SlideShare ist ein Scribd-Unternehmen logo

Defcon 27 - Phishing in the Cloud Era

Als PPTX, PDF herunterladen
Netskope
Netskope

Defcon 27 talk

Technologie
1 von 33
Phishing in the cloud era Ashwin Vamshi & Abhinav Singh
❖ Staff Security Research Engineer, Netskope ➢ Innate interest in targeted attacks and malwares using cloud services. ➢ Identifying malwares, campaigns and threat actors using ‘cloud as an attack vector’ Ashwin Vamshi 2
Abhinav Singh ❖ Staff Security Research Engineer, Netskope ➢ Background in Malware research, reverse engineering, incident response and cloud security. ➢ Author and speaker. 3
Agenda 4 Introduction Cloud abuse techniques and case-studies Motivation behind abusing cloud Conclusion
Cloud Adoption Trend 5
Attacks “at the scale of cloud” • Wide-scale adoption of cloud services by cybercriminals with a large upscale around phishing attacks. • The phished baits are designed to mimic login pages of popular cloud services • Phishing attacks hosted in the cloud are highly effective and hard to detect. • Example - Phishing website with a Microsoft domain and a Microsoft- issued SSL certificate, asking for Office 365 credentials. 6
7 BEC- It Still Exists!! Source: Fincen.gov
BEC in the cloud era - Problem statement • Attacks with SSL certificates/Cloud services to appear legitimate. • Tricks corporate users that are savvy enough to check that the domain and SSL certificate of a website is from a trusted origin. • Slow take-downs, fast recovery. 8
1. PhaaS - Phishing as a Service Cloud Abuse techniques
PhaaS - Attack Description • Cloud hosted Phishing-as-a-Service cyber-crime model. • Click, Build & Host. • Flexible plans with wide variety of payment options being accepted. • Additional features like user training, 24/7 customer support and remote monitoring. 10
Hackshit – Case-study 11
Hackshit – Infection Monitoring Page 12 • The phished baits were served with SSL certificates signed by LetsEncrypt or Comodo. • TLD’s: “moe”, “tn”, “cat”, “wtf”, and “space”. • Websites were built using a file uploading and sharing platform named Pomf. • Pomf clones not indexed by search engines.
Hackshit – Source Code View 13
Hackshit - Pointers • Recorded the victims credentials via websocket service hosted in the cloud. • Shift of service: Amazon > Evennode > Now. • Takedowns → resurface and reuse attack elements. • Classic example of reusing the same attack elements onto new cloud accounts. 14
15
2. Phishing Attacks Hosted via Public Cloud 16 Abusing popular cloud SaaS, IaaS applications like Google Drive, Dropbox, OneDrive, Azuresites, Googlesites etc. Infection vector Email attachment → Decoy documents Specifically targets corporate users using cloud applications.
17 Malicious PDF Attachments – Case-study
Phish → Microsoft-issued SSL certificate & Microsoft-owned domain 18
Phishing webpage hosted in Azure blob storage 19
3. Cloud Fan-out Effect • Infection spreading through the default Sync-&- Share property of SaaS services. • Use of collaboration tools that automatically sync email attachments to SaaS apps. • Self inflicted propagation of malicious file across the peer network. • Even if unsuccessful- may leave the target vulnerable to future attacks. (Default Allow Policy) 20
CloudPhishing Fan-out – Case Study A victim inadvertently shares the phishing document with colleagues, whether internal or external, via a cloud service. Secondary propagation vector. Shared users lose the context of the document’s external origin and may trust the internally shared document as if it were created internally.
CloudPhishing Fan Out- Case Study 22
Document Decoys - Default Allow Policy & Annotations
Attack Description - Default Allow Policy 24 ABUSES THE “DEFAULT ALLOW” POLICY FOR POPULAR PDF READERS. WARNING FROM PDF VIEWING APPLICATION POINTING TO AN EXTERNAL LINK CONNECTING TO THE CLOUD APPLICATION. FOR LEGITIMATE REASONS. THE NORTH ALWAYS “REMEMBERS”
Case Study - Zoom Zoom!! 25
Case Study II – PDF Annotations 26
Attack Description - PDF Annotations 27 Indicates that the attackers plan to reuse the decoy template by appending new links when the URL is taken down. Annotations mostly carried out using RAD PDF annotator by threat actors. Attack campaign artifacts are simply being reused by the malware author to rapidly adapt to malicious file takedowns.
Targeted attacks abusing Google Cloud Platform Open Redirection
Attack Description • Phishing email containing PDF decoy document which points to Google app engine. • Abuses Google Cloud app engine’s open redirection to deliver malware. • A design weakness that allows the attacker to construct a redirection chain. • The URL redirection case falls under the category of Unvalidated Redirects and Forwards as per OWASP. 29
GCP Open redirection chain The user is logged out from appengine.google.com and a response status code ‘302’ is generated for URL redirection. – As this action gets executed, the user is in turn redirected to google.com/url using the query “?continue=”. – Using this redirection logic, the destination landing page is reached. • These Themed decoys primarily targeted governments, banking and financial firms worldwide via phishing emails sent by the attackers posing as legitimate customers of those institutions.
Motivation behind abusing cloud services 31 Ease of use and abuse. Reduces the infrastructure overhead. Way more powerful than traditional hosting or computing services. Significantly cheaper than traditional attack methods (No DGA or BPH needed). Gives attackers protection by default (encrypted traffic, API driven communication etc).
Conclusion 32 Cloud adoption helps organizations in improving their IT infrastructure and control cost. Its rapid adoption has also caught the attention of cyber criminals who are financially motivated. Cloud Solution Providers (CSP) have adopted the concept of shared responsibility model for securing the workloads. Organizations should carefully assess the risks and potential threats when moving towards the cloud.
https://www.netskope.com/resources/netskope-threat-research-labs 33 Thankyou!! Netskope Threat Research Labs

Empfohlen

Phishing in the Cloud Era (BSides)
Phishing in the Cloud Era (BSides)Phishing in the Cloud Era (BSides)
Phishing in the Cloud Era (BSides)
Netskope
 
Defcon 27 - The Future of Command and Control
Defcon 27 - The Future of Command and ControlDefcon 27 - The Future of Command and Control
Defcon 27 - The Future of Command and Control
Netskope
 
5 Highest-Impact CASB Use Cases - Office 365
5 Highest-Impact CASB Use Cases - Office 3655 Highest-Impact CASB Use Cases - Office 365
5 Highest-Impact CASB Use Cases - Office 365
Netskope
 
5 Highest-Impact CASB Use Cases
5 Highest-Impact CASB Use Cases5 Highest-Impact CASB Use Cases
5 Highest-Impact CASB Use Cases
Netskope
 
Defcon 27 - Exploiting IAM in GCP
Defcon 27 - Exploiting IAM in GCPDefcon 27 - Exploiting IAM in GCP
Defcon 27 - Exploiting IAM in GCP
Netskope
 
Phishing in the cloud era
Phishing in the cloud eraPhishing in the cloud era
Phishing in the cloud era
CloudVillage
 
Lacework AWS Security Week Presentation
Lacework AWS Security Week PresentationLacework AWS Security Week Presentation
Lacework AWS Security Week Presentation
Lacework
 
Lacework slides from AWS Meetups
Lacework slides from AWS MeetupsLacework slides from AWS Meetups
Lacework slides from AWS Meetups
John Varghese
 

Empfohlen

Phishing in the Cloud Era (BSides)
Phishing in the Cloud Era (BSides)Phishing in the Cloud Era (BSides)
Phishing in the Cloud Era (BSides)
Netskope
 
Defcon 27 - The Future of Command and Control
Defcon 27 - The Future of Command and ControlDefcon 27 - The Future of Command and Control
Defcon 27 - The Future of Command and Control
Netskope
 
5 Highest-Impact CASB Use Cases - Office 365
5 Highest-Impact CASB Use Cases - Office 3655 Highest-Impact CASB Use Cases - Office 365
5 Highest-Impact CASB Use Cases - Office 365
Netskope
 
5 Highest-Impact CASB Use Cases
5 Highest-Impact CASB Use Cases5 Highest-Impact CASB Use Cases
5 Highest-Impact CASB Use Cases
Netskope
 
Defcon 27 - Exploiting IAM in GCP
Defcon 27 - Exploiting IAM in GCPDefcon 27 - Exploiting IAM in GCP
Defcon 27 - Exploiting IAM in GCP
Netskope
 
Phishing in the cloud era
Phishing in the cloud eraPhishing in the cloud era
Phishing in the cloud era
CloudVillage
 
Lacework AWS Security Week Presentation
Lacework AWS Security Week PresentationLacework AWS Security Week Presentation
Lacework AWS Security Week Presentation
Lacework
 
Lacework slides from AWS Meetups
Lacework slides from AWS MeetupsLacework slides from AWS Meetups
Lacework slides from AWS Meetups
John Varghese
 
MozDef Workshop slide
MozDef Workshop slideMozDef Workshop slide
MozDef Workshop slide
CloudVillage
 
(SACON) Anant Shrivastava - cloud pentesting
(SACON) Anant Shrivastava - cloud pentesting(SACON) Anant Shrivastava - cloud pentesting
(SACON) Anant Shrivastava - cloud pentesting
Priyanka Aash
 
Mining Malevolence: Cryptominers in the Cloud
Mining Malevolence: Cryptominers in the CloudMining Malevolence: Cryptominers in the Cloud
Mining Malevolence: Cryptominers in the Cloud
CloudVillage
 
Lacework for AWS Security Overview
Lacework for AWS Security OverviewLacework for AWS Security Overview
Lacework for AWS Security Overview
Lacework
 
Lacework Overview: Security Redefined for Cloud Scale
Lacework Overview: Security Redefined for Cloud ScaleLacework Overview: Security Redefined for Cloud Scale
Lacework Overview: Security Redefined for Cloud Scale
Lacework
 
Stop Hackers with Integrated CASB & IDaaS Security
Stop Hackers with Integrated CASB & IDaaS SecurityStop Hackers with Integrated CASB & IDaaS Security
Stop Hackers with Integrated CASB & IDaaS Security
CloudLock
 
Cybersecurity-Serverless-Graph DB
Cybersecurity-Serverless-Graph DBCybersecurity-Serverless-Graph DB
Cybersecurity-Serverless-Graph DB
Sukumar Nayak
 
From The Hidden Internet: Lesson From 12 Months Of Monitoring
From The Hidden Internet: Lesson From 12 Months Of MonitoringFrom The Hidden Internet: Lesson From 12 Months Of Monitoring
From The Hidden Internet: Lesson From 12 Months Of Monitoring
Priyanka Aash
 
Securing aws workloads with embedded application security
Securing aws workloads with embedded application securitySecuring aws workloads with embedded application security
Securing aws workloads with embedded application security
John Varghese
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOps
Alert Logic
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
Alert Logic
 
#ALSummit: Realities of Security in the Cloud
#ALSummit: Realities of Security in the Cloud#ALSummit: Realities of Security in the Cloud
#ALSummit: Realities of Security in the Cloud
Alert Logic
 
Application layer attack trends through the lens of Cloudflare data
Application layer attack trends through the lens of Cloudflare dataApplication layer attack trends through the lens of Cloudflare data
Application layer attack trends through the lens of Cloudflare data
Cloudflare
 
PIE - BSides Vancouver 2018
PIE - BSides Vancouver 2018PIE - BSides Vancouver 2018
PIE - BSides Vancouver 2018
Greg Foss
 
Phishing Intelligence Engine - BlueHat v17
Phishing Intelligence Engine - BlueHat v17Phishing Intelligence Engine - BlueHat v17
Phishing Intelligence Engine - BlueHat v17
Greg Foss
 
Cloud Access Security Brokers - What's all the Hype
Cloud Access Security Brokers - What's all the HypeCloud Access Security Brokers - What's all the Hype
Cloud Access Security Brokers - What's all the Hype
JoAnna Cheshire
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
Alert Logic
 
Security O365 Using AI-based Advanced Threat Protection
Security O365 Using AI-based Advanced Threat ProtectionSecurity O365 Using AI-based Advanced Threat Protection
Security O365 Using AI-based Advanced Threat Protection
Bitglass
 
#ALSummit: Alert Logic & AWS - AWS Security Services
#ALSummit: Alert Logic & AWS - AWS Security Services#ALSummit: Alert Logic & AWS - AWS Security Services
#ALSummit: Alert Logic & AWS - AWS Security Services
Alert Logic
 
Cloud Crime Ops
Cloud Crime OpsCloud Crime Ops
Cloud Crime Ops
Greg Foss
 
Developing Secure Web Apps
Developing Secure Web AppsDeveloping Secure Web Apps
Developing Secure Web Apps
Mark Garratt
 
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload ProtectionReducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Alert Logic
 

Weitere ähnliche Inhalte

Was ist angesagt?

Mining Malevolence: Cryptominers in the Cloud
Mining Malevolence: Cryptominers in the CloudMining Malevolence: Cryptominers in the Cloud
Mining Malevolence: Cryptominers in the Cloud
CloudVillage
 
Lacework Overview: Security Redefined for Cloud Scale
Lacework Overview: Security Redefined for Cloud ScaleLacework Overview: Security Redefined for Cloud Scale
Lacework Overview: Security Redefined for Cloud Scale
Lacework
 
Cybersecurity-Serverless-Graph DB
Cybersecurity-Serverless-Graph DBCybersecurity-Serverless-Graph DB
Cybersecurity-Serverless-Graph DB
Sukumar Nayak
 
Security O365 Using AI-based Advanced Threat Protection
Security O365 Using AI-based Advanced Threat ProtectionSecurity O365 Using AI-based Advanced Threat Protection
Security O365 Using AI-based Advanced Threat Protection
Bitglass
 
Cloud Crime Ops
Cloud Crime OpsCloud Crime Ops
Cloud Crime Ops
Greg Foss
 

Was ist angesagt? (20)

MozDef Workshop slide
MozDef Workshop slideMozDef Workshop slide
MozDef Workshop slide
 
(SACON) Anant Shrivastava - cloud pentesting
(SACON) Anant Shrivastava - cloud pentesting(SACON) Anant Shrivastava - cloud pentesting
(SACON) Anant Shrivastava - cloud pentesting
 
Mining Malevolence: Cryptominers in the Cloud
Mining Malevolence: Cryptominers in the CloudMining Malevolence: Cryptominers in the Cloud
Mining Malevolence: Cryptominers in the Cloud
 
Lacework for AWS Security Overview
Lacework for AWS Security OverviewLacework for AWS Security Overview
Lacework for AWS Security Overview
 
Lacework Overview: Security Redefined for Cloud Scale
Lacework Overview: Security Redefined for Cloud ScaleLacework Overview: Security Redefined for Cloud Scale
Lacework Overview: Security Redefined for Cloud Scale
 
Stop Hackers with Integrated CASB & IDaaS Security
Stop Hackers with Integrated CASB & IDaaS SecurityStop Hackers with Integrated CASB & IDaaS Security
Stop Hackers with Integrated CASB & IDaaS Security
 
Cybersecurity-Serverless-Graph DB
Cybersecurity-Serverless-Graph DBCybersecurity-Serverless-Graph DB
Cybersecurity-Serverless-Graph DB
 
From The Hidden Internet: Lesson From 12 Months Of Monitoring
From The Hidden Internet: Lesson From 12 Months Of MonitoringFrom The Hidden Internet: Lesson From 12 Months Of Monitoring
From The Hidden Internet: Lesson From 12 Months Of Monitoring
 
Securing aws workloads with embedded application security
Securing aws workloads with embedded application securitySecuring aws workloads with embedded application security
Securing aws workloads with embedded application security
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOps
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
#ALSummit: Realities of Security in the Cloud
#ALSummit: Realities of Security in the Cloud#ALSummit: Realities of Security in the Cloud
#ALSummit: Realities of Security in the Cloud
 
Application layer attack trends through the lens of Cloudflare data
Application layer attack trends through the lens of Cloudflare dataApplication layer attack trends through the lens of Cloudflare data
Application layer attack trends through the lens of Cloudflare data
 
PIE - BSides Vancouver 2018
PIE - BSides Vancouver 2018PIE - BSides Vancouver 2018
PIE - BSides Vancouver 2018
 
Phishing Intelligence Engine - BlueHat v17
Phishing Intelligence Engine - BlueHat v17Phishing Intelligence Engine - BlueHat v17
Phishing Intelligence Engine - BlueHat v17
 
Cloud Access Security Brokers - What's all the Hype
Cloud Access Security Brokers - What's all the HypeCloud Access Security Brokers - What's all the Hype
Cloud Access Security Brokers - What's all the Hype
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
Security O365 Using AI-based Advanced Threat Protection
Security O365 Using AI-based Advanced Threat ProtectionSecurity O365 Using AI-based Advanced Threat Protection
Security O365 Using AI-based Advanced Threat Protection
 
#ALSummit: Alert Logic & AWS - AWS Security Services
#ALSummit: Alert Logic & AWS - AWS Security Services#ALSummit: Alert Logic & AWS - AWS Security Services
#ALSummit: Alert Logic & AWS - AWS Security Services
 
Cloud Crime Ops
Cloud Crime OpsCloud Crime Ops
Cloud Crime Ops
 

Ähnlich wie Defcon 27 - Phishing in the Cloud Era

Microsoft365 from a Hacker's Perspective
Microsoft365 from a Hacker's PerspectiveMicrosoft365 from a Hacker's Perspective
Microsoft365 from a Hacker's Perspective
Benedek Menesi
 
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Priyanka Aash
 
Office 365 in today's digital threats landscape: attacks & remedies from a ha...
Office 365 in today's digital threats landscape: attacks & remedies from a ha...Office 365 in today's digital threats landscape: attacks & remedies from a ha...
Office 365 in today's digital threats landscape: attacks & remedies from a ha...
panagenda
 

Ähnlich wie Defcon 27 - Phishing in the Cloud Era (20)

Developing Secure Web Apps
Developing Secure Web AppsDeveloping Secure Web Apps
Developing Secure Web Apps
 
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload ProtectionReducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
 
Wrong slides! Please check description for correct deck
Wrong slides! Please check description for correct deck Wrong slides! Please check description for correct deck
Wrong slides! Please check description for correct deck
 
Unit 4 -Cloud Computing and security
Unit 4 -Cloud Computing and securityUnit 4 -Cloud Computing and security
Unit 4 -Cloud Computing and security
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
 
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
 
Netskope Threat Labs: Cloud As an Attack Vector
Netskope Threat Labs: Cloud As an Attack VectorNetskope Threat Labs: Cloud As an Attack Vector
Netskope Threat Labs: Cloud As an Attack Vector
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
 
Case Study: Q2 2014 Global DDoS Attack Report | Akamai Document
Case Study: Q2 2014 Global DDoS Attack Report | Akamai DocumentCase Study: Q2 2014 Global DDoS Attack Report | Akamai Document
Case Study: Q2 2014 Global DDoS Attack Report | Akamai Document
 
Microsoft365 from a Hacker's Perspective
Microsoft365 from a Hacker's PerspectiveMicrosoft365 from a Hacker's Perspective
Microsoft365 from a Hacker's Perspective
 
Gg2511351142
Gg2511351142Gg2511351142
Gg2511351142
 
Gg2511351142
Gg2511351142Gg2511351142
Gg2511351142
 
GRC Dynamics in Securing Cloud
GRC Dynamics in Securing CloudGRC Dynamics in Securing Cloud
GRC Dynamics in Securing Cloud
 
Maturing Your Organization from DevOps to DevSecOps
Maturing Your Organization from DevOps to DevSecOpsMaturing Your Organization from DevOps to DevSecOps
Maturing Your Organization from DevOps to DevSecOps
 
Maturing your organization from DevOps to DevSecOps
Maturing your organization from DevOps to DevSecOpsMaturing your organization from DevOps to DevSecOps
Maturing your organization from DevOps to DevSecOps
 
Cloud Application Security --Symantec
Cloud Application Security --Symantec Cloud Application Security --Symantec
Cloud Application Security --Symantec
 
Lacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security Threats
 
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
 
React commonest security flaws and remedial measures!
React commonest security flaws and remedial measures!React commonest security flaws and remedial measures!
React commonest security flaws and remedial measures!
 
Office 365 in today's digital threats landscape: attacks & remedies from a ha...
Office 365 in today's digital threats landscape: attacks & remedies from a ha...Office 365 in today's digital threats landscape: attacks & remedies from a ha...
Office 365 in today's digital threats landscape: attacks & remedies from a ha...
 

Mehr von Netskope

The Definitive CASB Business Case Kit - Presentation
The Definitive CASB Business Case Kit - PresentationThe Definitive CASB Business Case Kit - Presentation
The Definitive CASB Business Case Kit - Presentation
Netskope
 
June 2016 EMEA Netskope Cloud Report
June 2016 EMEA Netskope Cloud Report June 2016 EMEA Netskope Cloud Report
June 2016 EMEA Netskope Cloud Report
Netskope
 
June 2016 Worldwide Netskope Cloud Report
June 2016 Worldwide Netskope Cloud Report June 2016 Worldwide Netskope Cloud Report
June 2016 Worldwide Netskope Cloud Report
Netskope
 
Cure for the Common Cloud: How Healthcare can Safely Enable the Cloud
Cure for the Common Cloud: How Healthcare can Safely Enable the CloudCure for the Common Cloud: How Healthcare can Safely Enable the Cloud
Cure for the Common Cloud: How Healthcare can Safely Enable the Cloud
Netskope
 
Lions, Tigers, and PHI, Oh My! The latest in data loss prevention in the cloud.
Lions, Tigers, and PHI, Oh My! The latest in data loss prevention in the cloud.Lions, Tigers, and PHI, Oh My! The latest in data loss prevention in the cloud.
Lions, Tigers, and PHI, Oh My! The latest in data loss prevention in the cloud.
Netskope
 
Cloud Security for Dummies Webinar — The Identity Edition
Cloud Security for Dummies Webinar — The Identity EditionCloud Security for Dummies Webinar — The Identity Edition
Cloud Security for Dummies Webinar — The Identity Edition
Netskope
 
Office 365 in Focus. Security and Governance Strategies from the Experts - We...
Office 365 in Focus. Security and Governance Strategies from the Experts - We...Office 365 in Focus. Security and Governance Strategies from the Experts - We...
Office 365 in Focus. Security and Governance Strategies from the Experts - We...
Netskope
 
Making Cloud Security Part of Your DNA Webinar Slides
Making Cloud Security Part of Your DNA Webinar SlidesMaking Cloud Security Part of Your DNA Webinar Slides
Making Cloud Security Part of Your DNA Webinar Slides
Netskope
 
Forrester Research: Securing the Cloud When Users are Left to Their Own Devices
Forrester Research: Securing the Cloud When Users are Left to Their Own DevicesForrester Research: Securing the Cloud When Users are Left to Their Own Devices
Forrester Research: Securing the Cloud When Users are Left to Their Own Devices
Netskope
 

Mehr von Netskope (20)

Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
 
MalCon Future of Security
MalCon Future of SecurityMalCon Future of Security
MalCon Future of Security
 
DEF CON 27 - Exploiting AWS Loopholes
DEF CON 27 - Exploiting AWS LoopholesDEF CON 27 - Exploiting AWS Loopholes
DEF CON 27 - Exploiting AWS Loopholes
 
The Definitive CASB Business Case Kit - Presentation
The Definitive CASB Business Case Kit - PresentationThe Definitive CASB Business Case Kit - Presentation
The Definitive CASB Business Case Kit - Presentation
 
June 2016 EMEA Netskope Cloud Report
June 2016 EMEA Netskope Cloud Report June 2016 EMEA Netskope Cloud Report
June 2016 EMEA Netskope Cloud Report
 
June 2016 Worldwide Netskope Cloud Report
June 2016 Worldwide Netskope Cloud Report June 2016 Worldwide Netskope Cloud Report
June 2016 Worldwide Netskope Cloud Report
 
Cure for the Common Cloud: How Healthcare can Safely Enable the Cloud
Cure for the Common Cloud: How Healthcare can Safely Enable the CloudCure for the Common Cloud: How Healthcare can Safely Enable the Cloud
Cure for the Common Cloud: How Healthcare can Safely Enable the Cloud
 
Quantifying Cloud Risk for Your Corporate Leadership
Quantifying Cloud Risk for Your Corporate LeadershipQuantifying Cloud Risk for Your Corporate Leadership
Quantifying Cloud Risk for Your Corporate Leadership
 
Lions, Tigers, and PHI, Oh My! The latest in data loss prevention in the cloud.
Lions, Tigers, and PHI, Oh My! The latest in data loss prevention in the cloud.Lions, Tigers, and PHI, Oh My! The latest in data loss prevention in the cloud.
Lions, Tigers, and PHI, Oh My! The latest in data loss prevention in the cloud.
 
Autumn 2015 EMEA Netskope Cloud Report
Autumn 2015 EMEA Netskope Cloud ReportAutumn 2015 EMEA Netskope Cloud Report
Autumn 2015 EMEA Netskope Cloud Report
 
Fall 2015 Worldwide Netskope Cloud Report
Fall 2015 Worldwide Netskope Cloud Report Fall 2015 Worldwide Netskope Cloud Report
Fall 2015 Worldwide Netskope Cloud Report
 
Cloud Security for Dummies Webinar — The Identity Edition
Cloud Security for Dummies Webinar — The Identity EditionCloud Security for Dummies Webinar — The Identity Edition
Cloud Security for Dummies Webinar — The Identity Edition
 
Reference Architecture for Data Loss Prevention in the Cloud
Reference Architecture for Data Loss Prevention in the CloudReference Architecture for Data Loss Prevention in the Cloud
Reference Architecture for Data Loss Prevention in the Cloud
 
Office 365 in Focus. Security and Governance Strategies from the Experts - We...
Office 365 in Focus. Security and Governance Strategies from the Experts - We...Office 365 in Focus. Security and Governance Strategies from the Experts - We...
Office 365 in Focus. Security and Governance Strategies from the Experts - We...
 
Summer 2015 EMEA Netskope Cloud Report
Summer 2015 EMEA Netskope Cloud ReportSummer 2015 EMEA Netskope Cloud Report
Summer 2015 EMEA Netskope Cloud Report
 
Summer 2015 Worldwide Netskope Cloud Report
Summer 2015 Worldwide Netskope Cloud ReportSummer 2015 Worldwide Netskope Cloud Report
Summer 2015 Worldwide Netskope Cloud Report
 
Making Cloud Security Part of Your DNA Webinar Slides
Making Cloud Security Part of Your DNA Webinar SlidesMaking Cloud Security Part of Your DNA Webinar Slides
Making Cloud Security Part of Your DNA Webinar Slides
 
Netskope Overview
Netskope OverviewNetskope Overview
Netskope Overview
 
Forrester Research: Securing the Cloud When Users are Left to Their Own Devices
Forrester Research: Securing the Cloud When Users are Left to Their Own DevicesForrester Research: Securing the Cloud When Users are Left to Their Own Devices
Forrester Research: Securing the Cloud When Users are Left to Their Own Devices
 
Data Privacy, Security, and Sovereignty in a Cloudy World
Data Privacy, Security, and Sovereignty in a Cloudy WorldData Privacy, Security, and Sovereignty in a Cloudy World
Data Privacy, Security, and Sovereignty in a Cloudy World
 

Kürzlich hochgeladen

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Kürzlich hochgeladen (20)

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

Defcon 27 - Phishing in the Cloud Era

  • 1. Phishing in the cloud era Ashwin Vamshi & Abhinav Singh
  • 2. ❖ Staff Security Research Engineer, Netskope ➢ Innate interest in targeted attacks and malwares using cloud services. ➢ Identifying malwares, campaigns and threat actors using ‘cloud as an attack vector’ Ashwin Vamshi 2
  • 3. Abhinav Singh ❖ Staff Security Research Engineer, Netskope ➢ Background in Malware research, reverse engineering, incident response and cloud security. ➢ Author and speaker. 3
  • 6. Attacks “at the scale of cloud” • Wide-scale adoption of cloud services by cybercriminals with a large upscale around phishing attacks. • The phished baits are designed to mimic login pages of popular cloud services • Phishing attacks hosted in the cloud are highly effective and hard to detect. • Example - Phishing website with a Microsoft domain and a Microsoft- issued SSL certificate, asking for Office 365 credentials. 6
  • 7. 7 BEC- It Still Exists!! Source: Fincen.gov
  • 8. BEC in the cloud era - Problem statement • Attacks with SSL certificates/Cloud services to appear legitimate. • Tricks corporate users that are savvy enough to check that the domain and SSL certificate of a website is from a trusted origin. • Slow take-downs, fast recovery. 8
  • 9. 1. PhaaS - Phishing as a Service Cloud Abuse techniques
  • 10. PhaaS - Attack Description • Cloud hosted Phishing-as-a-Service cyber-crime model. • Click, Build & Host. • Flexible plans with wide variety of payment options being accepted. • Additional features like user training, 24/7 customer support and remote monitoring. 10
  • 12. Hackshit – Infection Monitoring Page 12 • The phished baits were served with SSL certificates signed by LetsEncrypt or Comodo. • TLD’s: “moe”, “tn”, “cat”, “wtf”, and “space”. • Websites were built using a file uploading and sharing platform named Pomf. • Pomf clones not indexed by search engines.
  • 13. Hackshit – Source Code View 13
  • 14. Hackshit - Pointers • Recorded the victims credentials via websocket service hosted in the cloud. • Shift of service: Amazon > Evennode > Now. • Takedowns → resurface and reuse attack elements. • Classic example of reusing the same attack elements onto new cloud accounts. 14
  • 15. 15
  • 16. 2. Phishing Attacks Hosted via Public Cloud 16 Abusing popular cloud SaaS, IaaS applications like Google Drive, Dropbox, OneDrive, Azuresites, Googlesites etc. Infection vector Email attachment → Decoy documents Specifically targets corporate users using cloud applications.
  • 18. Phish → Microsoft-issued SSL certificate & Microsoft-owned domain 18
  • 19. Phishing webpage hosted in Azure blob storage 19
  • 20. 3. Cloud Fan-out Effect • Infection spreading through the default Sync-&- Share property of SaaS services. • Use of collaboration tools that automatically sync email attachments to SaaS apps. • Self inflicted propagation of malicious file across the peer network. • Even if unsuccessful- may leave the target vulnerable to future attacks. (Default Allow Policy) 20
  • 21. CloudPhishing Fan-out – Case Study A victim inadvertently shares the phishing document with colleagues, whether internal or external, via a cloud service. Secondary propagation vector. Shared users lose the context of the document’s external origin and may trust the internally shared document as if it were created internally.
  • 22. CloudPhishing Fan Out- Case Study 22
  • 23. Document Decoys - Default Allow Policy & Annotations
  • 24. Attack Description - Default Allow Policy 24 ABUSES THE “DEFAULT ALLOW” POLICY FOR POPULAR PDF READERS. WARNING FROM PDF VIEWING APPLICATION POINTING TO AN EXTERNAL LINK CONNECTING TO THE CLOUD APPLICATION. FOR LEGITIMATE REASONS. THE NORTH ALWAYS “REMEMBERS”
  • 25. Case Study - Zoom Zoom!! 25
  • 26. Case Study II – PDF Annotations 26
  • 27. Attack Description - PDF Annotations 27 Indicates that the attackers plan to reuse the decoy template by appending new links when the URL is taken down. Annotations mostly carried out using RAD PDF annotator by threat actors. Attack campaign artifacts are simply being reused by the malware author to rapidly adapt to malicious file takedowns.
  • 28. Targeted attacks abusing Google Cloud Platform Open Redirection
  • 29. Attack Description • Phishing email containing PDF decoy document which points to Google app engine. • Abuses Google Cloud app engine’s open redirection to deliver malware. • A design weakness that allows the attacker to construct a redirection chain. • The URL redirection case falls under the category of Unvalidated Redirects and Forwards as per OWASP. 29
  • 30. GCP Open redirection chain The user is logged out from appengine.google.com and a response status code ‘302’ is generated for URL redirection. – As this action gets executed, the user is in turn redirected to google.com/url using the query “?continue=”. – Using this redirection logic, the destination landing page is reached. • These Themed decoys primarily targeted governments, banking and financial firms worldwide via phishing emails sent by the attackers posing as legitimate customers of those institutions.
  • 31. Motivation behind abusing cloud services 31 Ease of use and abuse. Reduces the infrastructure overhead. Way more powerful than traditional hosting or computing services. Significantly cheaper than traditional attack methods (No DGA or BPH needed). Gives attackers protection by default (encrypted traffic, API driven communication etc).
  • 32. Conclusion 32 Cloud adoption helps organizations in improving their IT infrastructure and control cost. Its rapid adoption has also caught the attention of cyber criminals who are financially motivated. Cloud Solution Providers (CSP) have adopted the concept of shared responsibility model for securing the workloads. Organizations should carefully assess the risks and potential threats when moving towards the cloud.