It was revealed recently by security researchers that the Carbanak gang, one of the most infamous groups targeting financial institutions, uses Google cloud services for some of its command-and-control capabilities.
When attempting to compromise an organization with security as mature as that of most banks, it becomes difficult to communicate with any malware that has been installed. This is because the organization will likely block outbound traffic to unknown IP addresses, permitting only whitelisted destinations, and it may inspect any outbound traffic for indicators of malicious activity.
Increasingly, criminal gangs are attempting to defeat this by using very common and popular services that are already allowed through the web filtering and firewalls. This was seen recently with the CloudFanta malware, which used SugarSync as part of its attack chain. Using Google is a further evolution, as most companies allow access to Google cloud services. Blocking Google apps would be difficult, as they may be integral to the business, or customers may share data with the organization via Google Docs. By using Google services, the Carbanak group is able to manage and modify its malware infections and exfiltrate data from the victim network, with the traffic blending into a destination the organization already trusts.
How to mitigate the threat
One method to block this new breed of cloud-controlled malware would be to block Google cloud services using whitelisting or blacklisting techniques. However, in many instances this is not possible, since it directly interferes with business operations, and unless you are willing to extend the block to all cloud services, it will not be an effective defense: the attacker simply moves to the next permitted service. Similarly, separating the malicious traffic flowing to Google from the legitimate traffic is difficult and time-consuming; inspecting SSL/TLS traffic, for example, requires significant processing power and can affect network performance.
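Content inspection is not the only option, though. As an added example (not from the article, and not a description of how the Carbanak channel actually looked), the script below shows one metadata-only heuristic a security operations team could run over existing web-proxy logs without decrypting anything: group requests by client and destination host and flag pairs whose requests arrive on a near-constant timer. Interactive use of a cloud service is bursty; malware polling a command-and-control channel tends to check in on a schedule. The log format, hostname, addresses and timestamps are all constructed for the example.

```python
"""Beacon-timing heuristic over web-proxy logs (added example, not the article's).

Interactive use of a cloud service is bursty; malware polling a C2 channel
tends to check in on a timer. Requests to an allowed host are grouped per
client and flagged when their inter-arrival times are nearly constant.
Works on proxy/SNI metadata alone, so no TLS interception is needed.
Everything below (format, host, addresses, timestamps) is constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log: "<ISO timestamp> <client ip> <destination host> <bytes out>"
# 10.0.0.5 is a person editing a document; 10.0.0.9 polls every ~5 minutes.
SAMPLE_LOG = """\
2017-01-17T09:00:00 10.0.0.5 docs.cloud.example 1200
2017-01-17T09:00:04 10.0.0.5 docs.cloud.example 300
2017-01-17T09:00:05 10.0.0.5 docs.cloud.example 35000
2017-01-17T09:07:12 10.0.0.5 docs.cloud.example 800
2017-01-17T09:31:41 10.0.0.5 docs.cloud.example 500
2017-01-17T09:00:00 10.0.0.9 docs.cloud.example 640
2017-01-17T09:05:01 10.0.0.9 docs.cloud.example 640
2017-01-17T09:10:00 10.0.0.9 docs.cloud.example 640
2017-01-17T09:15:02 10.0.0.9 docs.cloud.example 640
2017-01-17T09:19:59 10.0.0.9 docs.cloud.example 640
2017-01-17T09:25:00 10.0.0.9 docs.cloud.example 641
"""


def parse_log(text):
    """Group (timestamp, bytes_out) records by (client, host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, out_bytes = line.split()
        events[(src, host)].append((datetime.fromisoformat(ts), int(out_bytes)))
    return events


def interval_stats(timestamps):
    """Mean gap in seconds and coefficient of variation (stdev / mean) of the gaps."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m > 0 else float("inf"))


def find_beacons(events, min_events=5, max_cv=0.1):
    """Flag (client, host) pairs with >= min_events requests on a near-constant timer."""
    hits = []
    for (src, host), recs in events.items():
        if len(recs) < min_events:
            continue
        mean_gap, cv = interval_stats([t for t, _ in recs])
        if cv <= max_cv:
            hits.append({
                "src": src,
                "host": host,
                "events": len(recs),
                "mean_gap_s": round(mean_gap),
                "cv": round(cv, 3),
                "bytes_out": sum(b for _, b in recs),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

The thresholds (`min_events`, `max_cv`) are starting points to tune against your own baseline; scheduled sync clients and monitoring agents also produce regular traffic, so treat a hit as a triage lead rather than a verdict, and expect malware that adds random jitter to its sleep timer to score worse on this test. Pairing the timing signal with the outbound byte volume per client helps separate a check-in channel from an exfiltration channel.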
The key method to stop this kind of attack is to prevent the initial infection. The Carbanak group infects staff with malware delivered via email attachments, as is the case in the vast majority of criminal cyberattacks. The emails use social-engineering techniques to convince the user to open the attachment, which, in the case of Carbanak, is a Word document with the malware embedded.
The most important line of defense is staff awareness. Education should be continual in every organization to ensure the staff is aware of the risks of opening email attachments. Alongside this, regular email phishing tests should be run to assess staff awareness and to provide metrics on the response rate. The scenarios can be taken from real-world attacks in order to test awareness against real threats.
At a technical level, the malware used by the more advanced criminal groups will often evade signature-based antivirus and endpoint security, at least initially. However, disabling macros in Microsoft Office (or, at a minimum, blocking macros in documents received from the internet) removes this delivery route, so the embedded malware never runs and never reaches the Google cloud services. Secure email gateways should also be used to minimize the volume of phishing emails, and of macro-bearing attachments, that make it to employees' inboxes.
The information regarding the Carbanak group's methods has been passed to Google, so it is likely the exact methods in use now will be shut down. However, as with most security controls, the criminals can change their methods, which is why the most effective form of defense is always to stop the initial infection.
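The gateway-side half of that advice can be made concrete. The following is an added example, not code from the article or from any gateway product: it inspects an Office attachment's container rather than trusting its file name, flags OOXML packages (.docx/.docm/.xlsm, which are ZIP files) that carry a VBA project, and routes the older binary .doc/.xls formats, which need a dedicated OLE parser, to a sandbox instead of delivering them. The content-type strings are the standard OOXML ones; the sample documents are constructed minimal containers, not real Word files and not anything attributed to the Carbanak lure.

```python
"""Attachment triage for macro-bearing Office documents (added example, not the article's).

Looks inside the file rather than trusting its extension: an OOXML package
carrying a VBA project contains a vbaProject.bin part and declares a
macro-enabled content type in [Content_Types].xml. Legacy binary .doc/.xls
files are OLE containers that need a dedicated parser, so they are routed to
a sandbox. The sample documents are constructed minimal containers.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm/.xlsm ...)
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-office.vbaProject",
)


def classify_attachment(data):
    """Return 'macro', 'clean', 'legacy-binary' or 'not-office'."""
    if data.startswith(OLE_MAGIC):
        return "legacy-binary"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # Either signal alone is enough: the VBA part or the declared content type.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "macro"
            if "[Content_Types].xml" in names:
                types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if any(ct in types_xml for ct in MACRO_CONTENT_TYPES):
                    return "macro"
    except zipfile.BadZipFile:
        return "not-office"
    return "clean"


def gateway_decision(filename, data):
    """Map the classification to a delivery action; the file name is logged, not trusted."""
    verdict = classify_attachment(data)
    action = {"macro": "quarantine", "legacy-binary": "sandbox"}.get(verdict, "deliver")
    return {"file": filename, "verdict": verdict, "action": action}


def build_ooxml(with_macro):
    """Constructed minimal OOXML package with just the parts the check inspects."""
    main_ct = (MACRO_CONTENT_TYPES[0] if with_macro else
               "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    types_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", types_xml)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    # A macro document renamed to .docx is still caught: the container, not the name, is inspected.
    for name, blob in [("invoice.docx", build_ooxml(True)),
                       ("report.docx", build_ooxml(False)),
                       ("old.doc", OLE_MAGIC + b"\x00" * 16),
                       ("note.txt", b"plain text")]:
        print(gateway_decision(name, blob))
```

This is a containment check, not a malware detector: it quarantines every VBA-bearing document, which is exactly the policy most organizations can afford once legitimate macro use is routed through a signed-macro or internal-only exception. For the legacy binary formats sent to the sandbox, an OLE-aware tool (olevba from the oletools suite, for instance) can extract and inspect the VBA streams. On the endpoint side, the same outcome is reinforced by the Office policy that blocks macros in files carrying the mark of the web.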