SAN FRANCISCO — We’re familiar with ransomware that attacks endpoints, databases and networks. But a lesser-known form of ransomware targets cloud and SaaS assets, operates entirely within web browsers, and can evade endpoint protections completely, said Nishant Sharma, a threat researcher at Zscaler, in a presentation at the BSides SF hacker conference here last week (March 22).

“Industry has invested a lot of money in EDR anti-ransomware features. But there’s another vector,” said Sharma. “We’re spending more and more time in the browser. More services move to the browser all the time, most recently LLMs like ChatGPT.”

“Traditional” ransomware attacks your endpoints and makes sure you can’t access your files, Sharma explained. But files and other assets held in cloud services and in SaaS apps may be just as valuable and, because they have less protection, are considerably more vulnerable.

That’s because browsers are the gateway to cloud services, and browsers are under-protected. Attacks on browsers, whatever their intent, often involve identity theft, and theft of credentials, session cookies, and OAuth tokens creates opportunities for ransomware attacks upon SaaS apps and cloud storage.

“Browser attacks are becoming more common,” Sharma said. “Yet browser security is still not there.”

To demonstrate his point, Sharma ran through the steps of a mock ransomware attack leveraging Gmail to target Dropbox.

First, a malicious email lures the victim to a legitimate-looking website that invites the victim to log in using their Google credentials.

When the victim tries to do so, a pop-up from Google warns that the victim has to trust the website and that using Google credentials gives the site permission to “read, compose, send and permanently delete all your email from Gmail.”

That warning might put off some users from logging in, but others would just go ahead and grant the permissions. It may also be the only thing protecting the victim’s files from compromise.

The victim is then redirected to a nice-looking interface. But, as Sharma pointed out, the attacker now can read all of the victim’s email messages and can comb through archived messages to discover which online services the victim has signed up with.

The attacker then tries to log in to the victim’s Dropbox account, forcing a password-reset procedure that sends a reset token to the victim’s Gmail address. If the victim does not have MFA enabled — or if Dropbox sends a one-time passcode to the victim’s Gmail account — then the attacker gains control of the Dropbox account.

As the final stage of the attack, the attacker downloads all the victim’s Dropbox files, deletes or encrypts everything in the Dropbox account, and replaces the files with a ransom note.

“This all happens in the browser,” Sharma said. “The endpoint is not touched. EDR software notices nothing.”

A similar permission-granting technique could be used to get full access to the victim’s Google Drive, or to many other cloud-storage and SaaS services, Sharma said.

This kind of attack is certainly happening already, Sharma said, but it doesn’t make headlines because it’s more effective on consumers than on enterprises, which protect their cloud and SaaS assets more strongly.

In terms of what kinds of mitigation are available, Sharma recommended security solutions that can sit in the browser, or as an intermediary between the browser and the internet. Strong MFA would likely stop some account takeovers, but not in all cases.

Asked whether such attacks could succeed using stolen credentials, or stolen session cookies that can bypass MFA, Sharma replied, “Yes. There are hundreds of vectors.”
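The chain Sharma described turns on one consent grant: an app holding a scope that lets it read the victim's mail also holds the account-recovery path for every service that sends its password-reset mail there, and a Drive-wide scope gives the same app the ransomware target itself. The following Python script is an added example for this article, not code from the talk or from Zscaler. It audits a small inventory of third-party OAuth grants and flags the ones that expose either path. The grant records and the severity scheme are constructed for illustration; the scope URIs are Google's published ones for full Gmail access (the scope whose consent screen reads "read, compose, send and permanently delete all your email"), Gmail modify/read-only access, and full Drive access. A real token export from an admin console will have a different layout, so the loader, not the logic, is what you would adapt.

```python
"""Audit third-party OAuth grants for scopes that expose the recovery path
(mail read) or the data itself (Drive write).

Constructed example: the grant inventory below is made up, the scoring is a
simple heuristic, and only the scope URIs are real Google scope strings.
"""

# Constructed inventory: one record per third-party app holding a grant on
# the mailbox. `verified_publisher` stands in for whatever trust signal the
# identity provider exposes about the app's owner.
SAMPLE_GRANTS = [
    {"app": "Calendar Sync Pro", "verified_publisher": True,
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"app": "Free PDF Merge", "verified_publisher": False,
     "scopes": ["https://mail.google.com/", "openid", "email"]},
    {"app": "Team Backup", "verified_publisher": True,
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"app": "Inbox Digest", "verified_publisher": False,
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
]

# Any scope that lets an app read mail lets it read password-reset tokens and
# one-time passcodes delivered to that mailbox, whatever service sent them.
MAIL_READ_SCOPES = {
    "https://mail.google.com/": "full Gmail access (read, send, permanently delete)",
    "https://www.googleapis.com/auth/gmail.modify": "read, send and modify Gmail",
    "https://www.googleapis.com/auth/gmail.readonly": "read all Gmail",
}

# Drive-wide write access is the cloud-storage equivalent of the Dropbox
# stage of the attack: download, delete or overwrite every file.
DRIVE_WRITE_SCOPES = {
    "https://www.googleapis.com/auth/drive": "see, edit, create and delete all Drive files",
}

SEVERITY_RANK = {"critical": 0, "high": 1, "none": 2}


def assess_grant(grant):
    """Return the app's findings and a severity label.

    Constructed scheme: any mail-read or Drive-write scope is 'high';
    the same scopes held by an unverified publisher are 'critical'.
    """
    findings = []
    for scope in grant["scopes"]:
        if scope in MAIL_READ_SCOPES:
            findings.append(("recovery-path", MAIL_READ_SCOPES[scope]))
        if scope in DRIVE_WRITE_SCOPES:
            findings.append(("data-destruction", DRIVE_WRITE_SCOPES[scope]))

    if not findings:
        severity = "none"
    elif not grant["verified_publisher"]:
        severity = "critical"
    else:
        severity = "high"

    return {"app": grant["app"], "severity": severity, "findings": findings}


def audit(grants):
    """Assess every grant and return the risky ones, worst first."""
    results = [assess_grant(g) for g in grants]
    risky = [r for r in results if r["severity"] != "none"]
    return sorted(risky, key=lambda r: (SEVERITY_RANK[r["severity"]], r["app"]))


if __name__ == "__main__":
    for r in audit(SAMPLE_GRANTS):
        print(f"[{r['severity'].upper():8}] {r['app']}")
        for kind, detail in r["findings"]:
            print(f"           {kind}: {detail}")
```

Run against the constructed inventory, the script lists the PDF-merge and inbox-digest apps as critical (unverified publishers holding mail-read scopes) and the backup app as high (verified, but Drive-wide write). The point of the ordering is the one the talk makes: a mail-read grant is a recovery-path compromise for every other service tied to that address, so it ranks with, not below, direct access to the files.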
