Attackers can abuse some Google App Engine features to dynamically generate an unlimited number of subdomains, which most corporate antivirus products will consider safe.
Google App Engine Problems
Cyber security researcher Marcel Afrahim described a technique for turning the Google App Engine platform into a tool for replicating malicious domains that go unnoticed by most corporate protections.
Google App Engine is a cloud service for developing and hosting web applications on Google's servers. Its infrastructure and routing method make it impossible to block an individual subdomain or web application, which creates a serious security problem.
Attackers often use legitimate cloud services to host malicious applications, command-and-control servers or phishing pages. As BleepingComputer notes, in most cases the generated domains have a URL structure that makes them easy to monitor and block with corporate security tools. For example, a Microsoft Azure web application will have an address such as https://example-subdomain.app123.web.core.windows.net/.
By blocking inbound and outbound requests for that subdomain, an organization can protect itself against attacks from a malicious application hosted on it.
With Google App Engine, however, the situation is different. The standard URL for a subdomain in GAE contains not only the name of an application or service, but also its version, the ID of the project it belongs to, and the ID of the region where the server is located: <version>.<service>.<project>.<region ID>.r.appspot.com.
Most importantly, if the version parameter is specified incorrectly, Google App Engine does not return a 404 (“Page not found”) error but instead sends the user to the application's “default” page, i.e. it performs “soft routing”. The key, according to Afrahim, is that only the project and region identifiers must be specified correctly; the remaining URL components can be essentially anything.
According to Afrahim, this means an attacker can create an arbitrary (unlimited) number of domains, every one of which points to the same potentially malicious application, making it very difficult to block.
Moreover, all these subdomains will be classified as safe: most corporate antivirus products and filters automatically treat the appspot.com domain and all of its subdomains as trusted and do not inspect content coming from them.
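One defensive consequence of this layout, shown here as an added example (not code from the article, from Afrahim or from Google): because only the project and region labels have to be valid, a filter can collapse every soft-routed variant of a hostname to its <project>.<region ID>.r.appspot.com key and block or alert on that key rather than on individual hostnames. Project IDs and hostnames below are constructed; App Engine also accepts "-dot-" in place of "." between the leading labels, and the normalizer handles that form too.

```python
"""Collapse App Engine soft-routed hostnames to one blockable key.

Added example, not from the article. Assumes the hostname layout the
article describes, <version>.<service>.<project>.<region ID>.r.appspot.com,
where only the project and region must be valid. App Engine also accepts
"-dot-" in place of "." between the leading labels, so both are split.
"""
import re
from collections import Counter

# Positional match: whatever precedes the last label before ".r.appspot.com"
# is the version/service/project prefix; that last label is the region ID.
APPSPOT_RE = re.compile(r"^(?P<prefix>.+?)\.(?P<region>[a-z0-9]+)\.r\.appspot\.com$")


def canonical_appspot_key(hostname):
    """Return 'project.region.r.appspot.com' for any soft-routed variant,
    or None when the host is not an App Engine regional hostname."""
    host = hostname.strip().rstrip(".").lower()
    m = APPSPOT_RE.match(host)
    if not m:
        return None
    # Version and service labels may be joined by "." or by "-dot-";
    # the project ID is always the last label of the prefix.
    labels = re.split(r"\.|-dot-", m.group("prefix"))
    project = labels[-1]
    if not project:
        return None
    return f"{project}.{m.group('region')}.r.appspot.com"


def cluster_hosts(hostnames):
    """Count how many distinct observed hostnames collapse onto each key,
    so an analyst sees one project instead of thousands of subdomains."""
    counts = Counter()
    for h in hostnames:
        key = canonical_appspot_key(h)
        if key:
            counts[key] += 1
    return counts


# Constructed sample of hostnames as they might appear in proxy logs.
SAMPLE_HOSTS = [
    "login-dot-mail-dot-example-project.uc.r.appspot.com",
    "v2.support.example-project.uc.r.appspot.com",
    "anything-at-all.example-project.uc.r.appspot.com",
    "example-project.uc.r.appspot.com",
    "other-proj.ew.r.appspot.com",
    "example-subdomain.app123.web.core.windows.net",  # not App Engine
]

if __name__ == "__main__":
    for key, n in cluster_hosts(SAMPLE_HOSTS).items():
        print(f"{n} observed hostname(s) -> block key {key}")
```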
Cybercriminals are already using this
Last week, security expert Yusuke Osumi discovered a phishing page purporting to belong to Microsoft and compiled a list of more than 2,000 appspot.com subdomains that redirect users to that page. The domains were generated by a phishing application.
In the past, Cloudflare's domain generation system worked on a similar principle, which the developers of the Astaroth malware used to bypass any protection.
Now operators of malware hosted on appspot.com can use the service's routing architecture to bypass various forms of protection, including those based on indicators of compromise (IOCs), since the indicators will be different for each domain.
“This is another indication of the need for multilayer protection,” points out Anastasia Melnikova, information security expert at SEC Consult Services. “Corporate firewalls can be useless when it comes to attackers using absolutely legitimate resources with their own architectural features. Though, of course, ideally Google should review its approach to domain generation in App Engine.”