Cisco Cloudlock Provides Proactive Blacklisting for OAuth Malware Recent Attacks Highlight the Problem In the last few months, a variety of high profile cyberattacks have exposed security gaps and raised…

Cisco Cloudlock Provides Proactive Blacklisting for OAuth Malware

David Gormley

Dave Gormley is a CISSP with over 10 years of security experience. He has held various Product Marketing and Product Management positions for BAE Systems, CA and PTC. Dave has worked in start-up environments at Bowstreet and Adesso Systems and was an early member of Forrester Research, helping customers with the evaluation and adoption of new technologies. He went to the University of Texas for an MBA in Marketing/Technology and currently lives in the Boston area.


Recent Attacks Highlight the Problem

In the last few months, a variety of high profile cyberattacks have exposed security gaps and raised concerns about the extent of potential damage from OAuth-related incidents. The recent Google Docs OAuth attack spread quickly and impacted over a million users in just a few hours (OAuth Attack Infographic). When researchers looked at the application and related activities in detail, it was clear that this was a malicious app deceiving users through a phishing campaign and legitimate OAuth workflow. The app was eventually shut down but the reactive and manual nature of the response was part of the problem because it gave this viral malware more time to spread. For more insight into how the attack worked see the Cloudlock OAuth Attack blog post and for a deeper dive into the technical details, see the Cisco TALOS post.

proliferation of oauth cloud apps

A Growing Challenge

Both the overall number of cloud apps and the volume of OAuth-connected apps continue to grow at a rapid pace. When you combine this with the lack of end user understanding about permission authorizations and the recent increase in OAuth attacks, it results in a major security concern for Security and IT leaders.

high risk oauth cloud apps

Prevention, Detection and Response

Protection against the OAuth attack vector is important and Cloudlock can help in this area with a combination of app discovery, user and entity behavior analytics and cloud data protection capabilities.  As with all cybersecurity efforts, preventive measures should be complemented with rapid detection and response capabilities. In most instances, Cisco Cloudlock empowers our customers to make security decisions and invoke policies that are best for their industry, culture and security posture. There are many cases when suspicious activity should be flagged and presented with contextual data to enable an informed decision.  In other more obvious scenarios such as a viral OAuth-based attack, time-to-respond is critical to limit damages. Undetected attacks of this kind can spread very quickly because of the connected nature of OAuth-enabled apps and the broad range of permissions that can be granted. Thus, they require a bolder and more concrete reaction to remediate the threat.

Cisco Cloudlock Blacklisting

The CyberLab organization within Cisco Cloudlock continuously monitors cloud events from millions of users around the globe looking for suspicious activity.  We also have thousands of customer, partner and internal touchpoints that can raise flags or submit suspicious events to the Cloudlock community forum to trigger investigations. While CyberLab researchers target early detection for a wide variety of cloud threats, one of their top focus areas is monitoring OAuth applications for indications of abnormal behavior.  By utilizing raw data from the Cloudlock customer base, incorporating feeds from Cisco Talos and multiple other forms of threat intelligence, they detect emerging threats in the cloud.  In past situations, such as the Google Docs OAuth attack in May, the team quickly recognized the suspicious activity and were able to identify the malicious apps.  They initially sent an alert to all Cloudlock administrators with recommended remediation steps.  Soon after, a stronger “revoke and report” response was invoked for all customers to limit their exposure to this rapidly spreading attack.

Once the dust had settled, we collaborated with companies who were impacted by the attack and they expressed a strong interest in an immediate revoke response when malicious apps have been definitively identified.  With that in mind we have created a more automated blacklisting capability that will immediately revoke access to a problem application and protect customers from further damage. Now, when the CyberLab determines an app as truly malicious, it’s added to the blacklist and our automated response happens in near real-time.  This results in revoking the OAuth token, monitoring to prevent future grants, logging the related events in our web app and notifying administrators.  Ultimately, the streamlined process will reduce response time and thus limit exposure in clear-cut instances of active attacks. This process furthers our goal of providing intelligent cloud enablement without exposing customers to any unnecessary risk to their users or data.

Additional Resources

  • Video: Connected Apps Risk. Provides further information on connected apps and how Cisco Cloudlock can help with OAuth-based attacks.

Interested in learning more about OAuth risk? Try our new OAuth Risk Assessment tool and in less than 60 seconds, uncover potential exposure from your connected 3rd party apps.

Get a Free OAuth Cloud Security Risk Assessment from Cisco Cloudlock

Browser Not Supported

Your browser version is outdated.

We would recommend you upgrade to a recent version to ensure that you have a good experience on the CloudLock site. Outdated browsers also increase your security risk. So please update your browser and come back later!

Click on the icon below to download the latest version of your browser