Popular cloud-based file-sharing service Dropbox wants to be all things to all people, with big plans to share application metadata — game saves, settings preferences and so forth — as well as raw files across devices and platforms.But when Dropbox CEO Drew Houston announced last week that Dropbox intends to “replace the hard drive,” he probably didn’t expect Chinese hackers to take him up on it so quickly.
Comment Crew, the same Chinese cyberespionage team thought to be behind the recent attack on The New York Times, has been using publicly shared Dropbox folders to spread malware, reports Arlington, Va., digital-security firm Cyber Squared.
“The attackers have simply registered for a free Dropbox account, uploaded the malicious content and then publicly shared it with their targeted users,” a Cyber Squared blog postingexplained last week.
For malicious hackers, Dropbox is an attractive malware distribution platform because it’s widely used in the corporate environment and is unlikely to be blocked by IT security teams.
In this way, Cyber Squared wrote, “the attackers could mask themselves behind the trusted Dropbox brand, increasing credibility and the likelihood of victim interaction with the malicious file from either personal or corporate Dropbox users.”
When a Dropbox file is publicly shared, the persons with whom it’s shared receive emails from Dropbox informing them of the share, along with a link to the file on the Dropbox website.
In the attack Cyber Squared examined, normal procedure was followed, but the shared file was an infected Word document of interest to China’s neighbors, indicating a “spear phishing” attack.
The Word document concerned commercial relations between the United States and the 10 members of the Association of Southeast Asian Nations, nine of which ring the South China Sea.
Embedded in the Word document was what seemed to be a PDF file on the same topic, but which was really malware exploiting a hole in Adobe Flash Player.
The malware copied itself to the targeted user’s hard drive, then reached out for instructions to a WordPress blog, which itself appeared to be a boring recitation of Asian trade statistics.
But seemingly decorative strings of text nestled among the postings on the WordPress blog were full of meaning.
For example, the strings “@@@@@@126.96.36.199@@@@@@” or “######443######” may not look like much to the untrained eye.
The first string includes an Internet Protocol address, which computers use to find websites; the second string references port 443, which the Internet Protocol sets aside for encrypted Web connections.
The WordPress blog was thus telling the malware where to go for further instructions and which port to connect on. (The URL in the example above is TechNewsDaily’s own.)
Cyber Squared didn’t wait to see what would happen after the malware received its instructions. Previous Comment Crew attacks have included mass penetration of organizational network, theft of intellectual property and other data and installation of spyware to keep track of a targeted user’s online activities and communications.