Cloud-AI – An Artificial Intelligence on the Cloud

In 2015 we started on a mission to build an Artificial Intelligence system that can interact with the web like an intelligent human being. We did a demo of our first prototype in March 2016 at NullCon conference. Today we would like to share with you few breakthroughs we have made in this research. Also, we are open-sourcing certain modules part of our use case.


CloudSek’s Cloud-AI:

Humans know how to interact with a website or mobile application based on our past learning, together with some feedback from visual aids. We identify a clickable button based on a “label” or shape or even the size and color of objects. Current computer systems do not carry their experience along with them to new tasks. This is the challenge we are solving at CloudSek. We are building  Artificial Intelligence agents that can navigate the Internet like an Intelligent human being leveraging past experiences.

The Technology:

At CloudSek we use a semi-supervised learning model. This is because humans have generated a vast amount of data on how they have interacted with the web. We use this data to train our models to achieve our tasks successfully. This method also helps us complete challenging tasks which otherwise is highly time-consuming for the many reinforcement Models. And after 14 months of tagging and building the supervision dataset, we have begun seeing amazing results.

Cloud-AI detecting web objects

Cloud-AI successfully identified and classified input boxes, buttons, and navigation links with minimal false positives. With Cloud-AI, we can successfully interact with mobile, web or virtually any application out there with a GUI.

Introduction:

In 2015, Amazon released Amazon Echo, an artificially intelligent personal assistant (Bluetooth speaker) that can hear, comprehend, and answer any question. Google is already testing its self-driving vehicles in multiple cities. Companies are building technology that can assist humans in our day to day activities. At CloudSek we use artificial intelligence to create agents that can navigate tricky areas of the internet and perform complex tasks that are otherwise boring and time-consuming.

The idea of automating web task is nothing new. But developing automated systems that can interact and navigate any interface on the Web is something entirely different, and the stakes are much higher. For example, Amazon Echo can order items for you from Amazon shopping portal. Echo configured with many Amazon API’s help place that orders for you. But Echo would never be able to order something from Alibaba or any similar unknown portal.  In the future, we could use our Cloud-AI to assist us, order anything on the Internet or perform complex tasks, saving time.

Cloud-AI is fast and accurate, and we currently use this technology to power our x-Vigil, CloudMon set of products.

CloudSek “x-Vigil” monitors various internet sources, social media platforms, underground/discussion forums, infiltrated data, etc. and uncovers a broad range of threats and provide real-time alerts without any manual intervention.

CloudSek “CloudMon” monitors various internet exposed infrastructure [Cloud Applications, Websites, etc.] for critical security issues.

A Cloud-AI agent identifying an error and automatically fixing it.

A Cloud-AI agent identifying an error and automatically fixing it.

One place CloudSek uses Cloud-AI is automated monitoring of web applications and Cloud infrastructure. Instead of humans manually testing Cloud applications, we use machines, that can continually improve and learn from each test cases.

Cloud-AI: – Use cases and results in Application Security.

One of the most reported security issues on Facebook was the insecure direct object reference.
Insecure direct object reference.
Applications frequently use the actual name or key of an object when generating web pages.  Applications don’t always verify if the user is authorized for the target object. This results in an insecure direct object reference flaw.

For example, a delete account functionality:

http://domain.com/delete-account.php?userid=5555

Attacker User-id = 5555

Victim   User-id  = 6666

Attackers can easily manipulate parameter values to detect such flaws. The challenge in finding such an easily identifiable security bug is the difficulty reaching a flawed endpoint for an automated tool. And manually testing one such bug is time-consuming.

In the past few months, we were using Cloud-AI technology to interact with many popular and modern web applications for automated testing of insecure direct object reference bugs. One platform we choose for testing was LinkedIn (due to the simplicity of web interface and its popularity).

Testing for Data Leaks on LinkedIn:
We were able to identify 10 insecure direct object flaws in LinkedIn. Normally these bugs would have been hard to find manually and impossible by automated tools. We have responsibly reported these bugs to LinkedIn. We are listing few issues that are fixed.
Exploits:
1)  Leak any users email id on LinkedIn.
2) Leak users email and phone number and resume.
3) Delete every user’s  LinkedIn request.
4) Download every transcript to videos from Lynda.
5) Download every exercise files without a premium membership (Lynda).

Even though all of the bugs were fairly simply, the efforts to identify them were relatively high. Cloud-AI system had to fill multiple forms and follow valid patterns to reach the vulnerable endpoints. These endpoints often get missed by existing automated tools as well as manual analysis.

For example,
1)  Leak any users email id on LinkedIn.

LinkedIn has an option that allows recruiters to share selected candidates profile with any other hiring manager. The following request would share a candidate’s profile with another user. Modifying the member request to target’s id will reveal the victim’s email.

POST /cap/candidate/forwardProfilesAjax HTTP/1.1
Host: www.linkedin.com

csrfToken=ajax&newHiringManagerMemberIds=&forwardTo=&msgBody=Hello&_action_forwardProfilesAjax&projectId=&memberIds=[Victim ID]

To invoke the above request Cloud-AI had to successfully,

a) log into LinkedIn

b) reach share profile option

c) choose a valid user from a drop down

d) type in a message and click send button to submit the request.

linkedin bug

And the response leaked other users email.

Leaked info with victim name and email.

Leaked info with victim name and email.

Other bugs are relatively similar, but Cloud-AI had to complete multiple successful chained operations to invoke the weak endpoint.

2) Leak users email and phone number and resume.
Manipulating memberIds in the following request allows an attacker to view victim’s resume.

GET /cap/applicant/profileExportPdf?trackingSearchId=[id]&memberIds=[Victim IDs]

Only users who have applied for a job via LinkedIn were vulnerable, and hence this issues was only affecting a subset of users.

 

3) Delete every user’s  LinkedIn request.
The following request was able to delete every request on LinkedIn just by manipulating request-id.
POST /people/invites/withdraw?isInvite=true HTTP/1.1
Host: www.linkedin.com
Connection: close
csrfToken=[]&Ids={victims request-id }

4) Download every transcript to videos.
The following request was able to download every video transcript from LinkedIn Lynda videos without any authentication.
GET /ajax/player/transcript?courseId=496475&videoId=509328

5) Download every exercise files without a premium membership Lynda.

GET /ajax/course/518763/download/exercise/543328
Response:

The response had all the exercise file details.

Responsible disclosure to the LinkedIn team:

The LinkedIn team responded and fixed all critical issues within 24hrs of reporting. We would like to thank the fantastic LinkedIn Security team (David Cintz, Luca Carettoni (lucalnkd), shellmeta(rpitke) ) for their support resolving the issues and proofreading this article.

Method and OpenSoure code

http mutation module

HTTP mutation module.

All the data generated by Cloud-AI was passed through a proxy server, which parsed the HTTP request variables and created a dataset. Later the dataset was used to mutate request values with which we were able to find the high-security issues. Our team manually verified the issues before reporting to the LinkedIn security team.

We have open sourced the code, which acts as the proxy and performs the mutation.

https://github.com/cloudsek/Mutator

Future of Cloud-AI:

Cloud-AI is currently a large dataset of how humans have interacted with the web. Our team is currently training Cloud-AI to be capable of doing more complex interactions. We will also integrate reinforcement learning into Cloud-AI so as to maximize the actions an agent can perform(useful for testing scenarios).

We will soon come up with APIs that will let individuals automate their task using Cloud-AI.

Work with us on Cloud-AI:

Cloud-AI machine learning systems currently have a fair accuracy rate, is self-learning and becomes more accurate as it interacts more with the web. However, as the team working on Cloud-AI believes, it is never perfect and is always in development. Or as we like to put it, we are always looking for awesome people to join our great team.

About CloudSek:

CloudSek is an artificial intelligence technology-based risk management enterprise, which focuses on customized, intelligent security monitors.

CloudSek’s, SaaS-based products help a client, assess security real-time from the perspective of an attacker 24×7. Our monitors track our client’s various Internet-based resources for potential security risks. Instead of using traditional static threat detection engines and manual verification process our monitors use Machine Learning and Artificial Intelligence to identify risks.


Project Team:

Lead: Rahul Sasi

Infrastructure and Data Acquisition: Finny Abraham, Rohit Sharma

AI agents: Rahul Damineni, Surya Teja

ML and Data Classification: Bofin Babu, Girish Menon

 

Santa-APT: Android and Blackberry Malware Technical Analysis Part 2

CloudSek is an artificial intelligence technology-based risk management enterprise, which focuses on customized, intelligent security monitors.

Cloudsek’s SaaS-based products help a client, assess security real-time from the perspective of an attacker 24*7. Our monitors track our client’s various Internet-based resources for potential security risks. Instead of using traditional static threat detection engines and manual verification process our monitors use Machine Learning and Artificial Intelligence to identify threats.

The blog is an analysis of some critical information CloudSek acquired from our data partner.

At CloudSek we monitor and attribute all potential threats that affect Cloud services. In our previous blog we wrote about a group of attackers code named as Santa-APT that was functioning as a cyber crime unit as well as an APT. This team targeted Cloud servicing vendors as well.

Santa-APT team had multiple games and apps on Playstore as well as other android markets. These games never had all permissions required to do full data theft. The actual malware payloads came as updates.  They not only had Android Malwares but Blackberry versions too. In this blog we will provide more technical details regarding their payloads. Continue reading

Crimeware / APT Malware Masquerade as Santa Claus and Christmas Apps

addtext_com_MTcwNzQ3MTQ2NDA3

CloudSek is an artificial intelligence technology-based risk management enterprise, which focuses on customized, intelligent security monitors.

Cloudsek’s SaaS-based products help a client, assess security real-time from the perspective of an attacker 24*7. Our monitors track our client’s various Internet-based resources for potential security risks. Instead of using traditional static threat detection engines and manual verification process our monitors use Machine Learning and Artificial Intelligence to identify threats.

The blog is an analysis of some critical information CloudSek acquired from our data partner.

Overview:

CloudSek monitors were researching the activities of an APT [Advanced persistent threat ] that is targeting software companies globally.What is interesting is this APT appear to conduct widespread intellectual property theft for economic gains, targeted individuals as well as performed intelligence gathering that would be useful for governments. Based on our analysis , the attacker have recently launched campaigns to target Christmas season. Malware masquerades as Santa Claus and many similar Christmas Apps. Continue reading