
SaaS Security Begins In the Browser: Why The Largest Chrome-Based Surveillance Campaign Undermines That

On June 18, 2020, Awake’s Threat Research Team disclosed a massive global surveillance campaign exploiting the nature of Internet domain registration and browser capabilities to spy on and steal data from users across multiple geographies and industry segments. In this blog post, we will discuss why this matters in the context of the enterprise threat model and how focusing on one specific threat in that model—SaaS Security—enabled us to uncover this long running campaign.

Why Does This Matter?

According to Gartner, adoption of SaaS and other cloud-based services is expected to more than double in the next five years. As many of our customers have jumped on the SaaS bandwagon, we have looked at ways to protect these new assets. There are a lot of “SaaS security” specific solutions out there, but if you go down to first principles, security for these applications comes down to two halves: securing the server and the application, and securing your access path and the browser.

Securing the application is really up to the vendor—and yes there are things you can do as part of the procurement and contracting process to provide a level of trust in the vendor’s security practices. But what can you as a customer do on an ongoing basis to secure your access and the browser?

If the browser is insecure, it doesn’t matter how secure the SaaS application is. In fact, an insecure browser weakens the security of ALL your SaaS applications, because every one of them is reached through that same browser. The browser has unofficially replaced Windows, MacOS, etc. as today’s “operating system.” It is critical that security controls can monitor browser-based activity and report on security threats so that you have early detection and rapid response.

Similarly, if you cannot trust the path to the Internet and the domains your SaaS traffic reaches, you have a gap in your SaaS security strategy as well. For more than a decade, the approach has been to rely on proxies and other web security tools that do a decent job of blocking and monitoring the “known bad.”

However, as attackers move to “living off the land,” or to high-reputation cloud services and recently expired domains whose reputation is still clean, the known-bad approach starts to show gaps that security teams then have to bridge with threat hunting and other advanced techniques.

How Has Awake Approached the SaaS Security Problem?

At Awake, we spend a lot of time thinking about the SaaS security puzzle. One aspect of that is focusing on the browser and domain insecurities we described above. Most organizations don’t have the people, the time or the skills necessary to tackle this problem, which is why we wanted to move it outside the realm of manual threat hunting and see if it could be intelligently automated to uncover the real threats without flooding the security team with false positives.

This first led us to develop an adversarial model (Awake’s term for a behavioral model used for automated detection, which analysts and users can easily create, copy and edit) that detects a large volume of “malware” missed by traditional tools. We say “malware,” but in many cases this isn’t your traditional malware. Often it is an existing operating system tool like PowerShell, a business application like Microsoft Office, or a service like Google Drive or Twitter being used for command and control. Put simply, the model’s function was to flag traffic, on any protocol, that is:

  • Destined for a relatively rare destination for the network being monitored, and
  • Not going to a “known-good” destination (more on that in a different post), and
  • Uploading data, even small amounts, and
  • Seen from the same device in some frequency pattern e.g. 3 of the past 7 days (or at least once a week for the past 3 weeks).
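The four tests above are simple enough to state as code. The block below is an added illustration written for this post, not Awake’s own model or a piece of its platform; it runs the same four conditions over a constructed set of connection records. Every hostname, device name and byte count in it is invented for the example, and the rarity threshold (a destination seen from at most two devices), the 7-day window and the 3-day minimum are assumptions chosen to match the text.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data: hostnames and device names below are invented
# for this example and are not from the campaign described in the post.
TODAY = date(2020, 6, 18)
KNOWN_GOOD = {"drive.google.com", "login.microsoftonline.com"}


@dataclass(frozen=True)
class Flow:
    day: date
    device: str     # internal device identifier
    dest: str       # destination hostname, whatever the protocol
    bytes_out: int  # bytes sent by the device toward dest


def _ago(n):
    return TODAY - timedelta(days=n)


SAMPLE_FLOWS = [
    # ws-017 beacons to a rare host with small uploads on 3 of the last 7 days
    Flow(_ago(6), "ws-017", "cdn.rare-example.test", 412),
    Flow(_ago(4), "ws-017", "cdn.rare-example.test", 388),
    Flow(_ago(1), "ws-017", "cdn.rare-example.test", 401),
    Flow(_ago(9), "ws-017", "cdn.rare-example.test", 420),  # outside the window
    # a single contact from another device: rare, but not persistent
    Flow(_ago(3), "ws-099", "cdn.rare-example.test", 200),
    # ws-042 polls a rare host daily but never sends any data
    *[Flow(_ago(n), "ws-042", "static.rare-two.test", 0) for n in range(5)],
    # daily uploads to an allowlisted SaaS: excluded as known-good
    *[Flow(_ago(n), "ws-017", "drive.google.com", 50_000) for n in range(7)],
    # a SaaS API used by twenty devices: common on this network, so not rare
    *[Flow(_ago(n), f"ws-{i:03d}", "api.popular-saas.test", 1_200)
      for n in range(7) for i in range(1, 21)],
]


def rare_destinations(flows, max_devices=2):
    """Destinations contacted by at most max_devices distinct devices.

    Rarity is a network-wide baseline, so it is computed over every flow
    supplied, not only over the persistence window."""
    devices_by_dest = defaultdict(set)
    for f in flows:
        devices_by_dest[f.dest].add(f.device)
    return {dest for dest, devs in devices_by_dest.items()
            if len(devs) <= max_devices}


def persistent_uploaders(flows, today, window_days=7, min_days=3,
                         max_devices=2, known_good=KNOWN_GOOD):
    """Return {(device, dest): [days]} for pairs meeting all four tests:
    rare destination, not known-good, uploaded data, and seen on at least
    min_days distinct days inside the trailing window_days."""
    rare = rare_destinations(flows, max_devices)
    window_start = today - timedelta(days=window_days - 1)
    upload_days = defaultdict(set)
    for f in flows:
        if f.dest in known_good or f.dest not in rare:
            continue
        if f.bytes_out <= 0:  # "uploading data, even small amounts"
            continue
        if not window_start <= f.day <= today:
            continue
        upload_days[(f.device, f.dest)].add(f.day)
    return {pair: sorted(days) for pair, days in upload_days.items()
            if len(days) >= min_days}


if __name__ == "__main__":
    for (device, dest), days in persistent_uploaders(SAMPLE_FLOWS, TODAY).items():
        print(f"{device} -> {dest}: uploads on {[d.isoformat() for d in days]}")
```

On the sample data only the ws-017 to cdn.rare-example.test pair survives: the one-off from ws-099 fails the frequency test, ws-042 never uploads, the Google Drive traffic is allowlisted, and the popular API is contacted by too many devices to count as rare. The alternate cadence the text mentions (at least once a week for three weeks) is the same function with a 21-day window and a weekly bucket in place of the per-day set.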

As you may imagine, this model is extremely effective at catching a wide variety of malware. From traditionally compiled executables to fileless and scripted remote access – if it is persistent, it is easily discoverable this way.

When a model fires, the Awake platform precomputes answers to investigators’ most common questions, even if they forget to ask. For example, when malicious activity is detected on a network (by either automated detection or hunting), an investigator might need to answer questions like:

  1. How long has the domain been in our network?
  2. Where was the domain registered?
  3. What other devices on our network are accessing the same domain?
  4. How common is the registrar?
  5. What other traffic in my network is going to domains from the same registrar?
  6. How many other devices in the network are going to domains from the same registrar?

These are powerful questions that can quickly turn a simple alert into a far-reaching campaign investigation. That’s exactly what happened here! When this automation operated in conjunction with the model we described in the previous section, a curious pattern began to emerge across many of our customer, prospect and research partner networks.

The screenshot below is an EntityIQ profile of a domain dafucah[.]com that was part of the browser surveillance campaign we uncovered, and it illustrates how answering the questions above led us and our customers down the path.

As you can see above in the screenshot, the answers to the following questions have been precomputed for the analyst, without requiring them to remember to search elsewhere for answers:

Question: How long has the domain been in our network?
Answer: About six weeks at the time of this screenshot.

Question: Where was the domain registered?
Answer: Israel

Question: How common is the registrar?
Answer: Not very common at all. Across all the time and traffic observed, very few domains have been seen that were registered through this registrar.

Question: What other traffic in my network is going to domains from the same registrar?
Answer: A handful of those domains have dozens of activities associated with them, meaning they are potentially persistent C2 domains too.

Question: How many other devices in the network are going to domains from the same registrar?
Answer: Three. Based on the information precompiled for the analyst, it appears the three devices are all exhibiting the same behavior and trying to communicate with the same set of domains from this registrar.
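The pivot those six questions describe is the interesting part, so here it is as an added example over constructed data. This is illustrative code written for this post, not Awake’s EntityIQ or any of its precomputation logic; the registrar names, domains, devices, first-seen dates and activity counts are all invented, and the threshold of 24 activities for “dozens” is an assumption.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date

# Constructed sample data: registrar names, domains, devices and counts below
# are invented for this example; none of them is from the campaign in the post.
TODAY = date(2020, 6, 18)

# Hypothetical WHOIS-style lookup of the sponsoring registrar for each domain.
REGISTRAR = {
    "update-check.rare.test": "RareReg Ltd.",
    "cdn-sync.rare.test": "RareReg Ltd.",
    "metrics.rare.test": "RareReg Ltd.",
    "unused.rare.test": "RareReg Ltd.",  # registered there, never seen on our network
    **{f"app{i}.bigsaas.test": "Big Registrar Inc." for i in range(8)},
}


@dataclass(frozen=True)
class Observation:
    first_seen: date   # first day this device was seen talking to the domain
    device: str
    domain: str
    activities: int    # sessions/requests from this device to the domain so far


OBSERVATIONS = [
    Observation(date(2020, 5, 6), "ws-017", "update-check.rare.test", 38),
    Observation(date(2020, 5, 7), "ws-023", "update-check.rare.test", 35),
    Observation(date(2020, 5, 7), "ws-031", "update-check.rare.test", 33),
    Observation(date(2020, 5, 8), "ws-017", "cdn-sync.rare.test", 41),
    Observation(date(2020, 5, 9), "ws-023", "cdn-sync.rare.test", 40),
    Observation(date(2020, 5, 9), "ws-031", "metrics.rare.test", 2),
    Observation(date(2020, 1, 10), "ws-001", "app0.bigsaas.test", 900),
    Observation(date(2020, 1, 10), "ws-017", "app3.bigsaas.test", 640),
]


def domain_age_days(domain, observations, today):
    """Q1: how long has the domain been in our network? None if never seen."""
    seen = [o.first_seen for o in observations if o.domain == domain]
    return (today - min(seen)).days if seen else None


def registrar_prevalence(registrar_map):
    """Q4: how common is each registrar, by number of domains on record."""
    return Counter(registrar_map.values())


def pivot_on_registrar(domain, registrar_map, observations, min_activity=24):
    """Q2, Q3, Q5, Q6: the domain's registrar, the other devices on this
    domain, the other traffic to that registrar's domains, and the devices
    involved. Domains with at least min_activity activities are flagged as
    likely persistent (dozens of contacts rather than a one-off lookup)."""
    registrar = registrar_map[domain]
    siblings = {d for d, r in registrar_map.items() if r == registrar}
    devices_by_domain = defaultdict(set)
    activity_by_domain = Counter()
    for o in observations:
        if o.domain in siblings:
            devices_by_domain[o.domain].add(o.device)
            activity_by_domain[o.domain] += o.activities
    devices = set().union(*devices_by_domain.values()) if devices_by_domain else set()
    return {
        "registrar": registrar,
        "devices_on_this_domain": sorted(devices_by_domain.get(domain, set())),
        "registrar_domains_seen": sorted(devices_by_domain),
        "devices": sorted(devices),
        "activity_by_domain": dict(activity_by_domain),
        "likely_persistent": sorted(d for d, n in activity_by_domain.items()
                                    if n >= min_activity),
    }


if __name__ == "__main__":
    target = "update-check.rare.test"
    print("age (days):", domain_age_days(target, OBSERVATIONS, TODAY))
    print("registrar prevalence:", registrar_prevalence(REGISTRAR))
    for key, value in pivot_on_registrar(target, REGISTRAR, OBSERVATIONS).items():
        print(f"{key}: {value}")
```

On this data the target domain has been on the network for 43 days (about six weeks), its registrar accounts for only four domains on record against eight for the common one, three devices talk to it, and two of the registrar’s other domains carry dozens of activities and get flagged as likely persistent, while the fourth registered domain never appears in traffic at all. That last case is the practical caveat: the registrar pivot widens the investigation to domains you have seen, but it cannot tell you about ones the attacker has registered and not used yet.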

To make a long story short, the name CommuniGal Communication Ltd. (GalComm) showed up often and, as the world now knows, led us to find that 60% of the domains registered through this registrar are high risk to organizations.

From here, it was not hard to go and identify the entire scope of the campaign, including the malicious extensions found harvesting sensitive data from end-user workstations and exfiltrating it over TLS.

Adversarial modeling helps here too, but hunting for Chrome extensions is a topic for a separate blog post.

Summary

The security industry sometimes overcomplicates the solution. The result is a slew of point solutions, each tackling a different symptom, when what is really there is one convoluted problem that calls for a first-principles approach. In this case, by thinking more fundamentally about the SaaS security problem, we were not only able to help our customers with that, but also to secure their browser environment. This was especially important since browser extensions seem to be a blind spot beyond the reach of endpoint protection and endpoint detection and response tools.

Rudolph Araujo

VP, Marketing