#RSAC
SESSION ID: TTA – R03
Malware-as-a-Service – When Your Cloud Begins to Rain Malwares!
Abhinav Singh
Cloud Security Research, Netskope Inc.
About Netskope
‣ 350+ employees globally, including North America, Europe, and Asia-Pacific
‣ Early distinguished architects from large traditional security companies
‣ First comprehensive CASB patent. 45+ patent claims across four categories, with 100s of patents pending
‣ The world’s largest bank, automaker, pharmaceutical, payment processor, consulting firm, insurance, energy, oil and gas, retail and healthcare companies trust Netskope.
Agenda
Malware in the cloud – myth or reality?
Brief History of Malware campaigns utilizing cloud services
Generic Cloud threats like Malware “Fan-out” effect and “Man-in-the-cloud”.
Detailed analysis of cloud based malware campaigns
Adoption of service based models by cyber criminals
Recommended Actions
What is malware doing in the Cloud?
File Infrastructure
SaaS
IaaS
SaaS + IaaS
PaaS
Cloud Based Malware Timeline
• Cerber Ransomware (6/30/16)
• cute-Ransomware (7/12/16)
• CloudSquirrel (7/15/16)
• Zepto (Locky variant) (7/16/16)
• URSNIF Data Theft (8/2/16)
• Zepto Delivered via DLL (9/9/16)
• Virlock Ransomware (9/27/16)
• Nitol Botnet (10/14/16)
• CloudFanta (10/18/16)
• New Variants of Locky (12/15/16)
• Cloud Phishing (1/18/17)
• Virlock’s Resurgence (1/30/17)
• Ransomware + Click Fraud (1/30/17)
• Cloud CRM Attack Vector (2/09/2017)
• Targeted Attack Campaign with Multivariate malwares (3/08/2017)
• Godzilla Botnet Analysis (4/07/2017)
• Google Doc Cloud Phishing (5/04/2017)
Generic Cloud threat Concepts
Malware “fan-out” effect.
Man-in-the-cloud (MITC)
Malware “fan-out” Effect in an Enterprise Cloud
Man-in-the-cloud Affecting cloud Applications
Token A Token B
Malware Campaigns utilizing the Cloud
CloudSquirrel Malware Campaign
CloudFanta Malware Campaign
Brief Technical Analysis
CloudSquirrel CloudFanta
Phishing In the Cloud
File decoys hosted in the cloud
Documents used for phishing attacks against popular cloud applications.
CloudPhishing
Ransomware with Benefits!
Ransomware attacks with blended threats.
Cloud Sharing & Collaboration turn it into an elevated threat.
Encrypts files and also infects the same files
Polymorphic Code
Malware Code
Clean Code
Polymorphic Code
Ransomware Blended Threats
Wormed Ransomwares
• Rapidly the entire peer network is infected
• Many collaborative files are infected and encrypted many times.
• Many ransoms to be paid, perhaps a bulk discount can be negotiated?
Advanced Malware Families utilizing the Cloud
Carbanak Banking Trojan
Inception Framework
Carbanak Banking Trojan APT
Group of financially motivated cyber criminals, first seen in 2015.
Hides in plain sight.
Uses Google Apps Script, Google Sheets and Google Forms to build a command-and-control service.
Carbanak Banking Trojan APT
Request for UUID
Check for the existence of Google Sheet for the unique ID
Create
Found
Read the Google Sheet content for Commands to Execute
Read the Google Sheet content for Commands to Execute
Write
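As an added example (not from the slides), a defender-side check for the Google-services command-and-control pattern described above: it scans proxy log lines for non-browser processes polling Google Apps Script, Sheets or Forms endpoints at regular intervals. The log format, process names, thresholds and document IDs are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Google Apps Script, Sheets and Forms endpoints (the services named on the slide).
WATCHED = {"script.google.com": ("/macros/",),
           "docs.google.com": ("/spreadsheets/", "/forms/")}
# Assumption: processes expected to use these services interactively.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed proxy log lines: timestamp, host, process, URL (IDs are placeholders).
SAMPLE_LOG = """\
2017-05-04T09:00:00 ws-17 chrome.exe https://docs.google.com/spreadsheets/d/EXAMPLE_A/edit
2017-05-04T09:00:00 ws-22 helper.exe https://script.google.com/macros/s/EXAMPLE_B/exec
2017-05-04T09:05:00 ws-22 helper.exe https://script.google.com/macros/s/EXAMPLE_B/exec
2017-05-04T09:10:01 ws-22 helper.exe https://script.google.com/macros/s/EXAMPLE_B/exec
2017-05-04T09:15:00 ws-22 helper.exe https://script.google.com/macros/s/EXAMPLE_B/exec
2017-05-04T09:00:00 ws-30 report.exe https://docs.google.com/spreadsheets/d/EXAMPLE_C/export
2017-05-04T09:01:10 ws-30 report.exe https://docs.google.com/spreadsheets/d/EXAMPLE_C/export
2017-05-04T09:40:00 ws-30 report.exe https://docs.google.com/spreadsheets/d/EXAMPLE_C/export
2017-05-04T11:15:30 ws-30 report.exe https://docs.google.com/spreadsheets/d/EXAMPLE_C/export
"""

def is_watched(url):
    u = urlparse(url)
    return any(u.path.startswith(p) for p in WATCHED.get(u.hostname or "", ()))

def find_candidates(log_text, min_hits=4, max_cv=0.1):
    """Return sorted (host, process) pairs whose non-browser requests to the
    watched services are repeated and evenly spaced (polling-like)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, host, proc, url = parts
        if proc.lower() not in BROWSERS and is_watched(url):
            seen[(host, proc)].append(datetime.fromisoformat(ts))
    flagged = []
    for key, times in seen.items():
        if len(times) < max(min_hits, 2):
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Coefficient of variation of the gaps: low means regular polling.
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            flagged.append(key)
    return sorted(flagged)
```

Regular polling also matches legitimate sync and reporting tools, so treat hits as triage leads and baseline known automation first.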
Inception Framework (Cloud Hosted APT)
Initially targeted at Russia, but expanding globally
Clean and elegant code suggesting strong backing and top-tier talent.
Includes malware targeting mobile devices: Android, Blackberry and iOS.
Using a free cloud hosting service based in Sweden for command and control.
Service Based Models adopted by Cyber Criminals
• Has been around since early 2012.
• Major dealers include exploit kit sellers, botnet controllers and click fraud operators.
• Current portfolio includes:
  • Ransomware-as-a-Service (RaaS)
  • Phishing-as-a-Service (PhaaS)
  • Crimeware-as-a-Service
MaaS PaaS
How to detect Malwares propagating through Cloud
Recommended Actions (“Apply”)
Detect and remediate all threats at rest in sanctioned cloud services.
Detect and remediate all threats being downloaded from unsanctioned cloud services.
Enforce policy on usage of unsanctioned applications as well as unsanctioned instances of sanctioned cloud applications.
Enforce DLP policies to control files and data en route to or from your corporate environment.
Regularly back up and turn on versioning for critical content in cloud services.
Track both managed and unmanaged devices accessing the cloud services.
Thank You!
M.Tech Booth #D02