Following the discovery of a recent remote access trojan (RAT) that uses Dropbox for command and control in a targeted attack against the Taiwanese government, we have the following comments from Tripwire explaining how and why Dropbox lends itself well to these types of attacks:
Craig Young, Computer Security Researcher, Tripwire, said: Cloud-sync services like Dropbox offer many features which can aid attackers in various ways. Communication with Dropbox is encrypted and therefore not easily inspected by network protection systems; adding to this is the fact that Dropbox is commonly used in enterprise environments for legitimate purposes. In the past we have seen a lot of attacks using Dropbox to host malware installers, infected documents, and hacking tools, but in the case of these attacks targeted at the Taiwanese government, the attackers have gone one step further by using the service to act as middleware for a command and control system. This is a logical process evolution for botnet operators struggling to maintain control over their victims while isolating themselves from their attack infrastructure for operational security. The attacker can easily mask their identity while uploading new configuration files, and periodic requests to Dropbox from the victim nodes are unlikely to raise any suspicion. From a network administrator’s perspective, requests to Dropbox are indistinguishable from one another unless a system is in place to actively intercept and analyze the SSL communications. Dropbox also makes a natural choice for attackers looking to exfiltrate data since uploads can be performed with or without an agent without generally raising alarms. For a while now many CISOs have been discussing whether or not Dropbox traffic should be permitted on their networks due to the risk of data leakage – now there is a real-world example of yet another reason for businesses to be concerned about cloud storage.
Dwayne Melancon, CTO, Tripwire, added: When doing investigations, there is a common maxim to "follow the money." In malware and exploits, the maxim is "follow the users." Given that Dropbox is fairly common amongst business users, I'm not surprised that this has become a command-and-control vehicle for attackers. A lot of organizations have a stated policy against storing company information on Dropbox, but very few of them prohibit Dropbox entirely. That means that even in the organizations that are concerned about Dropbox, you will probably find corporate users who are using the service.
When the Dropbox client is installed, files that the user is sharing are replicated to their local desktop. This provides an opportunity to conduct monitoring of the system state to detect malware. Looking for the appearance of suspicious binaries, or unusual changes to users' systems, can also tip you off that something is wrong.
This is an example of an attack in which you could reduce the risk by not giving users local administrator privileges on their workstations. Enterprises are increasingly achieving this through continuous monitoring and security configuration management on the endpoints.
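As an added illustration of the endpoint monitoring Melancon describes (example code written for this page, not Tripwire's or the original article's), the following Python takes a baseline of a Dropbox sync folder, then reports files that appeared, changed or vanished and flags any whose header marks them as a native executable regardless of the extension they carry; the folder path and sample files are constructed in `demo()`.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Magic bytes of common native executable formats. A dropped binary may carry a
# harmless-looking name, so the file content is checked rather than its extension.
EXECUTABLE_MAGIC = {
    b"MZ": "PE (Windows)",
    b"\x7fELF": "ELF (Linux)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (macOS)",
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def executable_kind(path):
    """Return the executable format name if the file header matches, else None."""
    with open(path, "rb") as f:
        head = f.read(4)
    for magic, kind in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def snapshot(folder):
    """Map each file under the sync folder (relative path) to its SHA-256."""
    root = Path(folder)
    return {str(p.relative_to(root)): sha256_file(p) for p in root.rglob("*") if p.is_file()}


def diff_snapshots(folder, baseline):
    """Compare the folder's current state against a known-good baseline."""
    current = snapshot(folder)
    findings = []
    for rel, digest in current.items():
        if rel in baseline and baseline[rel] == digest:
            continue  # unchanged since the baseline was taken
        status = "new" if rel not in baseline else "modified"
        findings.append({"path": rel, "status": status, "sha256": digest,
                         "executable": executable_kind(Path(folder) / rel)})
    for rel in set(baseline) - set(current):
        findings.append({"path": rel, "status": "deleted", "sha256": baseline[rel], "executable": None})
    return sorted(findings, key=lambda f: f["path"])


def demo():
    """Constructed scenario: a clean sync folder, then a PE file appears as 'report.pdf'."""
    folder = Path(tempfile.mkdtemp(prefix="dropbox_sync_"))
    (folder / "notes.txt").write_bytes(b"quarterly planning notes\n")
    baseline = snapshot(folder)  # taken while the folder is known-good
    (folder / "notes.txt").write_bytes(b"quarterly planning notes (edited)\n")
    (folder / "report.pdf").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)  # PE header, misleading name
    findings = diff_snapshots(folder, baseline)
    shutil.rmtree(folder)
    return findings
```

Run `snapshot()` while the endpoint is known-good and store the result; a scheduled `diff_snapshots()` against it surfaces exactly the "appearance of suspicious binaries" the quote refers to.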