Yiannis Kapsalis, Security Lead, May 14, 2021

Sharing Threat Intelligence (TI) between security and product vendors is uncharted territory with few real-world examples to show for it. Here we tell the story of how we embarked on a journey that resulted in a fruitful collaboration between WeTransfer and Microsoft, with the altruistic goal of protecting our users. The collaboration introduces a new strategy for threat neutralization: by combining our knowledge and efforts, we move the detection and mitigation of threats further up the attack Kill Chain.

Modern attacks aiming to steal user credentials or spread malware have evolved to use multiple platforms and applications within a single campaign. A real-world example we have come across recently: attackers create a phishing PDF or a macro-enabled document with malicious code and, instead of sending it to their victims directly as an email attachment, they deliver it through a transfer created via WeTransfer. They expect the recipient to open the document via a Microsoft 365 account, and they aim either to steal the recipient's Microsoft 365 credentials by tricking them into clicking misleading messages, or to execute their malicious code, which could result in a complete host compromise. To deploy such an attack successfully, many preconditions need to be met and user interaction is required.

Attackers often use techniques that let them go undetected by some threat monitoring solutions. They deliberately disguise their content as a transfer instead of dropping it as an attachment, which would immediately trigger the defensive and monitoring mechanisms of the hosting providers. In this specific scenario, the attackers misuse the cloud infrastructure of WeTransfer and Microsoft to serve their malicious content to the end user. They also choose to delay the weaponization of their content in exchange for a higher chance of their payload being executed.

Based on the above attack scenarios, which have become popular in recent months, we started researching new ways of tackling these cross-platform attacks. A series of events that we describe later in this post, along with the luck of connecting with bright minds who aim to make our digital world a bit safer, led us to establish a Threat Intelligence exchange service.

A bit of history

Back in January 2020, while analysing our application logs, we noticed something pretty strange. We identified a set of IPs that were successfully accessing transfers belonging to a wide range of accounts with no correlation to each other. In more detail, the first findings pointed to 5 IP addresses that had completed 3357 downloads from a seemingly random set of Pro accounts and Free users during the previous 30 days.
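The anomaly described under "A bit of history" (a handful of source IPs downloading transfers owned by many accounts that have nothing to do with each other) can be turned into a simple log check. The following is an added example, not WeTransfer's own detection code: it groups download events by source IP over a 30-day window and flags IPs that touched at least N distinct owning accounts. The log line format, the field names, the `NOW` timestamp, the threshold of 5 accounts and the sample lines (RFC 5737 documentation addresses) are all constructed for illustration.

```python
"""Spot source IPs that download transfers owned by many unrelated accounts.

Added example, not WeTransfer's code. The log format, field names, analysis
time and threshold are assumptions for illustration; the sample lines are
constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample access log, one download per line:
#   <UTC timestamp> <source IP> <transfer id> <owning account> <account plan>
# 203.0.113.7 pulls transfers from six different accounts (the anomaly),
# 198.51.100.22 is an ordinary recipient re-downloading from one sender,
# 192.0.2.9 touches two accounts. The first line is older than the window.
SAMPLE_LOG = """\
2019-11-20T10:00:00Z 203.0.113.7 t-0900 acct-999 pro
2020-01-03T08:12:44Z 203.0.113.7 t-1001 acct-551 pro
2020-01-03T08:13:01Z 203.0.113.7 t-1002 acct-902 free
2020-01-04T11:40:19Z 203.0.113.7 t-1003 acct-113 free
2020-01-05T09:02:37Z 203.0.113.7 t-1004 acct-774 pro
2020-01-05T09:02:58Z 203.0.113.7 t-1005 acct-338 free
2020-01-06T16:21:05Z 203.0.113.7 t-1006 acct-640 pro
2020-01-06T16:25:11Z 203.0.113.7 t-1006 acct-640 pro
2020-01-07T12:00:00Z 198.51.100.22 t-2001 acct-100 pro
2020-01-07T12:05:00Z 198.51.100.22 t-2001 acct-100 pro
2020-01-08T12:00:00Z 198.51.100.22 t-2002 acct-100 pro
2020-01-09T13:30:00Z 192.0.2.9 t-3001 acct-210 free
2020-01-10T13:30:00Z 192.0.2.9 t-3002 acct-445 pro
"""

NOW = datetime(2020, 1, 15, tzinfo=timezone.utc)  # assumed analysis time


@dataclass(frozen=True)
class Download:
    ts: datetime
    src_ip: str
    transfer_id: str
    owner: str  # account that created the transfer
    plan: str   # "pro" or "free"


@dataclass(frozen=True)
class IpSummary:
    downloads: int        # downloads from this IP inside the window
    distinct_owners: int  # how many different accounts' transfers it touched
    pro_owners: int
    free_owners: int


def parse_line(line: str) -> Download:
    ts, ip, tid, owner, plan = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Download(when, ip, tid, owner, plan)


def parse_log(text: str) -> list[Download]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def summarize(downloads: list[Download]) -> IpSummary:
    owners = {}
    for d in downloads:
        owners[d.owner] = d.plan  # an account has exactly one plan
    return IpSummary(
        downloads=len(downloads),
        distinct_owners=len(owners),
        pro_owners=sum(1 for p in owners.values() if p == "pro"),
        free_owners=sum(1 for p in owners.values() if p == "free"),
    )


def find_fan_out_ips(downloads, now=NOW, window_days=30, min_owners=5):
    """Group downloads from the last `window_days` by source IP and return
    {ip: IpSummary} for IPs that touched at least `min_owners` distinct
    owning accounts. A normal recipient re-downloads a few transfers from the
    people who sent them; one IP pulling transfers from many unrelated
    accounts is the anomaly the post describes. The threshold is assumed."""
    cutoff = now - timedelta(days=window_days)
    per_ip = defaultdict(list)
    for d in downloads:
        if cutoff <= d.ts <= now:
            per_ip[d.src_ip].append(d)
    flagged = {}
    for ip, ds in per_ip.items():
        s = summarize(ds)
        if s.distinct_owners >= min_owners:
            flagged[ip] = s
    return flagged


if __name__ == "__main__":
    for ip, s in find_fan_out_ips(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {s.downloads} downloads from {s.distinct_owners} accounts "
              f"({s.pro_owners} pro, {s.free_owners} free)")
```

On the sample data only 203.0.113.7 is flagged (7 downloads in the window spanning 6 accounts, 3 Pro and 3 Free). One caveat a practitioner should keep in mind: a shared egress address such as a corporate NAT gateway or VPN exit legitimately downloads transfers sent to many different employees by many different senders, so fan-out alone is a lead to investigate, not a verdict. Whether the downloading IP was ever an intended recipient of those transfers, and how the downloads are spaced in time, are the next things to check.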