I use Dropbox and so do over 300 million users around the world. In the past couple of years Dropbox has become a ubiquitous presence on all gadgets – be it your phone, your tablet, the office computer or your home laptop. Personal cloud solutions like Dropbox and others of its ilk like Box, SkyDrive or Google Drive provide a convenient way for users to lug their digital baggage and keep it in sync across all their devices. It is hard to imagine life today without Dropbox-like services, especially when it comes to managing access to critical files, backing up photos and a dozen other interesting use cases.
All good so far but … and here comes the twist in the story – services like Dropbox make it easy to drop a payload that can provide a backchannel for command and control (C2) activity. This backchannel seamlessly bypasses traditional endpoint and perimeter control systems. Several advanced techniques have been invented to defeat the defenses of such services – for a good discussion see here. Basically, once the user’s Dropbox account is compromised, either through a weak password or by reverse engineering Dropbox’s database security, it becomes possible for the attacker to upload a dropper or a trojan into the user’s Dropbox folder. Kind of like a dead letter drop (pun intended). Dropbox will faithfully and in near real-time replicate this file to other devices on the account, and very soon you have an APT infestation to deal with. The same channel can also be used to exfiltrate sensitive data out to the cloud. TrendMicro recently blogged about malware that uses Dropbox links to serve its payload. These droppers can range from the relatively benign UPATRE to some seriously bad payloads like the ZBOT Trojan or CryptoWall, which is a Cryptolocker variant.
So why does this work in the first place? Basically, enterprises are blind to traffic that goes between corporate endpoints and popular cloud services like Dropbox or iCloud. Perimeter firewalls are conditioned to ignore this traffic, and intermediate IDS/IPS solutions cannot see through the encrypted HTTPS sessions. Malware thus has an open bi-directional highway to the cloud. The good news is that malware can only abuse Dropbox for the initial infiltration into the enterprise. The malware file is typically small and of limited capability. It has to connect to an external URL – a C2 server – for additional payload and instructions. When this happens, Infoblox DNS Firewall will pick up the callback query and stop it dead in its tracks.
In situations where the enterprise security policy restricts access to non-standard domains, crackers are getting clever. They will often use a random domain name (often generated by a DGA) and CNAME it to dropbox.com. Thus the DNS entry would look like:
dl.dropbox.com CNAME malware.randomdomain.com
Now every time the malware on the infected client tries to access dropbox.com, it will actually be headed to malware.randomdomain.com, completely bypassing the security policy. The DNS Firewall can block this kind of activity as well, since we also monitor the query response and qualify the CNAME before passing the response back to the client.
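As an added example of the two checks described above (blocking the callback query itself, and qualifying every name in a CNAME chain before the answer reaches the client), here is a small response-policy evaluator. It is illustrative code written for this page, not Infoblox’s DNS Firewall logic or its threat feed; the blocked domain `c2.callback-example.test`, the permitted domain list and the sample responses are all constructed, and the IP addresses come from the RFC 5737 documentation ranges.

```python
"""Toy DNS response-policy check: block known callback domains and
qualify CNAME chains before an answer is handed back to the client.
Policy data and sample responses are constructed for illustration."""
from typing import List, Optional, Tuple

Record = Tuple[str, str, str]   # (owner name, record type, rdata)

# Constructed policy data (hypothetical names, not real indicators).
BLOCKED_DOMAINS = {"c2.callback-example.test"}   # hypothetical known-C2 domain
ALLOWED_CLOUD_DOMAINS = {"dropbox.com"}          # cloud services the policy permits
MAX_CNAME_HOPS = 8                               # guard against CNAME loops


def in_domain(name: str, domain: str) -> bool:
    """True if name equals domain or is a subdomain of it (case-insensitive)."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def matches_any(name: str, domains) -> bool:
    return any(in_domain(name, d) for d in domains)


def follow_cname_chain(qname: str, answers: List[Record]) -> Tuple[List[str], List[str], bool]:
    """Walk CNAME records starting at qname.
    Returns (names visited in order, final A/AAAA rdata, looped); looped is
    True when the chain revisits a name or exceeds MAX_CNAME_HOPS."""
    chain = [qname.lower().rstrip(".")]
    current = chain[0]
    for _ in range(MAX_CNAME_HOPS):
        targets = [rdata for owner, rtype, rdata in answers
                   if rtype == "CNAME" and owner.lower().rstrip(".") == current]
        if not targets:
            addresses = [rdata for owner, rtype, rdata in answers
                         if rtype in ("A", "AAAA") and owner.lower().rstrip(".") == current]
            return chain, addresses, False
        current = targets[0].lower().rstrip(".")
        if current in chain:
            return chain, [], True
        chain.append(current)
    return chain, [], True


def evaluate_response(qname: str, answers: List[Record]) -> Tuple[str, Optional[str]]:
    """Return ("BLOCK", reason) or ("ALLOW", None) for a resolver response."""
    if matches_any(qname, BLOCKED_DOMAINS):
        return "BLOCK", "query for known callback domain"
    chain, _addresses, looped = follow_cname_chain(qname, answers)
    if looped:
        return "BLOCK", "CNAME loop or chain too long"
    for name in chain[1:]:
        if matches_any(name, BLOCKED_DOMAINS):
            return "BLOCK", f"CNAME chain reaches blocked domain {name}"
    # A name inside a permitted cloud domain must not be aliased outside it.
    if matches_any(qname, ALLOWED_CLOUD_DOMAINS):
        escaped = [n for n in chain[1:] if not matches_any(n, ALLOWED_CLOUD_DOMAINS)]
        if escaped:
            return "BLOCK", f"CNAME leaves permitted domain: {escaped[0]}"
    return "ALLOW", None


# Constructed sample responses (addresses from RFC 5737 documentation ranges).
CLEAN_RESPONSE = [("dl.dropbox.com", "A", "203.0.113.10")]
ALIASED_RESPONSE = [("dl.dropbox.com", "CNAME", "malware.randomdomain.com"),
                    ("malware.randomdomain.com", "A", "198.51.100.7")]
CALLBACK_RESPONSE = [("c2.callback-example.test", "A", "198.51.100.9")]
LOOPED_RESPONSE = [("a.example.test", "CNAME", "b.example.test"),
                   ("b.example.test", "CNAME", "a.example.test")]

if __name__ == "__main__":
    for q, ans in [("dl.dropbox.com", CLEAN_RESPONSE),
                   ("dl.dropbox.com", ALIASED_RESPONSE),
                   ("c2.callback-example.test", CALLBACK_RESPONSE),
                   ("a.example.test", LOOPED_RESPONSE)]:
        print(q, evaluate_response(q, ans))
```

The point of qualifying the whole chain rather than only the queried name is visible in the aliased sample: the client asked for a name under a permitted domain, but the answer would have sent it to a name outside that domain, so the response is withheld. The hop limit and revisit check keep a malformed or malicious chain from tying up the resolver.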
As cloud adoption grows it is only going to become more and more difficult to allow the good and restrict the bad. Malicious actors are becoming increasingly sophisticated and mainstream, continuously evolving the state of the art to defeat and deceive defenses. While services like Dropbox are not fundamentally insecure, their popularity and ubiquity make them attractive targets for distributing malware payloads. The security frontier is moving inwards – an initial infection by an APT is all but inevitable – though we stand a chance of containing further damage and loss through data exfiltration by using technologies like DNS Firewall.