March 1, 2019 | by Aquion
If you are like many of Aquion’s customers, you are using multiple cloud vendors and therefore need to make sure that your security obligations are met across all cloud instances, configuration management being the most important of these.
Netskope, the Gartner Market leader in CASB, has extended its Continuous Security Assessment from AWS and Azure to include Google Cloud.
Recent data breaches involving data held on cloud platforms have proven that the primary source of these breaches is misconfiguration that leads to the inadvertent exposure of data to the internet.
Netskope’s continuous security assessment monitors and audits GCP configurations and uses the CIS benchmark and GCP best practices to identify misconfigurations and provide guided remediation steps. The result is that you improve your security posture and ensure compliance, ultimately helping you mitigate the risk of data loss caused by misconfigurations.
Built on the Netskope Security Cloud, Netskope for Google Cloud Platform is part of a holistic cloud security solution that takes a one cloud approach to provide visibility, control, and protection for SaaS, IaaS/PaaS, and web. From identifying configuration drift with out-of-the-box best practices and configuration checks to compliance reporting and continuous discovery and inventory of cloud resources, Netskope provides customers with robust protection across their public cloud environments. Get the security needed to keep sensitive data safe while experiencing the benefits that cloud computing offers.
On another note of interest to GCP users, Netskope Threat Research Labs recently detected several targeted themed attacks across 42 customer instances, mostly in the banking and finance sector. The threat actors involved in these attacks used Google App Engine on the Google Cloud Platform (GCP) to deliver malware via PDF decoys. After further research, Netskope confirmed evidence of these attacks targeting governments and financial firms worldwide. Several decoys were likely related to an infamous threat actor group named ‘Cobalt Strike’.
The attacks were carried out by abusing GCP URL redirection in PDF decoys to redirect the victim to the malicious URL hosting the payload. This targeted attack is more convincing than traditional attacks because the host in the URL the victim sees is Google App Engine, which makes the victim believe the file is delivered from a trusted source like Google.
Research initially started with the discovery of GCP URL abuse triggering detections across 42 customers in the banking and finance sector. Netskope in-house systems and Netskope Threat Intelligence Framework connected the dots and seamlessly aided in tying the attacks to the infamous ‘Cobalt Strike’ threat actor group.
URL redirection mechanisms/features are widely used and abused by threat actors to deceive victims into believing the malicious file is being delivered from a trusted source. The usage of themed PDF decoys with enticing emails is a perfect choice since the payload seems to be originating from a trusted source and popular PDF viewers enable users to easily whitelist domains.
Users can recognize URL redirection abuse by hovering the mouse over all hyperlinks before connecting to the URL. Enterprises should educate their users to recognize AWS, Azure, and GCP URLs, so they can discern malicious sites from official sites.
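The hover check described above can also be automated over links extracted from PDFs or e-mail. The following is an added example, not Netskope's or Aquion's code: it flags links whose host is a trusted cloud domain but whose query string carries an absolute URL pointing somewhere else. The domain list, function names and sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: illustrative list of cloud domains that users tend to trust.
TRUSTED_SUFFIXES = ("google.com", "appspot.com", "amazonaws.com", "azurewebsites.net")

def host_is_trusted(host, suffixes=TRUSTED_SUFFIXES):
    """True if host equals a trusted suffix or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def embedded_targets(url):
    """Yield hosts of absolute http(s) URLs carried in the query string."""
    for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # parse_qsl decodes once; decode once more to catch double encoding.
        for candidate in (value, unquote(value)):
            parts = urlsplit(candidate.strip())
            if parts.scheme in ("http", "https") and parts.hostname:
                yield parts.hostname.lower()
                break

def flag_redirect_abuse(urls):
    """Return (url, target_host) for trusted-host links that forward elsewhere."""
    findings = []
    for url in urls:
        if not host_is_trusted(urlsplit(url).hostname):
            continue  # lookalike or unknown hosts are a separate check
        for target in embedded_targets(url):
            if not host_is_trusted(target):
                findings.append((url, target))
    return findings

# Constructed sample links, as they might be extracted from a PDF or e-mail.
SAMPLE_LINKS = [
    "https://demo-project.appspot.com/go?next=https%3A%2F%2Ffiles.example.net%2Fdoc",
    "https://demo-project.appspot.com/go?next=https%253A%252F%252Fcdn.example.org%252Fx",
    "https://demo-project.appspot.com/go?next=https%3A%2F%2Faccounts.google.com%2F",
    "https://demo-project.appspot.com/report?id=42",
    "https://files.example.net/doc",
    "https://appspot.com.example.net/go?next=https%3A%2F%2Ffiles.example.net%2F",
]

if __name__ == "__main__":
    for url, target in flag_redirect_abuse(SAMPLE_LINKS):
        print(f"{target:20} <- {url}")
```

Only the first two sample links are reported: the third forwards to another trusted domain, and the last has a lookalike host that never matches the trusted list in the first place.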
Netskope Advanced Threat Protection, with its unique cloud vantage point and multi-layered threat detection and remediation capabilities, offers customers a cloud-scale platform that understands and responds to such attacks, preventing them from spreading in your cloud environments.
Contact Aquion if you would like more information.