Finding Data Exfiltration During the Cloud App Discovery Process

July 20, 2016 Todd Wilson


Today I started a Netskope Cloud Risk Assessment for one of my customers, and guess what I found? Data exfiltration activity from compromised network attached storage (NAS) devices communicating with servers in Australia via cloud-based file-sharing services.

Ten years ago, if you told me I would be finding and troubleshooting cloud malware in a customer’s network I would have called you crazy. Ten years ago I was a sales engineer for a managed service firm helping customers solve their network growth issues. Our key security products were firewalls, server-based anti-virus, and the very beginning of what today we call a security information and event management system (SIEM). Back then, malware was not a hip term and most customers were barely blocking viruses.

What is malware? The term is a short form of “malicious software.” Malware can be one of many types of software: viruses, trojans, worms, ransomware, and spyware are all malware players. Malware is primarily used to gain information or monetary benefit for the malware creator. We have now seen many times in the news that enterprises are being infected with ransomware, in which the malware delivers a payload that encrypts users’ files, and the user or enterprise must pay a ransom in an unmarked currency like Bitcoin to have the files unencrypted.

Netskope has found multiple ways in which hackers are using popular cloud services like Office 365 OneDrive for Business and Google Drive to infect users, propagate malicious files, send command and control instructions, and exfiltrate data. This occurrence is another new way hackers are using cloud sharing to pass sensitive traffic back and forth under the customer’s radar.

In the Cloud Risk Assessment, we reviewed and provided a detailed risk report for all of the apps the customer was using in their environment. Often, we find that while a customer’s IT organization has sanctioned one or two apps, the organization’s user base is using hundreds more, including dozens within the same category as a sanctioned app. For this specific customer, their sanctioned storage apps are Office 365 OneDrive for Business and Egnyte. All other cloud apps should have been blocked.

In preparation for the assessment, I started researching the customer’s usage and noticed a new app I had not seen before called Ryushare. Growing up in the 80s, I am a big fan of Street Fighter, and thought it pretty cool that someone named their file sharing program after the Capcom protagonist! After further investigation, and at the time of writing this blog, the IP address associated with Ryushare is not used for that app; it has actually been used for a number of additional apps, listed at the end of this post.

After seeing multiple connections to this file sharing service via the Netskope Active Platform, I figured I should acquaint myself with the app, as we might see this in other customers. Surprisingly, no one else had seen this app in other enterprises, so I took the next step and sent it to our newly-formed Netskope Threat Research Lab. The team started digging into the app and found it was a free app with some premium services. This is pretty standard for a file sharing, or as we call it, Cloud Storage app. With our customer’s permission, the team dug a bit deeper and found that this same network connection was also launching an anonymous VPN service called gratisvpn to transfer traffic. THIS was the huge red flag! First, we noticed that the service was checking in with the Cloud Storage app every day at the same time. Second, we realized that the service was ALSO launching a VPN to hide the traffic that it was transmitting each time. Upon researching the IP address for this VPN service, we noticed that it terminated to a server in Australia! We discussed this with the customer, and learned that they have NO business in Australia and that NO data should be moving out of the United States at all!

After sharing this with the customer, they shared their concerns about these transactions, and further confirmed that the originating IP addresses were not part of their traditional user range. Upon further examination, it turned out that the IPs were associated with three NAS devices, and that all three showed signs of infection. The customer decided to format all of the drives to remediate the potential infection, and will, from here on out, monitor the organization’s outbound connections using the Netskope cloud access security broker to ensure no more leave the United States. While the customer took that approach, our recommendation to them would have been to replace the drives while keeping the old drives for forensic purposes. If their data is indeed found later in the wild or mentioned by a malicious actor, they would have been able to validate the claims. 
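The three signals from this investigation (a check-in with an unsanctioned app at the same time every day, a source address outside the user range, and a destination outside the United States) can be combined into one check over connection records. The following is an added example, not Netskope's code or part of the original post; the comma-separated record format, the `10.10.0.0/16` user range, the thresholds, and the sample records are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

SANCTIONED = {"Office 365 OneDrive for Business", "Egnyte"}  # sanctioned apps named in the post
USER_NET = ipaddress.ip_network("10.10.0.0/16")   # assumed user address range
ALLOWED_COUNTRIES = {"US"}                        # policy described in the post
MIN_DAYS, MAX_SPREAD_MIN = 3, 5                   # assumed thresholds

# Constructed sample records: timestamp,source IP,app,destination country
SAMPLE_LOG = """\
2016-07-11T02:00:04,10.20.5.11,Ryushare,AU
2016-07-12T02:00:09,10.20.5.11,Ryushare,AU
2016-07-13T02:01:31,10.20.5.11,Ryushare,AU
2016-07-14T02:00:02,10.20.5.11,Ryushare,AU
2016-07-11T09:14:50,10.10.3.40,Dropbox,US
2016-07-12T15:42:10,10.10.3.40,Dropbox,US
2016-07-14T11:03:27,10.10.3.40,Dropbox,US
2016-07-12T10:05:00,10.10.7.22,Egnyte,US
"""

def parse(log):
    for line in log.strip().splitlines():
        ts, src, app, country = line.split(",")
        yield datetime.fromisoformat(ts), src, app, country

def find_suspects(log):
    """Return {(src, app): [reasons]} for unsanctioned apps contacted on a daily schedule."""
    groups = defaultdict(list)
    for ts, src, app, country in parse(log):
        if app not in SANCTIONED:
            groups[(src, app)].append((ts, country))
    findings = {}
    for (src, app), events in groups.items():
        days = {ts.date() for ts, _ in events}
        minutes = [ts.hour * 60 + ts.minute for ts, _ in events]
        # Same time every day: several distinct days, tiny spread in time of day.
        # (A check-in scheduled right at midnight would need circular handling.)
        if len(days) < MIN_DAYS or max(minutes) - min(minutes) > MAX_SPREAD_MIN:
            continue
        reasons = ["daily check-in at a fixed time"]
        if ipaddress.ip_address(src) not in USER_NET:
            reasons.append("source outside user range")
        abroad = sorted({c for _, c in events} - ALLOWED_COUNTRIES)
        if abroad:
            reasons.append("destination outside allowed countries: " + ",".join(abroad))
        findings[(src, app)] = reasons
    return findings
```

On the constructed records, only the `10.20.5.11` / Ryushare pair is reported; the user who reaches an unsanctioned app at irregular times is not, because the schedule test fails.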

I am completely amazed at the power of the product I represent, and excited to see how it can help my customers. The customer is excited about the detailed detection capabilities we provide.

Ten years ago, we would have never considered Cloud Storage, let alone how it could be used to exfiltrate data from an enterprise. Utilizing a defense-in-depth strategy to make sure each attack vector is protected is key. Netskope provides a high level of detail for all transactions across all cloud apps, not just Cloud Storage. Without this detail, our customer would have never known its data were compromised and being sent to Australia. Today, they can sleep easier knowing our CASB solution is blocking future transactions.

Apps that have used the IP address associated with Ryushare:


The post Finding Data Exfiltration During the Cloud App Discovery Process appeared first on Netskope.

