Gabagool Leveraging Cloudflare’s R2 Storage Service To Bypass Security Filters


A sophisticated phishing campaign dubbed “Gabagool” that targets corporate and government employees has been uncovered recently by the TRAC Labs team.

This campaign exploits Cloudflare’s R2 storage service to host malicious content, leveraging Cloudflare’s trusted reputation to evade security filters.


The attack begins with compromised mailboxes sending phishing emails to other employees. These emails contain an image disguised as a document, with an embedded malicious link behind a shortened URL.

When clicked, users are redirected through a chain of file-sharing platforms before landing on a Cloudflare R2 bucket page.

TRAC Labs researchers discovered that the phishing landing page is hosted on a Cloudflare R2 bucket with the URL format pub-{32 hexadecimal characters}.r2.dev/{html_filename}.html.

This setup allows attackers to bypass security measures by utilizing Cloudflare’s trusted infrastructure.


Technical Analysis

Gabagool employs various methods to detect and evade bot activity:

  1. Webdriver checks
  2. Mouse movement detection
  3. Cookie tests
  4. Rapid interaction detection

If bot activity is suspected, the user is redirected to a legitimate domain. Otherwise, the phishing page is loaded after a 2-second delay.

Infection chain (Source – Medium)

The phishing page uses AES encryption to protect its server address. It captures user credentials and sends them to the attacker’s server (o365.alnassers.net) for harvesting.

Gabagool can handle various multi-factor authentication (MFA) methods, including:

  1. PhoneAppNotification
  2. PhoneAppOTP
  3. OneWaySMS
  4. TwoWayVoiceMobile
  5. TwoWayVoiceOffice

This capability allows the attackers to potentially bypass MFA protections.

To detect Gabagool attacks, security teams should:

  1. Monitor for unusual connections to Cloudflare R2 buckets
  2. Watch for traffic to known malicious servers like o365.alnassers.net
  3. Review network traffic data sent to suspicious servers
  4. Utilize public URLScan queries to identify potential threats
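The first two detection steps can be turned into a simple log check. The following is an added example, not code from TRAC Labs or the article; it matches the pub-{32 hex}.r2.dev/{name}.html landing-page format and the o365.alnassers.net server named above against a constructed proxy log (the log format and sample lines are assumptions).

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Landing-page URL format reported by TRAC Labs:
# pub-{32 hexadecimal characters}.r2.dev/{html_filename}.html
R2_PUB_HOST = re.compile(r"^pub-[0-9a-f]{32}\.r2\.dev$")
TOP_LEVEL_HTML = re.compile(r"^/[^/]+\.html$", re.IGNORECASE)

# Harvesting server named in the report
KNOWN_BAD_HOSTS = {"o365.alnassers.net"}


def classify_url(url: str) -> Optional[str]:
    """Return a detection label for a URL, or None if no rule matches."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()   # hostname is already lowercased by urlparse
    if host in KNOWN_BAD_HOSTS:
        return "known-gabagool-harvesting-server"
    if R2_PUB_HOST.match(host) and TOP_LEVEL_HTML.match(parsed.path):
        return "r2-public-bucket-html-landing-page"
    return None


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client_ip, url, label) for every line that hits a rule.
    Assumed (constructed) line format: '<ts> <client_ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue                     # skip malformed lines rather than fail
        ts, client, _method, url, _status = fields[:5]
        label = classify_url(url)
        if label:
            hits.append((ts, client, url, label))
    return hits


# Constructed sample proxy log (not real traffic; bucket id is a placeholder)
SAMPLE_LOG = [
    "2024-11-12T09:01:02Z 10.0.0.21 GET https://pub-0123456789abcdef0123456789abcdef.r2.dev/login.html 200",
    "2024-11-12T09:01:05Z 10.0.0.21 POST https://o365.alnassers.net/api/auth 200",
    "2024-11-12T09:02:10Z 10.0.0.33 GET https://pub-0123456789abcdef0123456789abcdef.r2.dev/photo.png 200",
    "2024-11-12T09:03:00Z 10.0.0.40 GET https://example.com/login.html 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(*hit)
```

Legitimate sites also serve content from public r2.dev buckets, so the R2 rule is a triage signal to be correlated with the shortened-URL and file-sharing redirect chain described above, not a block rule on its own.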

Besides this, the researchers urged organizations to remain vigilant and adapt their security measures to protect against sophisticated campaigns like Gabagool.
