Hackers Abusing Glitch Platform to Steal CredentialsAttacks on Free Version Are Reportedly Able to Bypass Any Defensive Tooling
Researchers have uncovered an ongoing spear-phishing campaign using short-lived Glitch apps that host credential-harvesting URLs while evading detection.
The researchers say that the phishing campaign started in July 2021 and is ongoing. Glitch is a cloud-based hosting solution that provides a tool for creating websites and full-stack apps, supported by creators ranging from brand-new coders to expert developers.
"The targets of the spear-phishing campaign are employees at major corporations with what appear to be an emphasis on employees operating in the Middle East. Upon further pivoting, this looks to be just a single campaign in a long line of similar, SharePoint-themed phishing attempts," says Chad Anderson, senior security researcher at DomainTools and author of the post.
Vulnerabilities Are Trade-Off for Ease of Use
A spokesperson for Glitch tell Information Security Media Group that it has been working proactively on this issue for years, and it has been successful in bringing the overall potential risks down to a very small number, with the help of partners in the ecosystem who work on reporting trust and security issues.
"We’re blocking the vast majority of potentially harmful apps before they’re even exploitable in the ecosystem. These vulnerabilities arise as a trade-off with our choice to make app creation extremely easy on Glitch; we do this specifically because that easy access is particularly valuable to audiences like students in classrooms, whom we are committed to serving," the spokesperson tells ISMG.
Nonetheless, the platform will likely be held responsible by many. "It’s particularly challenging for developers to keep on top of identifying bad actors and throwing them off the platform, but it’s essential if the platform is to remain trusted," Alan Calder, CEO of GRC International Group, a global provider of IT governance, risk management and compliance solutions, tells ISMG. He adds, "Virtually any trusted service that enables (free) sharing of content is likely to be exploited by cybercriminals."
While monitoring and hunting for malicious documents tied to previous campaigns, the researchers found a PDF document purporting to be an invoice. The PDF did not contain any malicious content, but it had a URL that linked to an outside page.
"This would normally be uninteresting except that an email address was appended to the URL as a fragment. Fragments in URLs are the part after an octothorpe (hash symbol) and typically reference an 'id' element on an HTML page, but that can be manipulated using CSS," Anderson says in the post. "What made this intriguing was that the email address belonged to a legitimate employee at a corporation based in the United Arab Emirates."
Suspecting a spear-phishing campaign, the researchers quickly uncovered 70 similar documents dating back to July 30, 2021, all with email addresses of actual individuals working at large corporations.
"Each document contained a different URL and email address of the target individual, making each unique. Though each URL and email was one of a kind, the documents themselves did link to the same named page each time: red.htm," Anderson notes.
This free version of Glitch's product allows an app to operate for five minutes exposed to the global internet with a Glitch-provided hostname using three random words, he says.
"Spaces where code can run and be hosted for free are a gold mine for attackers, especially considering many of the base domains are implicitly trusted by the blocklists corporations ingest. This delegation of trust allows attackers to use a seemingly innocuous PDF with only a link to a trusted base domain to maneuver past defenses and lure in user trust."
Ability to Bypass Any Defensive Tooling
The researchers say that by combining this method with captured credentials to compromised WordPress sites, the hackers have built an attack chain that can sneak past any defensive tooling.
"For example, one document directed the recipient to hammerhead-resilient-birch.glitch[.]me where the malicious content was stored. Once the five minutes is up, the account behind the page has to click to serve their page again," Anderson notes. "This ephemeral nature makes Glitch shared spaces perfect for serving up malicious content, especially because Glitch’s domains are trusted and often allow (being) listed on many networks already."
The blog post says the DomainTools Research team contacted Glitch about this issue, but it had not yet heard from the company by the time it published its report.
A Glitch spokesperson, however, tells ISMG that the organization has invested a lot in responding quickly to issues as they’re reported to them, and its mean time to resolution has dropped even as its usage has grown.
The focus of any expenditure should be people, suggests Javvad Malik, lead security awareness advocate at security firm KnowBe4, who says it's a reminder of the limits to what tools can achieve and that not everything can be protected with a tool. Malik says, "[That] is why it's equally important to educate, train and raise awareness among employees of these kinds of threats. People are far better equipped at spotting and reporting such attacks which evade security tools - as long as they have been taught how to. So despite the technologies in place, organizations should always continue to invest in their people."
Malik describes this latest tactic to use the Glitch platform as a particularly clever technique to evade detection by security tools because: "The phishing email sent to the user contains no malware, the link going to Glitch is deemed safe by most security products, and the short-lived URLs means that there isn't anything to blacklist."
“This is neither a new nor an unexpected tactic being used by threat actors. Reputable, public and enterprise-used platforms like Glitch have been a tactic used by actors hosting their tools or phishing sites for a long time," says Zeki Turedi, CTO EMEA at cybersecurity firm CrowdStrike. "As they are typically already used and trusted within an enterprise organization, it makes it easier for the threat actor to hide in plain sight."
Due to their ephemeral nature, however, the phishing pages uncovered by the researchers contained a live page serving up a next-stage payload.
The researchers note that "a number of tools exist that help to hunt in this case. The first was URLScan, where one can search through all of the scanned sites over the last month. While there were dozens of other URLs which led to new documents, this unfortunately just showed that many others were coming across the same issue of deactivated pages."
While examining other OSINT sources, the researchers also uncovered a live site on the Any.Run service, an interactive malware hunting service provider, which can be used to hunt for specific interactions from malicious code.
The finding in this malware-hunting provider did not contain the next-stage payload, but it contained a screenshot of the Microsoft SharePoint phishing login being used to lure the victim.
"While the page content was not available, DomainTools Research did take note of the document name as well as the redirect to 'in.htm' as the next page after the 'red.htm' page in the initial PDF document. Searching for this document name on VirusTotal, the DomainTools Research was able to locate a number of matching HTML documents that tied to previous PDFs."
Anderson said this was possible due to the email addresses that prepopulated on the page, as the initial PDF documents were designed to pass the email of the target along as a URL fragment.
"We have seen similar activities with the likes of GitHub and GeoCities, many years ago. This is why it is important that organizations are not just focusing on trying to identify suspicious activity in their organization from a network level - but actually gathering the fine details from the endpoint device or workload, etc.,” Turedi notes.