New Google Apps script vulnerability extends URL-based threats to SaaS platforms

January 04, 2018
Maor Bin

Proofpoint researchers discover a new means of exploiting Google Apps Script to deliver malware via URLs.

Software-as-a-Service (SaaS) applications have become mainstays of modern business and consumer computing. However, they are also quickly becoming the latest frontier of innovation for threat actors looking for new opportunities to distribute malware, steal credentials, and more. Proofpoint researchers identified a vulnerability that allowed attackers to leverage Google Apps Script to automatically download arbitrary malware hosted in Google Drive to a victim’s computer.

Google Apps Script is a development platform based on JavaScript that allows both the creation of standalone web apps and powerful extensions to various elements of the Google Apps SaaS ecosystem. Proofpoint research has found that Google Apps Script and the normal document sharing capabilities built into Google Apps supported automatic malware downloads and sophisticated social engineering schemes designed to convince recipients to execute the malware once it has been downloaded. We also confirmed that it was possible to trigger exploits with this type of attack without user interaction, making it more urgent that organizations mitigated these threats before they reach end users, whenever possible.

Since we disclosed this vulnerability to Google, the company has added specific restrictions on certain Apps Script events that could potentially be abused, as we presented in this proof of concept. Google now blocks both installable triggers -- customizable events that cause certain events to occur automatically -- and simple triggers like onOpen and onEdit from presenting custom interfaces in Docs editors in another user’s session. However, the proof of concept we provided to Google and recently presented at the DeepSec Conference demonstrates the ability of threat actors to use extensible SaaS platforms to deliver malware to unsuspecting victims in even more powerful ways than they have with Microsoft Office macros over the last several years. Moreover, the limited number of defensive tools available to organizations and individuals against this type of threat make it likely that threat actors will attempt to abuse and exploit these platforms more often as we become more adept at protecting against macro-based threats.

Our exploit begun by uploading malicious files or malware executables on Google Drive, to which threat actors could create a public link. Actors could then share an arbitrary Google Doc to be used as a lure and vehicle for a Google Apps Script that delivers the shared malware. While we frequently observe Google Docs phishing and malware distribution via links to Google Drive URLs, extensible SaaS platforms allow greater degrees of sophistication, malware propagation, and automation that are also much more difficult to detect.

In this approach, because recipients received a legitimate link to edit a Google Doc - as many people do on a daily basis - the old rules of email hygiene apply here as much as ever. Google has imposed new restrictions on simple triggers to block phishing and malware distribution attempts that are triggered by opening a doc. However, recipients also should exercise caution clicking even links to Google Docs unless they know or can verify the sender. Moreover, this vulnerability automatically downloaded a malicious file and relied on social engineering to convince the recipient to open it; users should be wary of files automatically downloaded by web-based or SaaS platforms and be cognizant of the anatomy of a social engineering attack while organizations should focus on mitigating these threats before they reach end users if possible.

SaaS platforms remain a “Wild West” for threat actors and defenders alike. New tools like Google Apps Script are rapidly adding functionality while threat actors look for novel ways of abusing these platforms. At the same time, few tools exist that can detect threats generated by or distributed via legitimate software-as-a-service (SaaS) platforms. This creates considerable opportunities for threat actors who can leverage newfound vulnerabilities or use “good for bad”: making use of legitimate features for malicious purposes.

With malicious Microsoft Office macros, threat actors introduced layers of obfuscation, new techniques, and innovative approaches designed to better deliver malware payloads. The same level of innovation is likely as SaaS applications become increasingly mainstream and threat actors become more sophisticated in their abuse of these tools. Organizations will need to apply a combination of SaaS application security, end user education, endpoint security, and email gateway security to stay ahead of the curve of this emerging threat.

For those organizations looking to protect against threats leveraging SaaS applications for distribution including Office 365, G-Suite, Box, and beyond, Proofpoint provides Targeted Attack Protection (TAP) SaaS Defense. Designed to detect and visualize threats in SaaS files and URL threats embedded in SaaS files, TAP SaaS Defense is an important defensive layer against new threat innovation in Google Docs and other SaaS applications.