Summary: Cloud Storage Services can be inherently malicious or become malicious as they host cloud based-malware or are used as vectors of infection. Cloud Storage Services enable malware to deploy exponentially and expose organizations to several risks such as data leaks and malicious insiders. Strict policy compliance and traffic analysis can help secure these shared environments.
Cloud Storage services enable users to store, edit and retrieve data. Cloud Storage services can be either public or private. Private ones are managed and owned by a company itself and resides on intranet or hosted data centres. Data stored in Public clouds are external data centre owned and managed by a provider. Different services can be provided on the cloud storage market: Software-as-a-service, Platform-as-a-service and Infrastructure-as-a-service.
Security’s challenges increase as the number of users does, since the Cloud simultaneously connect them and their work station.
Malicious activities and Cloud Storage Services
- Dedicated malicious environment
Dedicated malicious environment are specifically set up for criminal purposes.
Example: http://rgho[dot]st/ is a malicious environment providing mostly with malware and hacking tools. More info here.
In most cases though, criminals compromise legitimate environment to achieve their goals.
- The environment is used as a distribution platform.
Environments are shared by multiple users, whom number can proportionally grow the rate of infection. In a cloud environment, malicious files or codes can spread quickly because of file sharing processes and cloud synchronization services. Thus, a smaller number of apps containing malware can infect more users.
Connected apps are used as Malware Delivery Platforms, as criminals can easily disguise malicious activities in regular app-to-app traffic.
Example: one employee receives a phishing mail and clicks on the link. The file is saved in a folder synchronized with the cloud environment. Other users who also synchronized folders will automatically get infected.
This process of attack based on synchronization is called “Man-in-the-cloud”.
- The environment is used as Command and Control Operation
If the malware requires a remote Command and control software, it might be hosted directly in the Cloud.
Example: the case of PlugX:
It has been a few years already that Cloud Storage Services have been used in malicious activities. Dropbox has faced multiple abuses, as shown in the following example.
One malware, called PlugX and used against the Taiwanese government, could, once active on a computer, download a file and update configurations from Dropbox. The point of using Dropbox, as a side channel here, was to make it look like regular traffic, as Dropbox is a legitimate site. Furthermore, this file which contained the Control and Command had an activation date: one more trick to avoid suspicions of malicious activities.
Risks related to Cloud Storage Services
Several risks can occur from cloud security breaches including:
- The spread of malware among users
- Data loss
- Data breach, Intellectual Property loss and thefts
- Identity theft through account hijacking
- Loss of control over end user actions making insider threats possible
- Abuse and malicious use of cloud services
Eventually, exposure to these risks may eventually damage customer trust and conduct to direct or indirect financial losses.
How to prevent these risks ?
The first step to Cloud Storage services security is the implementation and respect of a solid data protection and user policy. The company should make sure the provider allows and respects the implemented policies.
The network traffic should be consciously analyzed as most of the attacks will use what seems-to-be regular traffic.
In case of data breach, it is urgent to minimize the attacks surface (prevent the number of affected devices from growing and then blast radius, by identifying the threat and its processes.
How can RedSocks Security help you manage your risk?
RedSocks’ solutions can provide its customers with a strong network analysis and can detect malicious activities by monitoring network traffic. By tracking behaviors, RedSocks Security detects malicious activities and unwanted connections.
Facing suspicious network traffic?
Contact our Malware Intelligence Team via firstname.lastname@example.org