Cloud

1/4/2018
04:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Google Apps Script Vulnerability Exposes SaaS to URL-based Threats

A new means of exploiting Google Apps Script lets attackers deliver malware using URLs.

Google Apps Script is vulnerable to exploits that could allow malware to be delivered via URLs. Attackers could automatically download arbitrary malware hosted in Google Drive to a machine -- and the victim would have no idea it was happening.

Researchers at Proofpoint discovered the vulnerability earlier this year while exploring the potential for abuse of Google services. Ryan Kalember, senior vice president of cybersecurity strategy at Proofpoint, points to Carbanak's use of Google for C&C as a public example of this.

Google Apps Script is a development platform based on JavaScript that lets developers build standalone web apps and extensions for various parts of the Google Apps ecosystem. Researchers learned this platform, as well as document sharing capabilities in Google Apps, support automatic malware downloads and advanced social engineering attacks designed to manipulate victims into executing malware once it's on their machine.

"What we're seeing is [changes in] the style of attack -- normally a phishing email followed by social engineering a user to click on something," Kalember says. "Attackers are infinitely varying that."

This type of attack is different from phishing and malware distribution via links to Google Drive URLs, which are fairly common. These normally involve sending a Microsoft Office doc, which is enabled to run macros when the user gives permission.

In this case, all the activity happens in Google: a victim opens a link to edit a Google Doc and is prompted to run a Google Apps Script, which is embedded in the document. Most people say yes and deliver the malware, which can be hosted somewhere else within Google Drive, Kalember explains. It's a variation of what we see with Office macros; the Doc itself is simply a way for someone to run code when it's opened.

"It would be very, very difficult to detect anything malicious," Kalember says. "Someone could do this in a direct way: craft the URL and send the script to the victim. The Google domain is basically a trust vehicle in that case."

To explore this vulnerability, researchers began by uploading malicious files to Google Drive. Attackers could create a public link to these executables, and share an arbitrary Google Doc to use as a lure and vehicle for a Google Apps Script designed to deliver the shared malware.

"What we're seeing on the Google Docs side is these little scripts can be in the Doc itself, or they can be downloaded and the user can be socially engineered into running them," says Kalember.

The ability for attackers to use extensible SaaS platforms for delivering malware is comparatively more powerful than the ability to use Microsoft Office macros for distribution, researchers report. Companies don't have many options for defensive tools to protect against this type of threat, increasing the likelihood attackers will exploit SaaS platforms.

"This is really, really powerful stuff that Google builds from a scripting perspective, so you can do almost anything with it," says Kalember of Google Apps Scripts. Further, most of this activity bypasses traditional security defense mechanisms.

Proofpoint disclosed this vulnerability to Google in the fall of 2017; since then, the company has added restrictions on Google Apps Script events that could be exploited. It blocked installable triggers, or customizable events causing events to automatically occur. It also blocked simple triggers from presenting custom interfaces in Docs editors in other users' sessions.

These restrictions block phishing and malware delivery attempts that are triggered by opening a document, meaning exploits can no longer be leveraged for mass infections. This could have been possible before Google introduced these changes, says Kalember.

This exploit demonstrates how software-as-a-service (SaaS) applications are increasingly threatened by attackers looking for new opportunities to distribute malware and steal data.

"SaaS platforms remain something of a 'Wild West' for threat actors and defenders alike," says Maor Bin, Proofpoint's security research lead for threat systems products, in a statement. Capabilities like Google Apps Script are creating opportunities for threat actors who can leverage vulnerabilities for good or bad, using legitimate features for nefarious purposes.

Because victims in these scenarios receive legitimate links to edit Google Docs, as many people do, the same rules of email security apply. Users should also use caution when clicking links to Google Docs, unless they know or can verify the sender. Businesses using G Suite have access to tools which tell them which scripts are out there, which can help awareness.

"In the future it might be useful for Google to try and ascertain whether a script is malicious or not before allowing a user to run it, or even host it on G Suite," says Kalember. "Now, it's challenging to tell whether a script is malicious or not."

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "I'm not sure I like this top down management approach!"
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17332
PUBLISHED: 2018-09-22
An issue was discovered in libsvg2 through 2012-10-19. The svgGetNextPathField function in svg_string.c returns its input pointer in certain circumstances, which might result in a memory leak caused by wasteful malloc calls.
CVE-2018-17333
PUBLISHED: 2018-09-22
An issue was discovered in libsvg2 through 2012-10-19. A stack-based buffer overflow in svgStringToLength in svg_types.c allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact because sscanf is misused.
CVE-2018-17334
PUBLISHED: 2018-09-22
An issue was discovered in libsvg2 through 2012-10-19. A stack-based buffer overflow in the svgGetNextPathField function in svg_string.c allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact because a strncpy copy limit is miscalculated.
CVE-2018-17336
PUBLISHED: 2018-09-22
UDisks 2.8.0 has a format string vulnerability in udisks_log in udiskslogging.c, allowing attackers to obtain sensitive information (stack contents), cause a denial of service (memory corruption), or possibly have unspecified other impact via a malformed filesystem label, as demonstrated by %d or %n...
CVE-2018-17321
PUBLISHED: 2018-09-22
An issue was discovered in SeaCMS 6.64. XSS exists in admin_datarelate.php via the time or maxHit parameter in a dorandomset action.