With the migration – actually, rush – to the cloud, companies are eschewing their local IT infrastructure altogether, as the ROI from moving functions like database management or designing in virtual environments to the cloud becomes evident. Even small things – like working on documents shared between groups – have moved to the cloud, via sharing services like Dropbox, OneDrive, and other enterprise file sync and share (EFSS) systems.
It's a system that works great – until it doesn't. If hackers manage to get access to that shared space, they could wreak havoc within the organisation. Imagine this scenario: a hacker nabs the EFSS credentials of an employee who works from home, gaining access to the cloud-based document sharing system. A well-crafted, socially engineered email, for example, containing a document from a “colleague” that the recipient is supposed to edit and share, would do the trick. That the hackers would know whom to send such a request to, and that they know the recipient has access to an EFSS system, would make the message seem as legitimate as any.
With access from that account, hackers could make slight edits to shared Word or Excel documents, for example, and add “loaded” macros to them. The macros would run when the documents are opened on a computer in the office – and release Trojans that would install themselves to commit no end of mischief: scraping user accounts for authentication information, opening a port to allow hackers free access to the server, installing ransomware, etc.
This scenario is more than possible; it's feasible, even plausible, as researchers showed at a recent Black Hat Europe conference. Document sharing solutions allow users' local systems to automatically synchronise documents in either direction – without a security layer. “Users without administrative privileges can use these applications without so much as popping a UAC dialog. This freedom makes illicit installations of these applications all the more likely,” according to the researchers.
Synced documents are no different from any other downloaded content, as far as users are concerned. And although the EFSS system is well protected against outside attempts to hack into it, an EFSS-based scam to gain access to the system would be undetectable to that anti-tampering security; after all, the user is logging in with the correct credentials, using EFSS in exactly the way it was meant to be used!
What about server security? While generally a downloaded document would be scanned for malware or checked inside a sandbox, those rules don't necessarily apply to sync and share documents. If hackers gain access to those documents, and especially if they could hide their malware in a macro – which anti-malware systems cannot scan anyway (and EFSS-synced documents are in any event not subject to scans) – there would be little to stop them from carrying out a scam like this.
Seen from this perspective, the strength of file sharing systems is also their “Achilles' heel.” Once authorised on their computer, a member of a group has full access to any of the documents in the EFSS system, as do other members of the group, allowing them to fully collaborate and work more efficiently. But therein lie the seeds of EFSS systems' insecurity. Once the user supplies the requested information, the hackers basically get free access to anything they want, having passed the single hurdle keeping them off the corporate server.
What can companies do to protect themselves? They could ask (more like “demand”) that Dropbox and its EFSS compatriots introduce an intermediary security layer that scans documents for malware before they reach the endpoint, as it is customary for services to provide security within the service. Dropbox, for example, doesn't do that; the company suggests that users install anti-malware security systems that check files before they are opened. “Dropbox syncs any files added to it. If someone adds files with a virus or malicious software, that file syncs to any computers linked to the account. If the virus or malicious software is in a shared folder, shared folder members and computers may also be affected,” according to the company. They suggest “exercising due caution when running unknown files from other computers.” That's fine for files from “unknown” sources, but what about legitimate (although tampered-with) files from legitimate users that fit the legitimate criteria (name, topic, source, etc.) users expect them to fit?
(Ed: Dropbox confirmed to ITProPortal that they do actually scan files for malware)
So it's up to organisations to protect themselves by installing a security layer between EFSS system users and documents. However, neither anti-malware systems nor sandboxes are capable of dissecting a Word or Excel document and examining an attached macro; they just don't delve that far down into the code. And even if sandbox-based scans could examine macros, an increasing number of malware agents can detect a sandbox environment and change their behaviour in order to “hide” their true purpose, allowing files to get past the security layer and into the sync and share system.
One technology that can prevent an exploit of this type is a relatively new anti-malware technique called Content Disarm and Reconstruction (CDR), which acts as a buffer between a user and infected documents. CDR breaks files down into their code components and examines every aspect of a document, including macros, separately. Any component discovered that does not adhere to the original specification of the file type is thrown out, and the document is reconstructed, sans the threat, with its functionality intact.
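To make the CDR idea concrete, here is an added example (not code from the original article, nor Votiro's product) that applies the "take apart, drop what doesn't belong, rebuild" step to one component only: the VBA macro project inside a macro-enabled Word file. It copies every part of the OOXML package except the VBA parts, removes the reference to them, and re-declares the result as a plain .docx, so the document text survives while the macro does not. The sample package is constructed in code to exercise the stripper and is not a file Word would open; a full CDR engine would additionally validate each remaining part against its specification.

```python
import io
import re
import zipfile

# Main-part content types for a macro-enabled (.docm) vs a plain (.docx) document.
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = ("application/vnd.openxmlformats-officedocument"
            ".wordprocessingml.document.main+xml")
# Relationship entry pointing at the VBA project part; dropped during rebuild.
VBA_REL_RE = re.compile(r'<Relationship\b[^>]*Target="vba[^"]*"[^>]*/>')

def disarm_docx(data: bytes) -> tuple[bytes, list[str]]:
    """Rebuild the package without its VBA parts; return (clean_bytes, removed_parts).

    Only parts that do not belong in a plain .docx are dropped; every other part
    is copied through byte-for-byte, so text and layout survive the rebuild.
    """
    removed, out = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            body = src.read(name)
            if name.startswith("word/vba"):              # vbaProject.bin, vbaData.xml
                removed.append(name)
                continue
            if name == "[Content_Types].xml":            # declare result as plain .docx
                body = body.replace(MACRO_CT.encode(), PLAIN_CT.encode())
            elif name == "word/_rels/document.xml.rels":  # remove dangling macro link
                body = VBA_REL_RE.sub("", body.decode()).encode()
            dst.writestr(name, body)
    return out.getvalue(), removed

def read_part(data: bytes, name: str) -> bytes:
    """Return one package part (b'' if absent); used for before/after comparison."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name) if name in z.namelist() else b""

def build_sample_docm() -> bytes:
    """Constructed minimal macro-enabled package (assumption: this shape is enough
    to exercise the stripper; it is not a document Word would open)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types><Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
                   f'<Override PartName="/word/document.xml" ContentType="{MACRO_CT}"/></Types>')
        z.writestr("word/_rels/document.xml.rels",
                   '<Relationships><Relationship Id="rId1" Type="http://schemas.microsoft.com/'
                   'office/2006/relationships/vbaProject" Target="vbaProject.bin"/></Relationships>')
        z.writestr("word/document.xml", "<w:document><w:body>Quarterly figures</w:body></w:document>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0CONSTRUCTED-VBA-PLACEHOLDER")
    return buf.getvalue()
```

Run `disarm_docx(build_sample_docm())` to see the removed-parts list; the same function applied to a real .docm drops its macros while leaving the remaining parts untouched.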
As such, CDR is the perfect protection layer for EFSS systems – which are all about the shared documents. While it's likely that employees could be trained not to click on suspicious email links or even attachments, that kind of caution can't apply to an EFSS system – where the whole point is to allow free access to files. With freedom comes responsibility, though – and if companies want to avoid becoming victims of a scam that, although documented four years ago, still constitutes a plausible threat, they need to get their EFSS houses in order.
Itay Glick, Co-founder and CEO, Votiro