Delete Those Old Logins and Links or the Ghosts will Haunt You 👻
- Ray Alner
- Aug 14, 2024
- 5 min read
Ghost Links & Logins
I want to summarize the attack vector from one of my favorite podcast episodes, Darknet Diaries Episode 148 - Dubsnatch.
In this episode, they talk about how an attacker was able to gain access to a victim's cloud storage account and maintain persistence while telling the victim that their account had been breached. It's an unusual twist that makes the attacker look helpful while they keep access to the information in the cloud storage account.
The Initial Compromise
The attack began with that most original method of initial compromise: password stuffing from a credential dump. What does that mean? The attacker took passwords from a leaked password database, worked out the victim's password pattern (whether they reused the same password everywhere or added a letter or symbol for each different account), and tried the resulting guesses. Once they had the pattern, they could log in.
Once in, the attacker made sure there were no login notifications or other security protections in place that would give them away; then they could set about maintaining persistence.
Maintaining Persistence
There were three ways this attacker described to maintain persistence in the cloud storage account. Each one had some pros and cons, but the end result was the same: persistence, and then the ability to alert the victim that their account was breached.
Method 1: Cloud Links
Cloud links are an important way to share information with outside accounts as well as with internal co-workers. They are also a great way for an attacker to maintain persistence if the account doesn't have the right technical controls in place.
In this case, the attacker set up a new account with the same provider using fake information and invited that second account to the folder to maintain persistence. The account can be made to look legitimate: if a folder is shared with 50 people and the attacker sees the name of someone the victim works with, they name the new account after that person. An initial audit shows nothing out of the ordinary, and the attacker keeps access.
Method 2: SSO Persistence
SSO is one of the better ways to keep accounts safe, as it gives you, the user, a way to keep consistent security settings without having to set them up manually. It also makes logins easier to manage, with only one password to remember. It's especially helpful for businesses, which can manage logins in one system.
Now this vector has been locked down in many products, which require a code sent to the original email address before SSO can be linked, and some companies do not allow basic auth and SSO to be enabled at the same time, but I'm sure there are plenty of products that do not have this requirement.
In this case, the attacker was able to link an SSO account they managed and controlled to their victim's cloud storage account. Now the victim can still log in, change passwords, etc., while the attacker maintains persistence in the cloud account through the linked SSO identity.
Method 3: New Account with Shared Folders
Sharing folders is an easy way of making sure all users who need access keep it without a fussy link. Many cloud storage products allow company-wide managed shared folders, which is the better way to share folders while keeping control over which folders can be shared externally, but sometimes a shared folder is needed to share information with external providers.
In this case, if the victim has enough permissions, the attacker may be able to add a new user directly to the folder without using a shared folder link. If the attacker is especially cocky, they could give themselves owner control as well, so they can keep access and add other logins if they want. If hundreds of users have been added to the folder, it is easy to slip in; the victim would not notice one more user, especially one named after a co-worker who should "legitimately" be included in that folder.
Exfiltration
Exfiltration is easy at this point. In this case, the attacker took their time, and the best feature for them was that they could download all the data they wanted to their own computer without any network controls going off over a user downloading huge amounts of data: one of the biggest features of cloud storage is being able to download hundreds of gigs of data to any authenticated system without any network controls ringing bells.
Controls
How do you protect yourself against these attack vectors? There are many ways to keep control; one mentioned in the podcast was to use cloud storage sparingly. For many businesses, that's not an option.
So here’s a list of basic protections you or your business can enable on your cloud storage account.
Enable login notifications - Yeah, it's a bit annoying getting an email every time you log in, but the one time you didn't log in is when you'll be grateful you turned it on.
Enable two-factor auth - This is a given. If it has it, enable it! No ifs or buts about it. I've had some accounts that do not have 2FA available on their system (REALLY??), so in those cases I just forced SSO, so at least there was some logging and 2FA management on that account.
Delete old accounts - One thing I tell friends, family, clients, anyone who listens: don't delete a password or login from your password manager until you've taken the time to delete the account itself. I know it's painstaking and annoying, but it's an important step to stop old accounts that may still have access to data from leaking it to the wrong people.
Curate your cloud storage links - This one has a few more steps:
Make sure you have enabled password requirements on shared links, especially if they include sensitive information.
Enable link expiry dates - make it something like 90 days, so you don't forget it's floating out there.
If you're an admin, enable these by default; I also recommend going through the list of links, if you can, and deleting old links that don't have these enabled.
Lock down your SSO - This one's a bit more cumbersome. Some services let you sign in only by SSO (highly recommended if you're a business), but others let you keep both login methods, because if SSO gets disabled it's a pain for their support to re-authenticate you as a user.
Change your password - This is a given, but sheesh, it's still a common way attackers gain access to your account, especially when the inconvenient 2FA is not enabled. Make sure your password is different from all your others and is at least 10 (even 15) characters.
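As an added example (not from the post or the podcast), the following Python audit script runs over constructed sample share records in a hypothetical export format, not any real provider's API, and flags the conditions covered above: links with no password or no expiry within 90 days (the link-curation controls), and a display name that appears twice in one folder under different addresses or a folder owner outside your own mail domain (the ghost co-worker from Methods 1 and 3). The domain `example.com` and all names and addresses are constructed.

```python
from datetime import date, timedelta

MAX_LINK_AGE_DAYS = 90              # the 90-day expiry the post recommends
TRUSTED_DOMAINS = {"example.com"}   # constructed: the organisation's own mail domain

# Constructed sample records in a hypothetical export format (not any real provider's API).
SHARED_LINKS = [
    {"id": "lnk-1", "folder": "Contracts", "password": True, "expires": "2024-09-01"},
    {"id": "lnk-2", "folder": "Contracts", "password": False, "expires": None},
    {"id": "lnk-3", "folder": "Finance", "password": True, "expires": "2025-08-01"},
]
FOLDER_MEMBERS = [
    {"folder": "Contracts", "name": "Dana Reyes", "email": "dana.reyes@example.com", "role": "editor"},
    {"folder": "Contracts", "name": "Dana Reyes", "email": "dana.reyes.work@example.net", "role": "owner"},
    {"folder": "Contracts", "name": "Sam Okafor", "email": "sam.okafor@example.com", "role": "editor"},
]


def audit_links(links, today, max_age_days=MAX_LINK_AGE_DAYS):
    """Flag links with no password, no expiry, or an expiry further out than max_age_days."""
    findings = []
    for link in links:
        if not link["password"]:
            findings.append((link["id"], "no password"))
        if link["expires"] is None:
            findings.append((link["id"], "no expiry"))
        elif date.fromisoformat(link["expires"]) - today > timedelta(days=max_age_days):
            findings.append((link["id"], "expiry beyond %d days" % max_age_days))
    return findings


def audit_members(members, trusted_domains=TRUSTED_DOMAINS):
    """Flag a display name reused under a second address in one folder, and owners outside trusted domains."""
    findings = []
    first_email = {}  # (folder, case-folded display name) -> first address seen with that name
    for m in members:
        key = (m["folder"], m["name"].casefold())
        email = m["email"].lower()
        if key in first_email and first_email[key] != email:
            findings.append((email, "duplicate display name %r in %s" % (m["name"], m["folder"])))
        first_email.setdefault(key, email)
        if m["role"] == "owner" and email.rsplit("@", 1)[-1] not in trusted_domains:
            findings.append((email, "owner outside trusted domains"))
    return findings


def run_audit(today=date(2024, 8, 14)):
    """Run both audits over the sample data; today defaults to the post's publication date."""
    return {"links": audit_links(SHARED_LINKS, today), "members": audit_members(FOLDER_MEMBERS)}
```

Each finding is a (subject, reason) pair, so the output can be handed straight to whoever owns the folder for cleanup.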