Ever on the lookout for a new avenue of attack, cybercriminals had figured out a method of using Google App Scripts to automatically download malware hosted in Google drive to any computer.
Google App Scripts, the Javascript development platform used to create stand-alone apps with extensions to the Google Apps SaaS system, has an automatic document sharing capability that could be perverted to download various types of malware and the social engineering systems needed to convince targets turn on the malware, a Proofpoint study found. The cybersecurity firm's researchers noted that while Google was told of and fixed the vulnerabilities there remains the threat that this type of attack could become more prevalent than those using malicious Microsoft Word macros.
“The limited number of defensive tools available to organizations and individuals against this type of threat make it likely that threat actors will attempt to abuse and exploit these platforms more often as we become more adept at protecting against macro-based threats,” Proofpoint said.
Proofpoint has outlined the proof of concept test it used to uncover the vulnerability.
The first step was to upload malware executables to Google Drive to which hackers could create a public link. Step two has the bad guys sharing a Google Doc linked to the malware with their intended victims with a note to convince the recipient to open the doc. This is essentially a document-based phishing attack.
“While we frequently observe Google Docs phishing and malware distribution via links to Google Drive URLs, extensible SaaS platforms allow greater degrees of sophistication, malware propagation, and automation that are also much more difficult to detect,” Proofpoint said.
Using a SaaS application like Google Drive creates an entirely new attack surface that business and consumers need to guard. Because this is relatively new most workers might not realize a Google doc holds any potential danger, but on the bright side the fact that the same defensive measures used to prevent email-based phishing will also work against this type of attack, Proofpoint said.
On the downside, the fact that SaaS application attacks are much easier for hackers to assemble, compared to those using macros, probably means this methodology will be used more often in the future and spread from Google Drive to others like Office 365, G-Suite and Box.
