ➢ Innate interest in targeted attacks and malwares using cloud services. ➢ Identifying malwares, campaigns and threat actors using ‘cloud as an attack vector’ Ashwin Vamshi 2
Abhinav Singh ❖ Staff Security Research Engineer, Netskope ➢ Background in Malware research, reverse engineering, incident response and cloud security. ➢ Author and speaker. 3
Agenda 4 Introduction Cloud abuse techniques and case-studies Motivation behind abusing cloud Conclusion
Cloud Adoption Trend 5
Attacks “at the scale of cloud” • Wide-scale adoption of cloud services by cybercriminals with a large upscale around phishing attacks. • The phished baits are designed to mimic login pages of popular cloud services • Phishing attacks hosted in the cloud are highly effective and hard to detect. • Example - Phishing website with a Microsoft domain and a Microsoft- issued SSL certificate, asking for Office 365 credentials. 6
7 BEC- It Still Exists!! Source: Fincen.gov
BEC in the cloud era - Problem statement • Attacks with SSL certificates/Cloud services to appear legitimate. • Tricks corporate users that are savvy enough to check that the domain and SSL certificate of a website is from a trusted origin. • Slow take-downs, fast recovery. 8
1. PhaaS - Phishing as a Service Cloud Abuse techniques
PhaaS - Attack Description • Cloud hosted Phishing-as-a-Service cyber-crime model. • Click, Build & Host. • Flexible plans with wide variety of payment options being accepted. • Additional features like user training, 24/7 customer support and remote monitoring. 10
Hackshit – Case-study 11
Hackshit – Infection Monitoring Page 12 • The phished baits were served with SSL certificates signed by LetsEncrypt or Comodo. • TLD’s: “moe”, “tn”, “cat”, “wtf”, and “space”. • These websites were clones built using a file uploading and sharing platform named Pomf. • Pomf clones not indexed by search engines.
Hackshit – Source Code View 13
Hackshit - Pointers • Recorded the victims credentials via websocket service hosted in the cloud. • Shift of service: Amazon > Evennode > Now. • Takedowns → resurface and reuse attack elements. • Classic example of reusing the same attack elements onto new cloud accounts. 14
15
2. Phishing Attacks Hosted via Public Cloud 16 Abusing popular cloud SaaS, IaaS applications like Google Drive, Dropbox, OneDrive, Azuresites, Googlesites etc. Infection vector Email attachment → Decoy documents Specifically targets corporate users using cloud applications.
17 Malicious PDF Attachments – Case-study
Phish → Microsoft-issued SSL certificate & Microsoft-owned domain 18
Phishing webpage hosted in Azure blob storage 19
3. Cloud Fan-out Effect • Infection spreading through the default Sync-&- Share property of SaaS services. • Use of collaboration tools that automatically sync email attachments to SaaS apps. • Self inflicted propagation of malicious file across the peer network. • Even if unsuccessful- may leave the target vulnerable to future attacks. (Default Allow Policy) 20
CloudPhishing Fan-out – Case Study A victim inadvertently shares the phishing document with colleagues, whether internal or external, via a cloud service. Secondary propagation vector. Shared users lose the context of the document’s external origin and may trust the internally shared document as if it were created internally.
CloudPhishing Fan Out- Case Study 22
Document Decoys - Default Allow Policy & Annotations
Attack Description - Default Allow Policy 24 ABUSES THE “DEFAULT ALLOW” POLICY FOR POPULAR PDF READERS. WARNING FROM PDF VIEWING APPLICATION POINTING TO AN EXTERNAL LINK CONNECTING TO THE CLOUD APPLICATION. FOR LEGITIMATE REASONS. THE NORTH ALWAYS “REMEMBERS”
Case Study - Zoom Zoom!! 25
Case Study II – PDF Annotations 26
Attack Description - PDF Annotations 27 Indicates that the attackers plan to reuse the decoy template by appending new links when the URL is taken down. Annotations mostly carried out using RAD PDF annotator by threat actors. Attack campaign artifacts are simply being reused by the malware author to rapidly adapt to malicious file takedowns.
Targeted attacks abusing Google Cloud Platform Open Redirection
Attack Description • Phishing email containing PDF decoy document which points to Google app engine. • Abuses Google Cloud app engine’s open redirection to deliver malware. • A design weakness that allows the attacker to construct a redirection chain. • The URL redirection case falls under the category of Unvalidated Redirects and Forwards as per OWASP. 29
GCP Open redirection chain The user is logged out from appengine.google.com and a response status code ‘302’ is generated for URL redirection. – As this action gets executed, the user is in turn redirected to google.com/url using the query “?continue=”. – Using this redirection logic, the destination landing page is reached. • These Themed decoys primarily targeted governments, banking and financial firms worldwide via phishing emails sent by the attackers posing as legitimate customers of those institutions.
Motivation behind abusing cloud services 31 Ease of use and abuse. Reduces the infrastructure overhead. Way more powerful than traditional hosting or computing services. Significantly cheaper than traditional attack methods (No DGA or BPH needed). Gives attackers protection by default (encrypted traffic, API driven communication etc).
Conclusion 32 Cloud adoption helps organizations in improving their IT infrastructure and control cost. Its rapid adoption has also caught the attention of cyber criminals who are financially motivated. Cloud Solution Providers (CSP) have adopted the concept of shared responsibility model for securing the workloads. Organizations should carefully assess the risks and potential threats when moving towards the cloud.
https://www.netskope.com/resources/netskope-threat-research-labs 33 Thankyou!! Netskope Threat Research Labs

More Related Content

PPTX
Defcon 27 - Phishing in the Cloud Era
byNetskope
 
PDF
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
byCloudVillage
 
PDF
Keynote - Cloudy Vision: How Cloud Integration Complicates Security
byCloudVillage
 
PDF
MozDef Workshop slide
byCloudVillage
 
PDF
Using Splunk/ELK for auditing AWS/GCP/Azure security posture
byJose Hernandez
 
PPTX
Your Blacklist is Dead: Why the Future of Command and Control is the Cloud
byCloudVillage
 
PDF
Mining Malevolence: Cryptominers in the Cloud
byCloudVillage
 
PPTX
Scaling Security in the Cloud With Open Source
byCloudVillage
 
Defcon 27 - Phishing in the Cloud Era
byNetskope
 
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
byCloudVillage
 
Keynote - Cloudy Vision: How Cloud Integration Complicates Security
byCloudVillage
 
MozDef Workshop slide
byCloudVillage
 
Using Splunk/ELK for auditing AWS/GCP/Azure security posture
byJose Hernandez
 
Your Blacklist is Dead: Why the Future of Command and Control is the Cloud
byCloudVillage
 
Mining Malevolence: Cryptominers in the Cloud
byCloudVillage
 
Scaling Security in the Cloud With Open Source
byCloudVillage
 

What's hot

PDF
Exploiting IAM in the google cloud platform - dani_goland_mohsan_farid
byCloudVillage
 
PDF
Lacework slides from AWS Meetups
byJohn Varghese
 
PPTX
Are You Ready for a Cloud Pentest?
by2nd Sight Lab
 
PDF
Deception & AWS: Adding Fog to EC2 & S3
byCymmetria
 
PPTX
Lacework Overview: Security Redefined for Cloud Scale
byLacework
 
PPTX
Lacework AWS Security Week Presentation
byLacework
 
PPTX
Defcon 27 - Exploiting IAM in GCP
byNetskope
 
PPTX
Lacework for AWS Security Overview
byLacework
 
PPTX
EKS security best practices
byJohn Varghese
 
PPTX
Lacework | Top 10 Cloud Security Threats
byLacework
 
PPTX
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
byLacework
 
PDF
Securing aws workloads with embedded application security
byJohn Varghese
 
PPTX
Automated Intrusion Detection and Response on AWS
by2nd Sight Lab
 
PDF
Pragmatic Cloud Security Automation
byCloudVillage
 
PPTX
Lacework Kubernetes Meetup | August 28, 2018
byLacework
 
PPTX
AWS Security Strategy
by2nd Sight Lab
 
PPTX
Of CORS thats a thing how CORS in the cloud still kills security
byJohn Varghese
 
Exploiting IAM in the google cloud platform - dani_goland_mohsan_farid
byCloudVillage
 
Lacework slides from AWS Meetups
byJohn Varghese
 
Are You Ready for a Cloud Pentest?
by2nd Sight Lab
 
Deception & AWS: Adding Fog to EC2 & S3
byCymmetria
 
Lacework Overview: Security Redefined for Cloud Scale
byLacework
 
Lacework AWS Security Week Presentation
byLacework
 
Defcon 27 - Exploiting IAM in GCP
byNetskope
 
Lacework for AWS Security Overview
byLacework
 
EKS security best practices
byJohn Varghese
 
Lacework | Top 10 Cloud Security Threats
byLacework
 
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
byLacework
 
Securing aws workloads with embedded application security
byJohn Varghese
 
Automated Intrusion Detection and Response on AWS
by2nd Sight Lab
 
Pragmatic Cloud Security Automation
byCloudVillage
 
Lacework Kubernetes Meetup | August 28, 2018
byLacework
 
AWS Security Strategy
by2nd Sight Lab
 
Of CORS thats a thing how CORS in the cloud still kills security
byJohn Varghese
 

Similar to Phishing in the cloud era

PDF
Phishing in the Cloud Era (BSides)
byNetskope
 
PDF
Web App Security Presentation by Ryan Holland - 05-31-2017
byTriNimbus
 
PPTX
Netskope Threat Labs: Cloud As an Attack Vector
byNetskope
 
PDF
DEF CON 25 - Gerald-Steere-and-Sean-Metcalf-Hacking-the-Cloud.pdf
bywerhkr1
 
PDF
CLOUD & ETHICAL HACKING INTRODUCTION PDF
byArunIsaac5
 
PDF
Anatomy of a Cloud Hack
byNotSoSecure Global Services
 
PDF
Top 10 Threats to Cloud Security
bySBWebinars
 
PDF
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
byAngelaHoltby
 
PPT
CyberCrime in the Cloud and How to defend Yourself
byAlert Logic
 
PDF
Threats, Threat Modeling and Analysis
byIan G
 
PPTX
Proteja sus datos en cualquier servicio Cloud y Web de forma unificada
byCristian Garcia G.
 
PPTX
Top Application Security Trends of 2012
byDaveEdwards12
 
PDF
MalCon Future of Security
byNetskope
 
DOCX
Cloud Computing Security
byAhmed Banafa
 
PDF
Security in the cloud protecting your cloud apps
byCenzic
 
PDF
Presd1 10
byNiels Groeneveld
 
PDF
Seclud it polesc_sjuly7
bySergio Loureiro
 
PPTX
CloudPassage Overview
byCloudPassage
 
PDF
Openbar Leuven // Safety first... in the Cloud by Koen Jacobs
byOpenbar
 
PPTX
Breakfast Briefings - February 2018
byPKF Francis Clark
 
Phishing in the Cloud Era (BSides)
byNetskope
 
Web App Security Presentation by Ryan Holland - 05-31-2017
byTriNimbus
 
Netskope Threat Labs: Cloud As an Attack Vector
byNetskope
 
DEF CON 25 - Gerald-Steere-and-Sean-Metcalf-Hacking-the-Cloud.pdf
bywerhkr1
 
CLOUD & ETHICAL HACKING INTRODUCTION PDF
byArunIsaac5
 
Anatomy of a Cloud Hack
byNotSoSecure Global Services
 
Top 10 Threats to Cloud Security
bySBWebinars
 
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
byAngelaHoltby
 
CyberCrime in the Cloud and How to defend Yourself
byAlert Logic
 
Threats, Threat Modeling and Analysis
byIan G
 
Proteja sus datos en cualquier servicio Cloud y Web de forma unificada
byCristian Garcia G.
 
Top Application Security Trends of 2012
byDaveEdwards12
 
MalCon Future of Security
byNetskope
 
Cloud Computing Security
byAhmed Banafa
 
Security in the cloud protecting your cloud apps
byCenzic
 
Presd1 10
byNiels Groeneveld
 
Seclud it polesc_sjuly7
bySergio Loureiro
 
CloudPassage Overview
byCloudPassage
 
Openbar Leuven // Safety first... in the Cloud by Koen Jacobs
byOpenbar
 
Breakfast Briefings - February 2018
byPKF Francis Clark
 

Recently uploaded

PDF
Prospective TIA Challenges and Enhancements
byM Maged Hegazy, LLM, MBA, CCP, P3O
 
PDF
I am sharing 'AI in power station ' with you - Hari A K.pdf
bypugalaiml123
 
PDF
Layer 1 Blockchain Ecosystem — Executive Brief (Jan 2026)
byGarima Singh
 
PDF
LSI_Logic_Design_Chapter_1_for_computer_engineer.pdf
bykumathong
 
PDF
Introduction to Human Computer Interaction .pdf
byakankshanagdeve3
 
PDF
lecture on Microprocessor: 8288 bus controller
bysandeshupadhayay989
 
PDF
RESULTADOS_SIMULACRO_PRECOAR_SB_14_12.pdf
bychiricatora
 
PPTX
22PEOIT4C Session 11 Min Max Algorithm.pptx
byGuru Nanak Technical Institutions
 
PPTX
TR334_Foundation_Engineering_I_Slope stability _i.pptx
byalexander402774
 
PPT
Steam generation , types of steam, boilers and their classifications, mountin...
byPrashantPatunkar1
 
PPTX
GROUND BASED SENSOR it in agriculture system
bycmuthupriya
 
PPTX
PQ CHP-2 is about passive pq problems and
bySureshEtukuriE1
 
PPTX
22PEOIT4C Session 10 Adversarial Search.pptx
byGuru Nanak Technical Institutions
 
PDF
BO049FHDMO 0.49 Inch Micro OLED Datasheet
bySyluxdisplay
 
PPTX
AI-Module1..pptx module 1 Introduction to Ai
bydeekshithkumark66
 
PPTX
ML Unit - III__________________________________________________.pptx
byvuresting6268
 
PPTX
GAS FLOW ANALYZER gas flow analyser mnachine
byanantcyrix
 
PPTX
NAGASHASTRA loitering munition missile.pptx
byprakharyash2000
 
PPTX
Semiconductor diodes ppt and also characteristics
bynivishnasece
 
PPTX
mod 2 properties of fresh and haredened .pptx
bytkmmullonkal
 
Prospective TIA Challenges and Enhancements
byM Maged Hegazy, LLM, MBA, CCP, P3O
 
I am sharing 'AI in power station ' with you - Hari A K.pdf
bypugalaiml123
 
Layer 1 Blockchain Ecosystem — Executive Brief (Jan 2026)
byGarima Singh
 
LSI_Logic_Design_Chapter_1_for_computer_engineer.pdf
bykumathong
 
Introduction to Human Computer Interaction .pdf
byakankshanagdeve3
 
lecture on Microprocessor: 8288 bus controller
bysandeshupadhayay989
 
RESULTADOS_SIMULACRO_PRECOAR_SB_14_12.pdf
bychiricatora
 
22PEOIT4C Session 11 Min Max Algorithm.pptx
byGuru Nanak Technical Institutions
 
TR334_Foundation_Engineering_I_Slope stability _i.pptx
byalexander402774
 
Steam generation , types of steam, boilers and their classifications, mountin...
byPrashantPatunkar1
 
GROUND BASED SENSOR it in agriculture system
bycmuthupriya
 
PQ CHP-2 is about passive pq problems and
bySureshEtukuriE1
 
22PEOIT4C Session 10 Adversarial Search.pptx
byGuru Nanak Technical Institutions
 
BO049FHDMO 0.49 Inch Micro OLED Datasheet
bySyluxdisplay
 
AI-Module1..pptx module 1 Introduction to Ai
bydeekshithkumark66
 
ML Unit - III__________________________________________________.pptx
byvuresting6268
 
GAS FLOW ANALYZER gas flow analyser mnachine
byanantcyrix
 
NAGASHASTRA loitering munition missile.pptx
byprakharyash2000
 
Semiconductor diodes ppt and also characteristics
bynivishnasece
 
mod 2 properties of fresh and haredened .pptx
bytkmmullonkal
 

Phishing in the cloud era

  • 1.
    Phishing in the cloudera Ashwin Vamshi & Abhinav Singh
  • 2.
    ❖ Staff SecurityResearch Engineer, Netskope ➢ Innate interest in targeted attacks and malwares using cloud services. ➢ Identifying malwares, campaigns and threat actors using ‘cloud as an attack vector’ Ashwin Vamshi 2
  • 3.
    Abhinav Singh ❖ StaffSecurity Research Engineer, Netskope ➢ Background in Malware research, reverse engineering, incident response and cloud security. ➢ Author and speaker. 3
  • 4.
  • 5.
  • 6.
    Attacks “at thescale of cloud” • Wide-scale adoption of cloud services by cybercriminals with a large upscale around phishing attacks. • The phished baits are designed to mimic login pages of popular cloud services • Phishing attacks hosted in the cloud are highly effective and hard to detect. • Example - Phishing website with a Microsoft domain and a Microsoft- issued SSL certificate, asking for Office 365 credentials. 6
  • 7.
    7 BEC- It StillExists!! Source: Fincen.gov
  • 8.
    BEC in thecloud era - Problem statement • Attacks with SSL certificates/Cloud services to appear legitimate. • Tricks corporate users that are savvy enough to check that the domain and SSL certificate of a website is from a trusted origin. • Slow take-downs, fast recovery. 8
  • 9.
    1. PhaaS -Phishing as a Service Cloud Abuse techniques
  • 10.
    PhaaS - AttackDescription • Cloud hosted Phishing-as-a-Service cyber-crime model. • Click, Build & Host. • Flexible plans with wide variety of payment options being accepted. • Additional features like user training, 24/7 customer support and remote monitoring. 10
  • 11.
  • 12.
    Hackshit – InfectionMonitoring Page 12 • The phished baits were served with SSL certificates signed by LetsEncrypt or Comodo. • TLD’s: “moe”, “tn”, “cat”, “wtf”, and “space”. • These websites were clones built using a file uploading and sharing platform named Pomf. • Pomf clones not indexed by search engines.
  • 13.
    Hackshit – SourceCode View 13
  • 14.
    Hackshit - Pointers •Recorded the victims credentials via websocket service hosted in the cloud. • Shift of service: Amazon > Evennode > Now. • Takedowns → resurface and reuse attack elements. • Classic example of reusing the same attack elements onto new cloud accounts. 14
  • 15.
  • 16.
    2. Phishing AttacksHosted via Public Cloud 16 Abusing popular cloud SaaS, IaaS applications like Google Drive, Dropbox, OneDrive, Azuresites, Googlesites etc. Infection vector Email attachment → Decoy documents Specifically targets corporate users using cloud applications.
  • 17.
  • 18.
    Phish → Microsoft-issuedSSL certificate & Microsoft-owned domain 18
  • 19.
    Phishing webpage hostedin Azure blob storage 19
  • 20.
    3. Cloud Fan-out Effect •Infection spreading through the default Sync-&- Share property of SaaS services. • Use of collaboration tools that automatically sync email attachments to SaaS apps. • Self inflicted propagation of malicious file across the peer network. • Even if unsuccessful- may leave the target vulnerable to future attacks. (Default Allow Policy) 20
  • 21.
    CloudPhishing Fan-out –Case Study A victim inadvertently shares the phishing document with colleagues, whether internal or external, via a cloud service. Secondary propagation vector. Shared users lose the context of the document’s external origin and may trust the internally shared document as if it were created internally.
  • 22.
  • 23.
    Document Decoys -Default Allow Policy & Annotations
  • 24.
    Attack Description -Default Allow Policy 24 ABUSES THE “DEFAULT ALLOW” POLICY FOR POPULAR PDF READERS. WARNING FROM PDF VIEWING APPLICATION POINTING TO AN EXTERNAL LINK CONNECTING TO THE CLOUD APPLICATION. FOR LEGITIMATE REASONS. THE NORTH ALWAYS “REMEMBERS”
  • 25.
    Case Study -Zoom Zoom!! 25
  • 26.
    Case Study II– PDF Annotations 26
  • 27.
    Attack Description -PDF Annotations 27 Indicates that the attackers plan to reuse the decoy template by appending new links when the URL is taken down. Annotations mostly carried out using RAD PDF annotator by threat actors. Attack campaign artifacts are simply being reused by the malware author to rapidly adapt to malicious file takedowns.
  • 28.
    Targeted attacks abusingGoogle Cloud Platform Open Redirection
  • 29.
    Attack Description • Phishingemail containing PDF decoy document which points to Google app engine. • Abuses Google Cloud app engine’s open redirection to deliver malware. • A design weakness that allows the attacker to construct a redirection chain. • The URL redirection case falls under the category of Unvalidated Redirects and Forwards as per OWASP. 29
  • 30.
    GCP Open redirectionchain The user is logged out from appengine.google.com and a response status code ‘302’ is generated for URL redirection. – As this action gets executed, the user is in turn redirected to google.com/url using the query “?continue=”. – Using this redirection logic, the destination landing page is reached. • These Themed decoys primarily targeted governments, banking and financial firms worldwide via phishing emails sent by the attackers posing as legitimate customers of those institutions.
  • 31.
    Motivation behind abusing cloud services 31 Ease of useand abuse. Reduces the infrastructure overhead. Way more powerful than traditional hosting or computing services. Significantly cheaper than traditional attack methods (No DGA or BPH needed). Gives attackers protection by default (encrypted traffic, API driven communication etc).
  • 32.
    Conclusion 32 Cloud adoption helpsorganizations in improving their IT infrastructure and control cost. Its rapid adoption has also caught the attention of cyber criminals who are financially motivated. Cloud Solution Providers (CSP) have adopted the concept of shared responsibility model for securing the workloads. Organizations should carefully assess the risks and potential threats when moving towards the cloud.
  • 33.