Research Saturday 10.20.18
Ep 58 | 10.20.18

Stormy weather in the Office 365 cloud.


Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday presented by the Hewlett Foundation's Cyber Initiative. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now a moment to tell you about our sponsor, the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyber threats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges for the benefit of societies around the world. Learn more at

Dave Bittner: [00:01:02] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security - protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data - all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Andy Norton: [00:01:42] We typically, as the name might give it away, are often the last line of checks that that object, or a URL, or a file might go through before being delivered to the ultimate recipient.

Dave Bittner: [00:01:54] That's Andy Norton. He's the Director of Threat Intelligence at Lastline. The research we're discussing today is titled "Malscape Snapshot: Malicious Activity in the Office 365 Cloud." Andy Norton coauthored the research with his colleague, Stefano Ortolani.

Andy Norton: [00:02:11] Many of our customers have been migrating over to email cloud environments. So basically, what initiated this research was a number of malicious detections that we were seeing for our customers that are using the Office 365 cloud. So that was basically the reason why we did some investigation into the type of threat that we were seeing.

Dave Bittner: [00:02:36] And there's some history here. Looking at Office 365 mailboxes, this is a prime target.

Andy Norton: [00:02:44] Yeah, absolutely. I think, not only is sort of the adoption to cloud email becoming very prevalent, but that also goes hand-in-hand with the fact that email credentials are often sort of the crown jewels, or the keys to the kingdom. So, people targeting the theft of email credentials in the cloud environments has become one of the most common types of attacks that we're seeing.

Dave Bittner: [00:03:11] Now, just from a basic descriptive point of view, can you tell us - what is malspam?

Andy Norton: [00:03:16] Malspam is basically unsolicited email that is non-targeted in nature - so there's an element of it being bulk - but the payload is malicious, and leads to further risk on behalf of the organization. So, spam itself might just be delivery of a website for, you know, pharmaceuticals, or it could be, you know, something for, you know, dating, but there's no potential for that threat to migrate to an intrusion. With malspam, if the user interacts with that email, there is a potential for someone to place malicious objects, to steal data, and to actually come back and look to do further harm to that organization. So malspam takes infections and gives the propensity to lead to a full-on intrusion.

Dave Bittner: [00:04:13] But again, it's sort of a shotgun approach. They're not targeting individuals - they're sending out to a broad range of people out there.

Andy Norton: [00:04:21] Yes. We do see them going to, you know, numbers of organizations. What is interesting about it though is, in order for it to be successful, a lot of the attributes of the spam needs to be morphed in one way or another. So, whilst they are not targeting individuals, the file that gets sent will be unique, the hash of the URL will be unique, the IP address of the command-and-control infrastructure will be one-time-use disposable. So they've sort of taken some of the inherent strengths of targeted attacks, and they've developed it for a much broader audience.

Dave Bittner: [00:05:01] Well, let's dig in here to what you've found. A lot of what you're dealing with here started with Trikbot and GandCrab. Can you take us through - what's going on with these?

Andy Norton: [00:05:12] Yeah, so what we see now is, the attacks themselves have sort of multiple warheads, for want of a better description. They're not sort of, you know, single, one-shot attacks. So Trikbot is the element of the - the infrastructure of the attack that allows for secondary payloads to be delivered onto the system. And in this particular attack it was a ransomware payload - GandCrab version 3 - that was put onto the system, or was the final payload.

Andy Norton: [00:05:43] I think one of the interesting things about this type of attack is that we are very much drawn to the ultimate visibility that the threat has with it. So there's very much, you know, the user, the organization, would visibly see the ransomware note of the GandCrab payload, but would be unaware of the other type of modules that Trikbot was also putting into the system.

Dave Bittner: [00:06:11] Let's dig into that some. Can you describe to us what's going on?

Andy Norton: [00:06:14] Sure. So what we see happening is that the first element Trikbot will put, probably a password-stealing or data theft banking Trojan element onto the system, that immediately steals all of the, you know, web passwords, email passwords, Windows local credentials, and exfiltrates them, and then installs the ransomware payload.

Andy Norton: [00:06:38] So when the organization comes to remediate, the best advice you get for remediation with ransomware is to either, you know, restore from the last known good backup or do a reimage of the system. So the organization then goes through that incident response process and brings back the system to a clean state. However, the actual other intent of the attack was to exfiltrate the usernames and passwords and it allows that organization to be vulnerable from a secondary attack which would be credential-led.

Dave Bittner: [00:07:14] So it's sort of, almost ransomware as misdirection?

Andy Norton: [00:07:18] Exactly. And I'm certain that with other campaigns, that that is the goal. It's actually to distract the organization, or convince the organization to apply an inappropriate incident response.

Dave Bittner: [00:07:32] Now, some interesting notes about Trikbot, about the way that it formats its messages - there's a pattern here, and sort of a social engineering element to the way they get people's attention.

Andy Norton: [00:07:46] Yes. So there's two aspects to this. So firstly, we have disparity in the way that we protect ourselves from attacks. So obviously, you know, portable executable files, ".exe" files - the industry itself has very good, you know, detection for. There's been a lot of investment in artificial intelligence and machine learning, you know, that are able to study the genetics of executable files, and now are applying very strong levels of security to .exe's.

Andy Norton: [00:08:19] But what you'll find is, is that prevention won't actually solve the problem of cyber crime. It actually will change the problem. And that's why we're seeing now more file types in use. People are moving away from the reliance on a .exe to be part of the attack. So with Trikbot they used, basically, JavaScript files, which are prevalent in, you know, every web page or, you know, or an awful lot of emails with attachments have JavaScript built into them. And then was able to, once the user interacted with the JavaScript, launched a PowerShell script - which, again, has been default installed on Windows since Windows 7 - which then goes and gets the payload.

Andy Norton: [00:09:07] And the other thing that was interesting about this was, it wasn't sort of - the theme wasn't really work related. It wasn't, you know, HR related, here's my CV.

Dave Bittner: [00:09:16] Mm-hmm.

Andy Norton: [00:09:16] It wasn't finance related, you know, here's my, you know, purchase order or my invoice. It was actually targeting the individual's personal life. So it was like, you know, here's a new picture of you, you know, how could you take this picture of me. So it was very much structured around sort of, you know, the personal life of the victim.

Dave Bittner: [00:09:35] Right. And a certain amount of vagueness to them as well, to I guess spark someone's curiosity.

Andy Norton: [00:09:41] Exactly.

Dave Bittner: [00:09:42] Yeah. Also interesting, I thought, was the filename structure. They use a I think certainly most people consider a .jpg - a .jpg, I think most people think about as being comparatively benign.

Andy Norton: [00:09:59] Indeed. Again, it's sort of a double bluff because the actual file extension is the zip.

Dave Bittner: [00:10:05] Right.

Andy Norton: [00:10:05] The other thing that's interesting is, it looks like the filename is sort of structured in the way that a digital camera might take a photo and give it a unique identifier.

Dave Bittner: [00:10:18] Hmm, right. So if the message says I'm about to publish this photo, and the file structure looks like something you'd be accustomed to with a photo - again, another way to lure you in.

Andy Norton: [00:10:29] Exactly. It's just, you know, improving their click rate.

Dave Bittner: [00:10:33] Right. So, one of the things you dug in here was this notion of how Microsoft handles false positives and false negatives. Can you take us through that?

Andy Norton: [00:10:44] Yeah, so I think it's not just specific to Microsoft. I think it's anyone that is operating email services, whether that be, you know, on premise or in the cloud. And essentially, it's always been sort of a guiding rule with email - which is not to cause an undue amount of false positives. And that's because if you quarantine a business-critical email, or if you delete a business-critical email, that can have, you know, extremely high business impact on an organization, of the level of, you know, suffering a malicious infection and a subsequent intrusion.

Andy Norton: [00:11:21] So email providers tend to be less tolerant of false positives, and of course that induces the fact that you then get false negatives. So you do get malicious things coming through, simply because they're sitting in that gray area, and the email provider doesn't want to quarantine or block the email from traveling to the user, to the recipient.

Dave Bittner: [00:11:45] Yeah. Now, The GandCrab malware here - you discussed version 2 and 3, and ways that they made themselves undetectable. Can you describe that for us?

Andy Norton: [00:11:55] Yeah, so GandCrab is being actively developed. We've now moved on to a version 4. And to some extent, this links back to the executable argument of it being a weak link in the attackers campaign. So GandCrab uses a reflective loading technique, and this is also relevant to attacks which live off the land. So, instead of trying to put a new file onto the disk of the system, which would initiate an antivirus scan, it loads itself into a known good system file, and operates from there. So as far as AV checks are concerned, it's possibly whitelisted, or known good file which is running on the system. So there is no new file for AV to inspect.

Dave Bittner: [00:12:47] Hmm. And it has a pretty broad range of capabilities.

Andy Norton: [00:12:50] Yes, indeed. There were a number of capabilities. So we identify capabilities as behaviors. So, whilst you can polymorph many, many aspects of an attack, what you can't do is change the underlying nature of it, and those natures are displayed in terms of behaviors. The way that it wants to run on the system was very evasive. It was able to make changes to the system. Of course, it wanted to communicate back to its command-and-control. So there were a number of different behaviors associated with it.

Andy Norton: [00:13:25] It was - what's important to point out, though, is identifying those behaviors is very important to doing the correct triage of a particular attack. What you'll see is, is because AI has been so involved from doing static analysis, what the - sort of the byproduct of that is extremely generic naming nomenclature for those threats. So you'll see things like "Unsafe" or "malware confidence 100" or "Trojan.Generic" or "FileRepMalware." Which is great, but it doesn't help security analysts apply an elevated level of incident response to attacks which do steal credentials, or do log into Outlook and start sending emails.

Andy Norton: [00:14:12] So their behavior is very important. Behavioral analysis is very important for making sure that, once you get to a threat, you make sure there is no possibility of it coming back and doing harm in the future.

Dave Bittner: [00:14:25] Now, another thing that you looked at in your research here was the Emotet malspam. Describe to us what you found here.

Andy Norton: [00:14:31] Yeah, so Emotet is a very successful payload campaign that we see, not just in Office 365, but across all vertical industries. It uses - or it's constantly updating the way that it manages to infect systems. We are going to release some research in the future, so we think blacklisting, or list-based, or threat-intel-based security is about 50 percent effective at stopping Emotet. Again, it is a modular system. So, you know, the way that one organization would remediate Emotet might be very different to another organization, because you might get different modules.

Andy Norton: [00:15:12] Emotet that was the attack which recently took out the Mat-Su government in Alaska. It hit, I think, like five hundred machines. It's cost them over a million dollars to remediate. One of the things that Emotet is additionally able to do is bring in a third-party payload, and again, it brought in a ransomware payload. And this could be to prevent the incident responders from doing correct remediation of the full capability of the attack.

Dave Bittner: [00:15:43] So what are the take-homes for you? What are the lessons that we've learned from this research?

Andy Norton: [00:15:48] I think, specifically, here, two-factor authentication is becoming more and more important. It very much should be the go-to safeguard for protecting credentials. Once you've got someone's email username and password, you can get into many, many different systems. You know, for example, if you have my Gmail password and you use my credential to log into Amazon, and Amazon said, what's the password? - and you don't know what it is, you can force a code to be sent to my email account, which will then allow you to log into my Amazon and buy things in my name. So, having two-factor authentication stops a lot of those channels for harm.

Andy Norton: [00:16:35] Also, one of the other things, which has become outdated as a best practice, and it says, you know, do not open attachments from someone you don't know. And it assumes that it's OK to open attachments from someone you do know. And we need to move beyond this advice now. That's, you know, it's easy to spoof someone's address, it's easy to do account takeover. You know, if you have got their username and password, you are effectively those people.

Andy Norton: [00:17:03] So, the best advice now is, trust no URL or attachments. Organizations should provide a level of behavioral analysis that scans all URLs or attachments before being delivered to the recipient, and take the burden of security away from the user and put it back on the technology.

Andy Norton: [00:17:23] And then the final thing, which is apply - stick with the - it's been used in, you know, enterprise and internal networks for a long time now - which is defense-in-depth. Use multiple different types of technologies, so it's broad, and also use a number of different vendors or makers, so that you don't build it in a blind spot or a weakness into the security. So that best practice needs to translate to the cloud, not just internal networks.

Andy Norton: [00:17:51] So, you know, if you are using Office 365, the bad guys will also have accounts, test accounts. They will be checking to see whether their malware is able to subvert existing Microsoft defenses. So you will need third-party add-ons if your level of risk, you know, warrants ensuring that the data you have remains confidential, integral, and available when you need it.

Dave Bittner: [00:18:18] Yeah, I'm intrigued by one of the things you have here in your research, which is this notion of detonating everything that comes through. It's certainly an evocative notion. Can you describe to us - what do you mean by that?

Andy Norton: [00:18:32] Okay, so basically, detonating means getting the URLs and attachments to reveal their intent in an instrumented environment, which we could liken to a detonation chamber. So we would put the object in, we want to see what it does, so we encourage the file to carry out all of its actions inside an instrumented environment. Once we see that, we then know what will happen to the actual user's device if we release this file.

Andy Norton: [00:19:05] So we can say, okay, well, this is, you know, doing reflective loading, this is sending your Windows credentials to a site in the cloud somewhere. It is trying to detect sandboxes, it's trying to shut down the antivirus from getting updates. We actually - you know, those behaviors - we don't want to release this object into the internal environment. So that's the idea behind detonation.

Dave Bittner: [00:19:31] Calling in the bomb squad ahead of time.

Andy Norton: [00:19:34] Exactly.

Dave Bittner: [00:19:35] Yeah. And then, so, from a user's point of view, they get the all clear that this file, this link, whatever it might be, has been through a certain level of scrutiny before it's even hit my mailbox.

Andy Norton: [00:19:47] Yes, exactly right. Yeah, so we're taking the burden of having cyber resilience away from the user, and we're putting it into technology, where there can be no debate about whether a file is good or bad. It, you know, it reveals its intention in the instrumented environment.

Andy Norton: [00:20:05] I think we're very much under pressure. I think security analysts have a tough job knowing how to remediate correctly. I think prevention, whilst it is an ideal solution, will just change the problem, and the bad guys will come up with new ideas. And I think we do need to - in the face of escalated activities on behalf of the bad guys - I think we do need to adopt better technology and better best practices. So I think if we can get those three messages across, I think it's been worthwhile doing.

Dave Bittner: [00:20:40] Our thanks to Lastline's Andy Norton for joining us. The research is titled "Malscape Snapshot: Malicious Activity in the Office 365 Cloud." We'll have a link in the show notes. You can also find it on the Lastline website.

Dave Bittner: [00:20:55] Thanks to the Hewlett Foundation's Cyber Initiative for sponsoring our show. You can learn more about them at

Dave Bittner: [00:21:03] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at

Dave Bittner: [00:21:12] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.