Security Experts:

Industry Reactions to New Pastebin Security Features: Feedback Friday

Pastebin recently announced two new security features, but some industry professionals have warned that they will likely be abused for malicious purposes.

The new features are Burn After Read, which allows users to create pastes that are deleted after they are read once, and Password Protected Pastes, which allow users to create pastes that can only be accessed by users who have the associated password.

Industry reactions to new Pastebin security features

Some users welcomed the new features and said they will be very useful, but others believe malicious actors will likely find them even more useful for their operations. Those who defend Pastebin’s decision to introduce these features say other services have been offering them for some time and hackers could have abused those.

SecurityWeek has reached out to several industry professionals to find out what they think about the new features and their potential for abuse.

And the feedback begins...

Ari Eitan, VP of Research, Intezer Labs:

“Attackers are using Pastebin in many cases, both for data exfiltration and also to read commands and receive modules from the operators. Examples of threat actors communicating with operators via Pastebin are WatchBog (Linux malware) and Iron Group (Windows malware).

 

The group behind WatchBog runs an initial deployment script to infect a target. The script sets up persistence via crontab and downloads further Monero miner modules from Pastebin.

Another example is Iron Group, where the payload URL is fetched from a hardcoded pastebin.

 

These new security features can undoubtedly help attackers. Currently, if you see a paste in a malware, you can go to the paste’s address and read it. But if it's protected by password, attackers can keep the password hidden and since they will be the only one to access it this will impede defender efforts considerably.

 

The second feature, Password Protected Paste, is very problematic. If you can only read a paste once, it will be nearly impossible for the defender to track the pastes (since they will get deleted).

 

It's perplexing to see that Pastebin calls these features "security features" since attackers will undoubtedly take advantage of them to inflict damage. I am personally confident that attackers will abuse these features.”

Brian Bartholomew, Principal Security Researcher for GReAT at Kaspersky North America:

“I am on board with what other researchers have said previously - this is bound to be used by malicious actors to better cover their tracks and hinder investigations. Currently, many researchers track new pastes on Pastebin to keep a record for investigative purposes. With these two new features, it will make it more difficult if not impossible to collect that information.


Pastebin is used by actors in many ways. Typically we see them either hosting code such as PowerShell or other similar scripts, or using it as a Dead Drop Resolver to issue commands to an infected host. If the burn after reading feature is used, once a victim checks in for the code or command, it would be removed and not available for archival. This would essentially leave blind spots in our data used to track what an actor is doing.”

Robert McArdle, director of forward-looking threat research at Trend Micro:

“I fully understand why Pastebin might do this for the privacy of other use cases from their customers, but for malware authors these are two super useful features.

 

Password protecting naturally makes a great way to hide online content – but it’s the lesser of an issue of the two in my mind. If you have a malware that interacts with the password protected page it has to hardcode that password in some way in its code, so you can pull it out.

 

But the burn after reading feature is probably even more powerful – one use URLs are really handy for any number of attack chains where they can be used once to target the user, and then poof – they are gone and useless to investigate on later or for forensics.

 

Obviously malware-friendly features are good for malware, however it’s easy for all the security community to yell “this is the end of the world,” but it really isn’t. Malware authors have hundreds of other ways to do the exact same thing without going anywhere near Pastebin, and any enterprise should have been blocking it and every other paste site for years already.”

Dirk Schrader, Global Vice President of Product Marketing, New Net Technologies (NNT):

“While the idea of leaving a note that disappears after being read has an appeal for sensitive information, it seems contradictory to the documented purpose of Pastebin, which is to “store any text online for easy sharing". Being able to protect a post with a password is reasonable, still the combination of both is enough reason for concern. Threat actors have a strong tendency to use free services to facilitate their ‘work’, and this feature combination is prone to be used in such bad ways. Whether it is to sell stolen credentials or credit card numbers by providing access to samples (burn after read) or to embed these features into phishing campaigns aimed at SW developers in large organizations; there are many ways to exploit them. If those features would be available to registered ‘Pro’ users only, the concerns of security experts would be eased a bit and Pastebin would be able to monitor the use of these features to see how they are adopted, how they are used.

 

From a different perspective, the one of a normal user with good intent, there seems to be no detailed description available about the encryption method in use or how the deletion works. From a security point of view, such information would be vital to gauge the features, their effectiveness. How can someone safely assume that the encryption can’t be tricked, that no backdoors or master keys are in the game, without such description. This element of auditing the features should be addressed by Pastebin.”

Alec Alvarado, Threat Intelligence Team Lead, Digital Shadows:

“Pastebin, while having some legitimate uses, has been leveraged for a myriad of nefarious activity. Pastes commonly expose personal information (doxing), re-posted credentials obtained in breaches, and in more technical cases, act as a host of malicious commands that threat actors reach back to retrieve and initiate malware on infected hosts.


Pastebin's new features are not technically "new" to the paste site community, as other paste sites have implemented these functions. However, the greatest cause for concern is that Pastebin is the most widely used and popular paste site for malicious activity. Threat actors are hesitant to deviate from what works, specifically related to an "if it's not broken, don't fix it" mentality.


Concerns are heightened from a security researcher's perspective as many security companies have created scrapers and tools that identify malicious activity posted to Pastebin. The introduction of these two functions will likely significantly inhibit scraping tools and give threat actors additional methods to obfuscate their attacks. This impacts the ability to identify indicators of compromise (IoCs) and, subsequently, the cyber threat intelligence landscape's understanding and investigation of threat actor's tactics, techniques, and procedures (TTPs).


Regardless of the side you stand on, this conflict is a recurring theme in the cyber security community; legitimate tools that may be developed with a good heart can and will always be added to the threat actors' tool belt if they find a use for it.”

Tim Wade, Technical Director, CTO Team, Vectra:

“This sounds like a win for individual privacy which contributes to overall safety and security online. I applaud moves like this and give credit to Pastebin for prioritizing protections for individuals despite a climate hostile to those protections.”

Jack Mannino, CEO, nVisium:

“While these are good security enhancements given Pastebin’s use case, these behaviors often breed errors and poor practices. Often, developers and administrators leak plain text credentials and API keys through data sharing and collaboration tools as well as source code repositories. Organizations should still be cautious and vigilant of their secrets being leaked into the public domain.”

Brian Gorenc, senior director of vulnerability research and director of Trend Micro’s ZDI:

“It’s a near certainty these features will be abused by attackers, and because of these features, it will be harder for security responders to track them. Researchers scrape Pastebin looking for indicators frequently, so anything the hinders that will result in a delayed response. Still, Pastebin is certainly not the only paste site around with equivalent features. While they are introducing a change unwanted by some, they are not pushing brand new functionality into the world.”

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.