DropSmack: Using Dropbox to Steal Files and Deliver Malware
Around 50 million Dropbox users might soon need to give a second thought to continuing using the popular file hosting service, thanks to recently uncovered security issues.
Questions have been raised over the service regarding file security in the past, but the convenience it offers seems to have overcome security considerations.
The online storage service is offered by Dropbox Inc which provides cloud storage, file synchronization, and client software. With Dropbox users can create a special folder on each of their computers, which it then synchronises so that it appears to be the same folder (with the same contents) on all computers used to view it. Files in the folder can also be accessed through a website and mobile phone applications.
According to an article in TechRepublic by Michael Kassner, who runs the IT publication consultancy MKassner Net, while perusing this year’s Black Hat EU briefing website he came across a briefing titled “DropSmack: How cloud synchronization services render your corporate firewall worthless.”
Penetration tester Jake Williams gave an impressive and amusing presentation at this year’s Black Hat Europe revolving around how he ended up gaining access to a client’s network via Dropbox. There’s a link to Jake’s presentation at the end of this article.
After being continuously stymied in all of his traditional pen testing efforts, he was able to gain access to the CIO’s laptop through some open source (Facebook) reconnaissance, and ultimately discovered corporate documents in a Dropbox folder. Score!
This led to the development of DropSmack. DropSmack leverages the Dropbox synchronization services on an owned (infected) system to act as a Command and Control (C2) channel to the internal corporate network.
In a nutshell – here’s how DropSmack works:
DropSmack is designed to monitor the Dropbox synchronization folder. The hacker creates a file with a .doc extension, puts a legitimate file header on the first line, and then adds the desired macro commands. These files won’t open in Word (MS Word reports the file as corrupted), but from the attacker’s point of view that’s good: it makes the file less likely to be investigated by a curious user.
When the doctored file is placed in the owned (hacked) computer’s Dropbox folder, Dropbox does its magic and synchronizes all associated Dropbox folders. DropSmack detects the file meant for it and executes the command. BAM!
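The behaviour described above leaves a concrete artefact a defender can look for: a file that claims to be a Word document but is not one. The script below is an added example, not code from the original article or from Williams’ DropSmack tooling. It walks a sync folder and flags `.doc` files that carry the legacy Word (OLE2 compound file) signature but fail basic structural checks of that format, or whose content after the signature is mostly printable text, which a genuine binary compound file never is. The folder path, the 90% printable-text threshold and the sample bytes are assumptions chosen for illustration; the header layout (8-byte signature, byte-order field at offset 28, sector shift at offset 30, 512-byte header) follows the published compound file format.

```python
import os
import string
import sys

# Signature of a legacy Word .doc (OLE2 compound file); .docx is a ZIP and is not covered here.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
WORD_EXTENSIONS = (".doc",)
PRINTABLE = set(string.printable.encode())
TEXT_RATIO_THRESHOLD = 0.9  # assumed heuristic threshold


def classify_doc_bytes(data):
    """Return a list of reasons the bytes look wrong for a .doc file; empty if they pass."""
    findings = []
    if not data.startswith(OLE_MAGIC):
        findings.append("missing OLE2 signature")
        return findings

    if len(data) < 512:
        # A compound file always starts with a full 512-byte header.
        findings.append("shorter than the 512-byte compound file header")
    else:
        # Byte-order identifier at offset 28 must be 0xFFFE stored little-endian (FE FF).
        if data[28:30] != b"\xfe\xff":
            findings.append("bad byte-order field at offset 28")
        sector_shift = int.from_bytes(data[30:32], "little")
        if sector_shift not in (9, 12):  # 512-byte or 4096-byte sectors
            findings.append("invalid sector shift %d" % sector_shift)
        elif len(data) % (1 << sector_shift) != 0:
            findings.append("file length is not a multiple of the sector size")

    # A real compound file is binary; a text payload glued after the magic bytes is anomalous.
    body = data[len(OLE_MAGIC):]
    if body:
        printable = sum(1 for b in body if b in PRINTABLE)
        if printable / len(body) > TEXT_RATIO_THRESHOLD:
            findings.append("body is mostly printable text")
    return findings


def scan_entries(entries):
    """entries: iterable of (path, bytes). Returns {path: findings} for suspicious files only."""
    results = {}
    for path, data in entries:
        if not path.lower().endswith(WORD_EXTENSIONS):
            continue
        findings = classify_doc_bytes(data)
        if findings:
            results[path] = findings
    return results


def scan_sync_folder(root):
    """Read every file under the folder and hand it to scan_entries."""
    def walk():
        for dirpath, _, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    yield path, fh.read()
    return scan_entries(walk())


if __name__ == "__main__":
    # Assumed usage: python scan_doc.py ~/Dropbox
    folder = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/Dropbox")
    for path, reasons in scan_sync_folder(folder).items():
        print("%s: %s" % (path, "; ".join(reasons)))
```

The checks are a triage heuristic, not proof of compromise: a genuinely truncated download will also trip them, and the script says nothing about `.docx`. Its value is that it inspects the synced folder itself, which is exactly where the firewall, IDS and DLP described in the article have no visibility.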
DropSmack would give a hacker the ability to spread malicious code or exfiltrate sensitive data from internal systems that synchronize with the infected system via Dropbox. All of this would bypass traditional security defense mechanisms such as firewalls, Intrusion Detection Systems, Data Loss Prevention, and antivirus solutions, both at home and on corporate networks.
The best chance at defense?
Williams says that application whitelisting “won’t let the new application (DropSmack) execute.” The process of whitelisting every application that is allowed to execute on a computer system would be a HUGE undertaking. However, the fact that this communication channel exists by design remains the major challenge. Companies and individuals must ask themselves whether the use of Dropbox is worth the potential risk.
A few more interesting tidbits for business owners:
• More often than not, Dropbox is loaded on corporate networks whether it is approved or not — most of the time it’s not.
• It’s a good bet the bad guys know this technique, and are already using it.
The article may make it seem that DropSmack is more of a corporate concern, but that is not necessarily so. Once DropSmack or similar malware becomes mainstream in the bad-guy circles, it’s everyone’s concern.
Read the full article on TechRepublic here:
Direct Link to the BlackHat conference briefing presentation