Security researchers at SafeBreach have created proof-of-concept (PoC) malware that can exfiltrate data from endpoints that don’t have a direct Internet connection by exploiting cloud-enhanced anti-virus (AV) agents.
Although highly secure enterprises might employ strict egress filtering, meaning that endpoints either have no direct Internet connection or have a connection restricted to hosts required by their legitimately installed software, data can be exfiltrated if cloud AV products are in use, the security researchers argue.
Presented at BlackHat USA 2017 by Itzik Kotler and Amit Klein from SafeBreach Labs, the PoC tool relies on packing data inside an executable that the main malware process creates on the compromised endpoint. If the AV product employs an Internet-connected sandbox as part of its cloud service, the data leaves the network as soon as the AV agent uploads the newly created executable to the cloud for further inspection, and the file is then executed in an Internet-connected sandbox.
In a whitepaper (PDF), the researchers not only provide data and insights on AV in-the-cloud sandboxes, but also cover the use of on-premise sandboxes, cloud-based/online scanning and malware categorization services, and sample sharing. Furthermore, they provide information on how the attack can be further enhanced and how cloud-based AV vendors can mitigate it.
Dubbed Spacebin, the proof-of-concept tool was made available on GitHub. The project includes directories with both server-side and client-side code. Instructions on how to use the tool are available on the project’s page.
What Kotler and Klein focused on was the analysis of two network architectures found in highly secure organizations: one where endpoints don’t have access to the Internet, but an AV management server does; and another where the machines have access to a closed set of hosts, meaning there’s very limited access to the Internet. In both scenarios, cloud-based AV agents are deployed across all endpoints.
“We are going to abuse the cloud AV sandboxing feature that many AV vendors use. The rationale for this feature is that it enables the AV vendor to offer lightweight agent software, and carry out the heavy-lifting security analysis work in the cloud. Specifically, in such an architecture, the AV agent needs to conduct only basic security checks against other processes and files, allowing for a grey area where a binary “malicious/non-malicious” decision cannot be determined locally. A process/file falling into this grey area is sent to the cloud for further analysis, and a security decision is obtained from the cloud (sometimes in near real time),” the researchers explain.
The sample is typically executed in an AV cloud sandbox and its behavior observed there, where a malicious program can run with no harm to real users or resources, the researchers note. They also argue that the AV cloud sandbox would normally be connected to the Internet, as this would provide better detection capabilities (for example, the malware might attempt to connect to a command and control server and the sandbox would detect that).
“The attacker process (called Rocket) contains a secondary executable (called Satellite) as part of its data. The Satellite can be encrypted/compressed to hide the fact that it is another executable, thus the Satellite can be no more than a piece of data in the Rocket memory space (and file) that does not jeopardize the Rocket. The Satellite contains a placeholder for arbitrary data (“payload”) to be exfiltrated. The location of the placeholder should be known to the Rocket,” the researchers explain.
As part of the attack, the Rocket collects the data (payload) it needs to exfiltrate, decrypts/decompresses the Satellite and embeds the payload in its image (the payload itself can be further compressed or encrypted), writes the Satellite image to disk as a file, and spawns the Satellite (from its file) as a child process.
The Satellite then performs an intentionally suspicious action to trigger endpoint AV detection and have the Satellite image file (which contains the payload) sent to the AV cloud. Next, the cloud AV executes the Satellite file in an Internet-connected sandbox and the Satellite process can attempt to exfiltrate the embedded payload using any known Internet-based exfiltration methods.
“Note that this attack is ‘noisy’ in the sense that the AV product will flag the Satellite file as suspicious and as such this may have visible impact on the user, as well as visibility in logs and records. However, for a one time exfiltration attack this will already be too late, as the payload will already be traveling to the cloud by the time this incident is investigated by flesh-and-blood analysts,” the security researchers explain.
One mitigation would be to block the AV sandboxes (both on-premise and cloud sandboxes) from accessing the Internet. This, however, may be too strict in many cases, as the sandboxes could no longer observe a sample's Internet traffic. A narrower option is to block Internet access only when detonating samples that did not arrive from the Internet: a sample that came in from outside the organization does not carry enterprise endpoint-specific payloads and cannot exfiltrate anything useful from the endpoint.
“We can generalize our findings and state that sharing an executable (suspicious/malicious sample) from the organization, with the outside world in some manner (e.g. submitting the sample to a cloud analysis service or allowing such file submission) can result in data exfiltration, unless there is confidence that the sample has arrived from outside the organization and the file has not changed since its arrival,” the researchers conclude.
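The provenance-based mitigation described above (Internet access only for samples known to have arrived from outside and unchanged since) can be expressed as a gate in front of the sandbox. The following is an added example, not code from SafeBreach or the Spacebin project; the ledger, file names and sample bytes are constructed stand-ins for the hashes a perimeter gateway would record when a file first enters the organization.

```python
import hashlib
from typing import Dict, Tuple

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample: the bytes of a file as it crossed the perimeter.
EXTERNAL_SAMPLE = b"MZ\x90\x00 constructed bytes of a file downloaded from outside"

# Constructed ledger: file name -> SHA-256 recorded by the gateway on arrival.
# In practice this would be fed by proxy / mail-gateway logs (assumption).
INBOUND_LEDGER: Dict[str, str] = {
    "invoice.exe": sha256_hex(EXTERNAL_SAMPLE),
}

def sandbox_network_policy(sample: bytes, claimed_name: str,
                           ledger: Dict[str, str]) -> Tuple[str, str]:
    """Decide whether a sample may be detonated with Internet access.

    Returns ("internet", reason) only when the sample provably arrived from
    outside the organization and is byte-identical to what arrived. Any
    other case (no inbound record, or a hash that no longer matches, as
    with a locally created "Satellite" carrying an embedded payload) is
    detonated in an isolated sandbox so it cannot carry endpoint data out.
    """
    recorded = ledger.get(claimed_name)
    if recorded is None:
        return ("isolated",
                "no inbound record: file may have been created on the endpoint")
    if sha256_hex(sample) != recorded:
        return ("isolated",
                "hash differs from arrival: file modified since it entered")
    return ("internet", "matches the file recorded at the perimeter")

if __name__ == "__main__":
    cases = [
        ("invoice.exe", EXTERNAL_SAMPLE),                   # unchanged external file
        ("invoice.exe", EXTERNAL_SAMPLE + b"<payload>"),    # external file with data appended
        ("satellite.exe", b"constructed locally built executable"),  # no arrival record
    ]
    for name, data in cases:
        policy, reason = sandbox_network_policy(data, name, INBOUND_LEDGER)
        print(f"{name}: {policy} ({reason})")
```

The gate fails closed: anything the perimeter never saw, or saw in a different form, is detonated without Internet access.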