Security researchers reported a security flaw in Google Apps Script that can enable hackers and cybercriminals to deliver Google Drive-hosted malware when abused and exploited. Since the attack happens within a software-as-a-service (SaaS) environment, detecting the malicious activity can be difficult, and the attack may be carried out without user interaction or awareness.
According to the researchers, the flaw is related to the sharing capabilities and automatic download features of Google Apps. The attack chain is quite different from how Google Drive is typically abused to host and distribute malware.
In this scenario, the attack happens within Google’s services: Attackers send a socially engineered Google Doc to the would-be victim. The file, when opened, will prompt the user to run a Google Apps Script that would then retrieve the malware hosted on Google Drive. The infection chain bears a resemblance to macro malware normally embedded in malicious Office documents.
[From TrendLabs Security Intelligence Blog: qkG Filecoder — self-replicating, document-encrypting macro ransomware]
The findings highlight the security risks in the SaaS platform that’s increasingly adopted by enterprises. In fact, SaaS, along with infrastructure as a service (IaaS), drove the growth of public cloud services in 2017, reaching a $58.6-billion revenue. When implemented properly, SaaS provides enterprises flexible, purpose-built, and scalable solutions that can optimize business processes and operations.
And like with many nascent technologies and alternative platforms that enterprises use, SaaS is likely to draw more cybercriminal attention as it gains more traction. It further exemplifies the trend in today’s threat landscape: Abusing legitimate services to stay under the radar. This underscores the significance of installing multilayered safeguards — from gateways, endpoints, networks, and servers — to better mitigate an organization’s attack surface. Nurturing a cybersecurity-aware workforce is also important.
The researchers disclosed their findings to Google, who in turn set up countermeasures against Google Apps Script’s abuse. They include preventing installable and simple triggers that let customizable or fixed functions run automatically when an event occurs, such as opening a document.
Trend Micro Hybrid Cloud Security delivers a blend of cross-generational threat defense techniques that have been optimized to protect physical, virtual, and cloud workloads, including Google’s cloud platform. It features Trend Micro™ Deep Security™, which provides timely protection from malware, and ensures servers and applications are protected with anti-malware, behavioral monitoring, predictive machine learning, web reputation, and sandbox analysis. Trend Micro’s Cloud App Security (CAS) can help enhance the security of Office 365 apps and other cloud services such as Google Drive by using cutting-edge sandbox malware analysis for ransomware and other advanced threats.
Trend Micro Hybrid Cloud Security is powered by XGen™ security, which provides protection against a full range of threats for data centers, cloud environments, networks, and endpoints. XGen™ protects against today’s purpose-built threats that bypass traditional controls, exploit known, unknown, or undisclosed vulnerabilities, and either steal or encrypt personally identifiable data.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.