Cybercriminals abuse Googlebot servers to deliver malicious payloads in new campaign
Last year, a malware campaign used Google AdWords and Google Sites to spread malware. Later, further research revealed how hackers exploited Google’s search results to distribute the Zeus Panda banking Trojan.
Now, digital forensics experts have identified unusual behavior on Googlebot servers: malicious requests originating from them. This has serious consequences, because many vendors trust Googlebot to such an extent that they let it influence their organizational security decisions.
The remote code execution vulnerability in Apache Struts 2 (CVE-2018-11776), identified in August of this year, allowed a JavaPayload to be delivered through the URL; digital forensics experts noted that the campaign known as CroniX exploited this flaw to deploy cryptocurrency mining malware. The same malicious actor also abused the Googlebot service: the researchers noted that some of the offensive requests generated in the CroniX campaign actually originated from Google’s servers.
It should be noted that a site owner has no choice but to trust Googlebot if the site is to appear in Google search results. Most providers therefore simply assume that traffic arriving from Googlebot servers is legitimate. This means that malicious requests originating from Googlebot’s servers bypassed some key security mechanisms without any authentication and could end up delivering malicious payloads. Conversely, if an organization’s mitigation mechanism automatically blocks these IP addresses, Googlebot itself will be blocked, and the organization’s ranking in Google search results would drop.
To understand why, consider how Googlebot works: it follows each link on a site, and then the links on those pages, allowing Google to add previously unknown pages to its search database. This also lets Google analyze new websites before making them available to users. In practice, this means sending a GET request to each URL found in the links. The requests Googlebot generates are therefore based on links over which Google has no control, and those links are never validated.
A hacker can easily exploit this method by tricking Googlebot into sending malicious requests to arbitrary victims: the attacker adds such links to a website, each containing the destination address and the payload.
When Googlebot finds the malicious link, it follows it and sends a malicious GET request to the destination address, carrying the payload. The researchers verified the method by manipulating Googlebot into sending malicious requests to an IP address under their control, using two servers: one for the attacker and another for the target.
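The practical lesson of the mechanism described above is that a request's source being Googlebot says nothing about the URL it carries, since that URL came from a link the attacker planted. The following is an added example, not code from the article, the researchers or Google, showing the two defender-side pieces this implies: verifying a claimed Googlebot by reverse-then-forward DNS (the check Google documents for its crawler), and running every request through the site's inspection rules before any crawler exemption, so that a verified crawler relaying a bad link has its request dropped and logged rather than its IP blocked. The DNS data, IP addresses, route table and user-agent handling are all constructed for the demo; the `inspect` rule set is an illustrative stand-in for whatever the organization's real WAF applies.

```python
"""Added example (written for this page, not code from the article or any vendor).

verify_googlebot(): reverse DNS, then forward DNS, Google's documented check for
telling real Googlebot from something merely claiming to be it.
decide(): inspect every request, crawler or not; when a *verified* crawler relays
a bad link, reject that request and log it instead of blocking the IP.
DNS lookups are injected as callables so the block runs offline on constructed
data; a deployment would pass wrappers around socket.gethostbyaddr/getaddrinfo.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

# Domains Google publishes for its crawler's reverse-DNS names.
GOOGLE_CRAWLER_DOMAINS = ("googlebot.com", "google.com")


def under_domain(host: str, domains: Tuple[str, ...]) -> bool:
    """Label-boundary suffix match: 'a.googlebot.com' yes, 'evilgooglebot.com' no."""
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def verify_googlebot(ip: str, reverse_lookup: Callable[[str], str],
                     forward_lookup: Callable[[str], List[str]]) -> bool:
    """True only if ip's PTR is under a Google crawler domain AND that name resolves
    back to ip; a spoofed PTR alone is not enough."""
    try:
        host = reverse_lookup(ip)
    except LookupError:
        return False
    if not under_domain(host, GOOGLE_CRAWLER_DOMAINS):
        return False
    try:
        return ip in forward_lookup(host)
    except LookupError:
        return False


class Decision(Enum):
    ALLOW = "allow"
    DROP_AND_LOG = "drop-request-and-log"  # reject this request, keep the source reachable
    BLOCK_IP = "block-source-ip"


@dataclass
class Request:
    src_ip: str
    user_agent: str
    url: str


@dataclass
class Policy:
    known_route_prefixes: Tuple[str, ...]  # illustrative stand-in for real WAF rules
    max_url_len: int = 2048


def inspect(req: Request, policy: Policy) -> bool:
    """Illustrative inspection: flag over-long URLs and paths outside the route table.
    Whatever the real rule set is, it runs before any crawler exemption."""
    if len(req.url) > policy.max_url_len:
        return True
    path = urlsplit(req.url).path or "/"
    if path == "/":
        return False
    return not any(path.startswith(p) for p in policy.known_route_prefixes)


def decide(req: Request, policy: Policy, reverse_lookup: Callable[[str], str],
           forward_lookup: Callable[[str], List[str]]) -> Decision:
    if not inspect(req, policy):
        return Decision.ALLOW
    if "Googlebot" in req.user_agent and verify_googlebot(req.src_ip, reverse_lookup, forward_lookup):
        # Real Googlebot relaying an attacker-planted link: the bad content is in the
        # URL it fetched, so drop the request but do not block the crawler itself.
        return Decision.DROP_AND_LOG
    return Decision.BLOCK_IP  # anyone else, including a fake "Googlebot", gets the normal response


# Constructed DNS data for the offline demo (documentation-range IPs, not real records).
_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com.",   # genuine: PTR and forward agree
    "198.51.100.7": "googlebot.com.evil.example.",      # PTR only looks Google-ish
    "203.0.113.5": "crawl-192-0-2-10.googlebot.com.",  # spoofed PTR; forward does not match
}
_FWD = {"crawl-192-0-2-10.googlebot.com.": ["192.0.2.10"],
        "googlebot.com.evil.example.": ["198.51.100.7"]}


def fake_reverse(ip: str) -> str:
    if ip not in _PTR:
        raise LookupError(ip)
    return _PTR[ip]


def fake_forward(host: str) -> List[str]:
    if host not in _FWD:
        raise LookupError(host)
    return _FWD[host]


DEMO_POLICY = Policy(known_route_prefixes=("/blog/", "/static/", "/about"))
UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def run_demo() -> dict:
    """Decisions for a few constructed requests, keyed by a short label."""
    cases = {
        "real_bot_good_link": Request("192.0.2.10", UA, "/blog/post-1"),
        "real_bot_planted_link": Request("192.0.2.10", UA, "/not-a-route?x=1"),
        "fake_bot_planted_link": Request("203.0.113.5", UA, "/not-a-route?x=1"),
        "no_ptr_planted_link": Request("203.0.113.99", UA, "/not-a-route?x=1"),
    }
    return {k: decide(r, DEMO_POLICY, fake_reverse, fake_forward).value for k, r in cases.items()}


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:24} -> {outcome}")
```

The ordering in `decide` is the point: inspection happens first, and the crawler check only changes the response to a flagged request (drop the request, keep the IP reachable so indexing continues), never whether inspection happens. Note also that the third constructed case fails verification even though its PTR looks genuine, which is why the forward lookup cannot be skipped.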
Digital forensics specialists from the International Institute of Cyber Security recommend that providers review how much trust they place in third-party services, ensure that multiple layers of security are in place, and validate the organization’s data. Google has been informed about the problem, and the vulnerability is expected to be fixed in the next few days.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held cyber security researcher positions at a variety of cyber security start-ups. She also has experience in different industry domains such as finance, healthcare and consumer products.