Human security

‘Massive wave’ of hackers exploiting comments in Google Docs

It appears that users are now paying the price for Google not shutting down or fully mitigating a vulnerability in Google Docs’ commenting feature. email — primarily Outlook — and Google Docs, according to Avanan researchers.

The targets ? Pretty much any end user.

Taking advantage of the “transparent nature” of Google Docs which allows employees to collaborate in real time around the world, hackers simply add a comment to a Google Doc that mentions the target with an @.

“By doing this, an email is automatically sent to that person’s inbox. In this email, which came from Google, the full comment, including the bad links and text, is included, ”Avanan researchers wrote in a blog post. Publish. “Also, the email address is not displayed, just the names of the attackers, which makes it ripe for impersonators.”

Avanan observed that hackers reached over “500 mailboxes out of 30 tenants … using over 100 different Gmail accounts.”

“Arming documents for phishing is a proven approach to gaining a foothold in a business and reinforces one of the core business truisms: you can hack systems or you can hack humans,” said Tim Wade, manager. technical. director, CTO team at Vectra. “When it comes to human hacking, it’s still an arms race – adversaries always look for new ways to trick humans via a reliable delivery vehicle, while network defenders deal with the fallout. . “

Ultimately, he said, “compromised users and systems will occur with the time, motivation and resources needed on behalf of an adversary. “

Hackers tracked by Avanan were able to bypass the scanners and avoid the watchful eyes of end users because the notification comes directly from Google, which is not only trusted by users, but also appears on most allow lists. “Second, the email doesn’t contain the attacker’s email address, just the display name,” the researchers said. “This makes it harder to evaluate spam filters and even harder for the end user to recognize. “

“Even before document creation and collaboration moved to the cloud, documents were a powerful phishing and malware delivery tool for malicious actors,” said Hank Schless, senior director of security solutions at Lookout. “The threat of bogus or malicious attachments was part of the reason the MTA market was born, as organizations wanted a way to scan incoming messages for malicious attachments. “

With the massive migration to the cloud, “Collaboration platforms like Google Workspace have long been exploited by threat actors as an effective threat vector. Since so many organizations use these platforms to work more efficiently, especially across multiple internal or external teams, we’ve been conditioned to click any notification we get from Docs, Sheets, and Slides ” , said Schless. “As with so many other tactics, threat actors rely on our inherent trust in certain platforms, applications and devices to trick us into interacting with their nefarious campaigns.”

In the attacks observed by the Avanan researchers, “it’s easy for actors to target anyone,” he said, including entire companies. “If they wanted to tackle a particular organization and figure out the format of employee emails, a quick LinkedIn search would tell them exactly who to contact,” Schless said. Whether it’s an email, text, or third-party messaging platform, the attacker could simply create a fake Google login page and ask the targeted user to enter his credentials to access the document in which he is identified. “

And hackers only have to lure a single user to fall for it. “Once an attacker has these legitimate credentials in hand, they can enter the infrastructure under the guise of a legitimate user and move sideways until they find valuable assets to exfiltrate or to encrypt, ”Schless explained.

Without a doubt, it is time for organizations to step up their game to protect against identity theft, phishing, and other techniques. “This incident highlights the importance of having visibility into how your users interact with cloud applications and the data stored in them,” he said.

Indeed, “attackers who abuse the comments section of Google Docs for the purpose of spreading malware and malicious links is another legitimate reason for security teams to extend their zero trust architecture beyond identity and network levels, ”said Adam Gavish, co-founder and CEO. at DoControl. “Applying the zero trust model to the data layer can help achieve a least privilege model and significantly reduce the possibility for attackers to exploit flaws such as the one in the comments section of Google Docs.”

Avanan researchers suggested that organizations “encourage end users to cross-check the email address” in a Google Docs comment before clicking on it to ensure its legitimacy.

“Although this is a serious problem, it is not much different from many other phishing methods,” said Shawn Smith, director of infrastructure at nVisium. “Users should always be wary of links in emails, even those from legitimate senders, due to the possibility of an account being compromised. It seems to me that this could be classified less as an “exploit” per se, and more as a case of lack of spam prevention. In addition to checking the links, users should also hover over the links before clicking to confirm that the embedded hyperlink sends them where they want, and not to a completely different site than the one indicated by the link, ”Smith said. .

If users aren’t sure a sender is up and running, they should contact the legitimate sender to confirm they’ve sent a document, Avanan said.