The left/baby blue-ish color is 4th quarter 2018, the right/red is 1st quarter 2019. Q4 looks like 75%, Q1 looks like 80%.
That said the title doesn't really make sense "File share services being used to host attacks" should probably be something more like "percentage of increase in files that are malicious" or some such.
I'll give you another set of sites which are whitelisted by browsers: github, bitbucket, gitlab, sourceforge
If you want to trick someone into running an executable, you need to put it on a whitelisted site, otherwise they will have to slog through 5 different very scary warnings before they are allowed to run it.
The funny thing: most of HN is against this kind of browser protection, I wouldn't be surprised if they disable uncommon software warnings.
While that's true, I do get at least a little suspicious if the repository only contains binaries on a site which is designed to host source. Same if it's a little-known repository. Besides, what is some one going to do, encourage me to "download the update to adobe reader" on github? Source hosting sites would certainly be valuable in a highly-targeted attack, but it is often the case that such actors will simply find another way.
1> Microsoft sees successful tool and decides to copy it
2> truck loads of marketing money is spent
3> the product captures 5-10% of the market
4> most people either don't care or mock it
5> at some point articles come out about how the product is mostly malware
6> Microsoft quietly kills the product 2 years later
I remember back when I had a Lumia 920 and searched the app store for “Facebook” there were several pages of results for apps called “Facebook” that all had similar icons. Searches for other popular apps had similar results. The store was full of fraudulent copies of popular apps in addition to the real ones.
I don't think this is really news, or surprising. At some point any cloud-based service supporting public sharing of user-generated content will be used, either obviously or non-obviously, for malicious purposes - content hosting, C&C, etc. For the service providers, this becomes a very difficult game of cat and mouse.
I'm a little surprised to see this because OneDrive scans and provides malware information [1] where not every cloud storage does. I would expect apps, including theirs, would make use of this and warn the user. Maybe they broke something as their malware property is currently "empty" and I don't remember it being that way.
They didn't go into these details in the story, but could it be that the payload is encrypted and then hijacked blog sites are used to host the javascript to decrypt the payload? Asking because I have seen that a few times, but never saw it on onedrive.
You're not wrong you could host somewhere encrypted and escape detection. But that means you still need to point to a scam site to execute the package.
But the way this works is that you're sent an email with a legit Microsoft domain. Sometimes even a legit Microsoft Share email that points to a onedrive stored file.
The whole point is that your payload is hosted on a legit service that Apple, Dropbox, Microsoft, etc really do own. So that if you're trained to look at the URL, you see something legit, not share.filez-mikrozoft.kom
I've had to instruct my employees to look at the context, not just the hosting link. Do you know this person? Where you expecting a file? If you aren't sure can you contact them via some other form than email?
I am curious how they are uploading malicious content without encrypting it to evade detection. I've had coworkers (red team) use special packers to return "all green" on virustotal, but it doesn't take long for it to get flagged.
Yea, uploading undetectables via custom packers is what I would assume too.
I think I remember reading something about how dropbox was being used by security researchers where they were storing known-bad files, and how Dropbox mitigated this risk
21 comments
[ 2.1 ms ] story [ 53.3 ms ] threadIts saying, for the selected quarters, what percentage of traffic was malicious.
Ex:
* In Q4 2018, less than 20% (out of 100%) of wetransfer's traffic was marked as malicious.
* In Q1 2019, over 60% (out of 100%) of OneDrive's traffic was marked as malicious.
Etc.
That said the title doesn't really make sense "File share services being used to host attacks" should probably be something more like "percentage of increase in files that are malicious" or some such.
I guess it's good news for Microsoft, though: people are aware of OneDrive!
If you want to trick someone into running an executable, you need to put it on a whitelisted site, otherwise they will have to slog through 5 different very scary warnings before they are allowed to run it.
The funny thing: most of HN is against this kind of browser protection, I wouldn't be surprised if they disable uncommon software warnings.
I might expect them to be whitelisted by firewalls, but why browsers?
https://en.wikipedia.org/wiki/Google_Safe_Browsing
1> Microsoft sees successful tool and decides to copy it 2> truck loads of marketing money is spent 3> the product captures 5-10% of the market 4> most people either don't care or mock it 5> at some point articles come out about how the product is mostly malware 6> Microsoft quietly kills the product 2 years later
[1] https://docs.microsoft.com/en-us/onedrive/developer/rest-api...
contained in driveItems and other responses:
https://docs.microsoft.com/en-us/onedrive/developer/rest-api...
I have. It hasn't been what you suggest.
You're not wrong you could host somewhere encrypted and escape detection. But that means you still need to point to a scam site to execute the package.
But the way this works is that you're sent an email with a legit Microsoft domain. Sometimes even a legit Microsoft Share email that points to a onedrive stored file.
The whole point is that your payload is hosted on a legit service that Apple, Dropbox, Microsoft, etc really do own. So that if you're trained to look at the URL, you see something legit, not share.filez-mikrozoft.kom
I've had to instruct my employees to look at the context, not just the hosting link. Do you know this person? Where you expecting a file? If you aren't sure can you contact them via some other form than email?
I think I remember reading something about how dropbox was being used by security researchers where they were storing known-bad files, and how Dropbox mitigated this risk