
Online Sandbox Services Used to Exfiltrate Data: Researcher

Attackers can use online sandbox services to exfiltrate data from an isolated network, a SafeBreach security researcher has discovered.

The new research is based on the discovery that cloud anti-virus programs can be exploited for data pilfering. Last year, SafeBreach Labs’ Itzik Kotler and Amit Klein demonstrated proof-of-concept (PoC) malware abusing this exfiltration method, and said it would work even on endpoints that have no direct Internet connection.

The technique, the researchers revealed, relied on packing data inside an executable created by the main malware process on the compromised endpoint. Thus, if the anti-virus program on the endpoint uploads the executable to the cloud for further inspection, data is exfiltrated even if the file is only executed in an Internet-connected sandbox.

Now, SafeBreach security researcher Dor Azouri says that online sandbox services can be used for the same purposes and in similar circumstances. However, the researcher notes in a report (PDF) that an attacker using this method would need technical knowledge about their target network.

Unlike the previous technique, the new one doesn’t rely on code that can actively communicate out of the sandbox, but uses the sandbox service database itself as an intermediary for transferring data. The attack method does require incorporating the desired data into an executable and retrieving it by querying the sandbox service’s databases.

The attack starts with malware infecting the endpoint, gathering sensitive information from the machine, and packing it inside a file that is written to disk and executed to trigger the anti-virus agent. Next, a sandbox site is used to inspect the file by executing it, and the analysis results are saved in the site’s database. Finally, the attackers use the site’s API to grab the file.

Unlike last year’s method, the new one does not require the created executable to emit outbound network traffic for data exfiltration. Moreover, it makes the attacker less visible and more difficult to track, given that they gather the data passively from the sandbox service database.

However, the new technique can only be used in networks where suspicious samples are sent to an online sandbox engine, and it also requires the attacker to know which sandbox service the organization is using. Furthermore, although hidden, the exfiltrated data remains public in the service’s online databases.
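As an added defender-side example (not code from the report or from this article), the check below parses a PE file's section table, isolates any data appended after the last section, and holds the sample back from automatic upload to a public sandbox when that appended data is large and high-entropy, which is what packed or encrypted payload data looks like. The article does not say how the researcher embedded the data, so the appended-data layout, the thresholds, and the constructed test binary are assumptions for illustration.

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 means uniformly random, as compressed or encrypted data is."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_overlay(blob: bytes) -> bytes:
    """Return the bytes stored after the end of the last PE section (the 'overlay')."""
    if blob[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                       # COFF file header follows the signature
    nsections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    sect = coff + 20 + opt_size               # section table follows the optional header
    end = 0
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", blob, sect + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return blob[end:]

def submission_decision(blob: bytes, min_overlay: int = 4096, entropy_min: float = 7.0) -> str:
    """'hold' keeps the sample for local review instead of auto-uploading it (assumed policy)."""
    overlay = pe_overlay(blob)
    if len(overlay) >= min_overlay and shannon_entropy(overlay) >= entropy_min:
        return "hold"
    return "submit"

def build_test_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE for testing: DOS header, COFF header, no optional header, one section."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)   # i386, 1 section, opt header size 0
    sect_off = e_lfanew + 4 + 20 + 40                         # raw data starts right after the table
    section = b".text\0\0\0" + struct.pack("<IIII", 16, 0x1000, 16, sect_off) + b"\0" * 16
    body = b"\xC3" * 16                                       # 16 bytes of RET instructions
    return dos + b"PE\0\0" + coff + section + body + overlay

if __name__ == "__main__":
    print(submission_decision(build_test_pe(bytes(range(256)) * 16)))   # hold
    print(submission_decision(build_test_pe(b"\0" * 4096)))             # submit
```

In a real pipeline the same gate would sit in front of whatever forwards samples to VirusTotal or a similar service, so that files carrying an unexplained payload are inspected locally first.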


The attack can be used for data exfiltration when the target organization sends suspicious files to VirusTotal for analysis, the security researcher says. The service requires a subscription to access information about the analysed files, but an attacker could find the exact executable they are looking for in the database.

The researcher describes two ways in which the attack can be performed, namely Magic String using spacebin (where the attackers could both encode and encrypt the data to be exfiltrated) and embedding the data inside well-known malware.

“Public sandbox services that allow both upload and search capabilities may be used as a means for data exfiltration. The database for these services is an intermediary for transferring hidden data from a source machine to an attacker who is looking for the expected data. Many permutations of this exfiltration model may be created – each features a different stealth level, ease of implementation, accuracy, capacity etc. We only demonstrated a couple of them,” Azouri concludes.

Related: PoC Malware Exploits Cloud Anti-Virus for Data Exfiltration

Related: Researchers Devise “Perfect” Data Exfiltration Technique

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
