Full Report
[part 3 in a series of 5 video write-ups from our BlackHat 09 talk, summary here]

Goal

Our third video write-up covers abuse of cloud services. By signing up for free accounts it is possible to gain access to small amounts of free resources, specifically processing time and bandwidth. These resources are tightly controlled to maintain fairness across the many thousands of users who share the same platform. We aim to circumvent some of these controls in order to access more resources than should be allowed, and we demonstrate this on the Force.com platform, which lets a developer upload and execute custom code. Our proof-of-concept was to port Nikto into a Force.com application, which we named Sifto.
Analysis Summary
# Tool/Technique: Sifto
## Overview
Sifto is a proof-of-concept tool developed to demonstrate the abuse of free cloud service resources, specifically on the **Force.com platform**. Its main purpose was to circumvent resource control mechanisms to execute prolonged or resource-intensive operations, achieved by porting the vulnerability scanner **Nikto** into a custom application running on Force.com.
## Technical Details
- Type: Tool (Proof-of-Concept Application)
- Platform: Force.com (Salesforce)
- Capabilities: Executing custom Apex code, utilizing platform resources (processing time, bandwidth), making outbound HTTP calls, receiving and processing emails, and automating administrative configuration changes within the Force.com environment.
- First Seen: August 2009 (Based on the publication date of the write-up following the BlackHat 09 presentation).
## MITRE ATT&CK Mapping
The techniques demonstrated cover acquiring and multiplying free cloud tenancy, executing custom code on the platform, relaxing the tenant's outbound-callout control, scanning a target, and using email as both the tasking and the result channel. Nothing here is lateral movement: every action takes place inside accounts the researchers registered themselves.
- **TA0042 - Resource Development**
- T1583.006 - Acquire Infrastructure: Web Services (free Force.com developer accounts used as scanning infrastructure)
- T1585.003 - Establish Accounts: Cloud Accounts (scripted registration of many accounts across instances)
- **TA0043 - Reconnaissance**
- T1595.002 - Active Scanning: Vulnerability Scanning (the Nikto test set run against the target)
- **TA0002 - Execution**
- T1648 - Serverless Execution (Apex code run by the platform in response to inbound email and datastore triggers)
- **TA0005 - Defense Evasion**
- T1562.007 - Impair Defenses: Disable or Modify Cloud Firewall (closest fit for the automated edits to the "Allowed Endpoints" callout allowlist, which is the tenant's egress control)
- **TA0011 - Command and Control**
- T1071.003 - Application Layer Protocol: Mail Protocols (scans tasked by email to a Force.com address)
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel (results returned over the same email channel used for tasking)
## Functionality
### Core Capabilities
* **Resource Abuse:** Exploiting free allowances (processing time and bandwidth) of Force.com accounts.
* **Vulnerability Scanning:** Functioning as a port of the Nikto web scanner, executing nearly 3000 tests against a target server.
* **Initialization:** Scan initiation achieved via sending a specially formatted email to a dedicated Force.com address.
* **Result Exfiltration:** Scan results were returned to the attacker via email.
### Advanced Features
* **Automated Configuration Manipulation:** Outbound HTTP callouts from Apex are only permitted to hosts on the org's "Allowed Endpoints" list, which is normally maintained by hand in the administration interface. Sifto's Apex code drove that interface itself ('auto-browsing') to add each new target domain, removing the manual prerequisite for making outbound HTTP requests.
* **Event Loop Scaling:** A single Apex transaction is bounded by the platform's per-request limits, so the scan was split into a loop: each step of Apex code kicked off the next through datastore triggers and email endpoints, producing a persistent scanning loop that outlives any one request.
* **Account Registration Automation:** Developed external scripts to automate the creation of numerous free Force.com accounts, enabling horizontal scaling by registering accounts across different geographic instances (e.g., NA6, AP1).
* **CAPTCHA Bypass:** Exploited a bug in the CAPTCHA script during automated registration that exposed the image text in ASCII format.
## Indicators of Compromise
Since Sifto is an application ported *into* Force.com, traditional file hashes/names are less relevant unless referring to the underlying Apex code artifacts. The key IOCs relate to the abuse method.
- File Hashes: N/A (Code executed within the platform environment)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators:
- Outbound HTTP requests originating from **Force.com infrastructure IPs** targeting an external victim server (during the scan phase).
- Emails sent to and from a specific **Force.com email address** used as the primary command interface.
- Behavioral Indicators:
- Automated series of administrative actions within a Force.com instance modifying security/whitelist settings (Allowed Endpoints).
- High volume of automated account registrations, potentially originating from a single source, targeting different geographical zones.
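The network indicator above (a burst of probe requests arriving from a cloud platform's egress addresses) can be checked on the victim's own web-server logs. The following is an added example, not code from the SensePost write-up: it parses combined-format access log lines, finds each source IP's densest one-minute window, and flags it when the window holds at least 20 requests of which 70 % or more are 404s, which is what a file-and-directory probe set like Nikto's produces. The egress range `203.0.113.0/24`, the provider name, the thresholds and the sample log lines are all constructed for the example; real Salesforce/Force.com address ranges would have to come from the provider. A Nikto User-Agent is reported only as corroboration, since a port such as Sifto need not keep it.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed egress range standing in for a cloud platform's outbound-callout addresses.
# Real Salesforce/Force.com ranges must come from the provider's published list; this one
# is RFC 5737 documentation space and is an assumption of the example.
CLOUD_EGRESS = {"cloud-platform-example": [ipaddress.ip_network("203.0.113.0/24")]}

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def cloud_provider(ip):
    """Name of the cloud egress range containing `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for name, nets in CLOUD_EGRESS.items():
        if any(addr in net for net in nets):
            return name
    return None

def detect_scans(lines, window=timedelta(seconds=60), min_requests=20, min_404_ratio=0.7):
    """One finding per source IP whose busiest `window` looks like a scanner:
    at least `min_requests` requests, most of them 404s (probing for paths that do not exist)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        # Two-pointer sweep for the densest window of requests from this IP.
        best_count, best_start, best_end = 0, 0, 0
        j = 0
        for i in range(len(recs)):
            j = max(j, i)
            while j < len(recs) and recs[j]["ts"] - recs[i]["ts"] <= window:
                j += 1
            if j - i > best_count:
                best_count, best_start, best_end = j - i, i, j
        if best_count < min_requests:
            continue
        burst = recs[best_start:best_end]
        ratio = sum(r["status"] == 404 for r in burst) / best_count
        if ratio < min_404_ratio:
            continue
        findings.append({
            "ip": ip,
            "cloud_provider": cloud_provider(ip),      # None for non-cloud sources
            "requests_in_window": best_count,
            "not_found_ratio": round(ratio, 3),
            # Nikto's stock User-Agent names itself; a port may or may not keep it,
            # so this is corroboration rather than the trigger.
            "nikto_user_agent": any("nikto" in r["ua"].lower() for r in burst),
        })
    return findings

# Constructed sample: 26 requests in 26 seconds from the "cloud" range, mostly probes
# for paths that do not exist, plus a benign visitor from an unrelated address.
PROBE_PATHS = ["/", "/index.html", "/cgi-bin/test-cgi", "/cgi-bin/printenv", "/admin/",
    "/administrator/", "/phpinfo.php", "/server-status", "/server-info", "/backup.zip",
    "/.svn/entries", "/.git/HEAD", "/manager/html", "/console/", "/phpmyadmin/",
    "/wp-login.php", "/xmlrpc.php", "/cgi-bin/php", "/scripts/", "/_vti_bin/",
    "/iisadmin/", "/README", "/INSTALL", "/test.php", "/old/", "/tmp/"]

def build_sample_log():
    base = datetime(2009, 8, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i, path in enumerate(PROBE_PATHS):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        status = 200 if path in ("/", "/index.html") else 404
        lines.append(f'203.0.113.7 - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.00 (Nikto/2.03)"')
    for i in range(5):
        ts = (base + timedelta(seconds=10 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.5 - - [{ts}] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"')
    return lines

if __name__ == "__main__":
    for finding in detect_scans(build_sample_log()):
        print(finding)
```

On the constructed log the cloud-range source is reported with 26 requests and a 404 ratio of 0.923; the benign visitor never reaches the request threshold. The densest-window approach matters because a scan driven by chained platform transactions arrives in bursts rather than as a steady stream, so a per-minute average over the whole log would understate it.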
## Associated Threat Actors
* This POC was developed and demonstrated by SensePost researchers (as part of their BlackHat 2009 presentation).
* No specific established threat group was explicitly associated with the Sifto tool in the provided context as it was a research demonstration.
## Detection Methods
* **Signature-based detection:** Difficult, as the attack relies on native, legitimate functionality (Apex code, API calls, email infrastructure) of the Force.com platform.
* **Behavioral detection:** Monitoring for unusual administrative activities within Force.com developer accounts, such as automated modification of HTTP callout whitelist settings, especially shortly after account creation. Detecting excessive, automated account registration attempts.
* **YARA rules:** Not applicable for server-side cloud application abuse unless the Apex source code itself is obtained.
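The two platform-side behavioural indicators (automated edits to a new org's callout allowlist, and bursts of account registrations from one source across instances) are straightforward to express as checks over audit records. The block below is an added example and not code from the write-up or from Salesforce: the event tuples, action names such as `remote_site_added`, the instance labels and the thresholds are all constructed for illustration and do not reproduce any real Salesforce audit-log schema. The first check flags an org that adds three or more allowlist entries within an hour of creation and reports whether the additions are machine-paced; the second buckets registrations per source IP into ten-minute windows.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def ts(s):
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed tenant-side audit events: (time, org_id, action). The action names are this
# example's own and do not reproduce a real Salesforce Setup Audit Trail schema.
AUDIT_EVENTS = [
    (ts("2009-08-01T10:00:00"), "org-A", "org_created"),
    (ts("2009-08-01T10:02:10"), "org-A", "remote_site_added"),
    (ts("2009-08-01T10:02:11"), "org-A", "remote_site_added"),
    (ts("2009-08-01T10:02:12"), "org-A", "remote_site_added"),
    (ts("2009-08-01T10:02:13"), "org-A", "remote_site_added"),
    (ts("2009-08-01T09:00:00"), "org-B", "org_created"),
    (ts("2009-08-03T15:30:00"), "org-B", "remote_site_added"),  # one manual add, days later
]

# Constructed registration records: (time, source_ip, instance).
SIGNUPS = [
    (ts("2009-08-01T10:01:00"), "198.51.100.23", "NA6"),
    (ts("2009-08-01T10:02:00"), "198.51.100.23", "AP1"),
    (ts("2009-08-01T10:03:00"), "198.51.100.23", "NA6"),
    (ts("2009-08-01T10:04:00"), "198.51.100.23", "AP1"),
    (ts("2009-08-01T10:05:00"), "198.51.100.23", "NA6"),
    (ts("2009-08-01T10:06:00"), "198.51.100.23", "AP1"),
    (ts("2009-08-01T10:04:30"), "192.0.2.44", "NA6"),
]

def flag_allowlist_automation(events, grace=timedelta(hours=1), min_adds=3,
                              max_gap=timedelta(seconds=2)):
    """Flag orgs that add several callout-allowlist entries soon after creation and note
    whether the additions are machine-paced (every gap between adds is at most `max_gap`)."""
    by_org = defaultdict(list)
    for when, org, action in events:
        by_org[org].append((when, action))
    findings = []
    for org, evs in by_org.items():
        evs.sort()
        created = next((when for when, action in evs if action == "org_created"), None)
        if created is None:
            continue
        adds = [when for when, action in evs
                if action == "remote_site_added" and timedelta(0) <= when - created <= grace]
        if len(adds) < min_adds:
            continue
        gaps = [later - earlier for earlier, later in zip(adds, adds[1:])]
        findings.append({
            "org": org,
            "adds_within_grace": len(adds),
            "seconds_after_creation": int((adds[0] - created).total_seconds()),
            "machine_paced": max(gaps) <= max_gap,
        })
    return findings

def flag_signup_bursts(signups, bucket=timedelta(minutes=10), min_signups=5):
    """Flag source IPs that register `min_signups` or more accounts inside one `bucket`,
    reporting which geographic instances the registrations were spread across."""
    per_bucket = defaultdict(list)
    for when, ip, instance in signups:
        key = (ip, int(when.timestamp() // bucket.total_seconds()))
        per_bucket[key].append(instance)
    return [{"source_ip": ip, "signups": len(instances), "instances": sorted(set(instances))}
            for (ip, _), instances in per_bucket.items() if len(instances) >= min_signups]

if __name__ == "__main__":
    print(flag_allowlist_automation(AUDIT_EVENTS))
    print(flag_signup_bursts(SIGNUPS))
```

On the constructed data, org-A is flagged (four additions starting 130 seconds after creation, one second apart) while org-B's single manual addition days later is not, and the one source that registers six accounts across NA6 and AP1 inside ten minutes is reported. Spreading registrations across instances is exactly the horizontal-scaling trick described above, so a check that is keyed per instance would miss it; keying on the source address across all instances is what catches it.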
## Mitigation Strategies
* **Platform Hardening (Salesforce/Force.com):** Because the attacker owns the tenant, the control has to sit with the platform operator rather than the org administrator: changes to the callout allowlist (Allowed Endpoints) should require an interactive administrator session with anti-automation checks rather than being reachable by scripted browsing from Apex code, and every addition should be logged for review.
* **Limit Automation:** Implement measures to detect and block high-frequency, automated account creation attempts, particularly those attempting to bypass CAPTCHA mechanisms.
* **Resource Monitoring:** Implement stricter monitoring on resource usage per developer account to identify activities that attempt to scale far beyond typical use cases (e.g., prolonged event loop iterations or excessive external HTTP callouts).
## Related Tools/Techniques
* **Nikto:** The base scanning tool ported into the Sifto application.
* **Cloud Resource Abuse/Cloud-Native Threats:** Techniques involving leveraging free tiers, trial accounts, or legitimate developer environments (like AWS Lambda, Google Cloud Functions) for running malicious workloads.