The most popular uses of cloud services include: storing image scans of passports and other personal documents; synchronization of password, contact list, and email/message databases; creating sites; storing versions of source codes, etc. When cloud-based data storage service Dropbox announced a patched vulnerability in its link generator, it once again sparked online discussions about how important it is to encrypt confidential data before uploading it to an online storage, even a private one. Well, File encryption (FLE) does indeed protect confidential information stored in the cloud, even if there are vulnerabilities in controlling access to user documents with certain cloud storage services.
It’s tempting to think that you can secure yourself against all possible risks by encrypting your data before you upload it to a cloud storage service, or by foregoing cloud services altogether. But is that really true? As it turns out, no, it isn’t.
The Internet is full of recommendations on how to “effectively use cloud-based storage services” including advice on how to remotely control a PC, monitor your computer while you are away, manage your torrent downloads, and many other things. In other words, users create all types of loopholes all by themselves. These loopholes can then be easily exploited by a Trojan, a worm, not to mention a cybercriminal, especially in targeted attacks.
So we asked ourselves: how likely is it that a corporate network can be infected via a cloud service?
At the Black Hat 2013 conference, Jacob Williams, Chief Scientist at CSRgroup Computer Security Consultants, gave a presentation on using Dropbox to penetrate a corporate network. While conducting a trial penetration test (pen test), Jacob used the Dropbox thin client installed on a laptop located outside of a corporate network to spread malware to devices within that network.
Jacob first used phishing to infect an employee’s computer, then embedded malicious scripts into documents stored in the laptop’s cloud-hosted folder. Dropbox automatically updated (synchronized) the infected documents on all the devices attached to the user’s account. Dropbox is not unique in this respect: all applications providing access to popular cloud file services have an automatic synchronization feature, including Onedrive (aka Skydrive), Google Disk, Yandex Disk, etc.
When the user opened the infected document on a workstation located within the corporate network, the malicious scripts embedded in the document installed the backdoor DropSmack on that workstation – it was specifically crafted by Jacob for this pen test. As its name suggests, DropSmack’s main feature is that it uses the Dropbox cloud file storage service as a channel to manage the backdoor and leak corporate documents through the corporate firewall.