
“Man-in-the-Cloud” Attacks Leverage Storage Services to Steal Data

Popular cloud storage services such as Google Drive and Dropbox can be abused by malicious actors in what experts call “Man-in-the-Cloud” (MITC) attacks.

Imperva’s latest Hacker Intelligence Initiative report explains in detail how attackers can easily abuse common file synchronization services for command and control (C&C) communications, endpoint hacking, remote access, and data exfiltration simply by reconfiguring them.

One worrying aspect highlighted by Imperva in its report is that the attackers don’t even need to compromise targeted users’ credentials to gain access to their file synchronization accounts.

Researchers have conducted tests on Microsoft OneDrive, Dropbox, Google Drive, and Box, cloud applications that are utilized by many organizations and their employees to make data available to multiple users and devices.

These solutions work by connecting individual devices to a central hub in the cloud through the same user account. When a file is added to a device’s local repository, it is automatically synchronized with the hub and delivered to other devices.

In an effort to make it easier to manage files, many popular applications don’t require users to enter their account credentials each time synchronization is performed. Instead, authentication to the cloud relies on a synchronization token that is usually stored in a file, a registry, or the Windows Credential Manager on the user’s machine.

The problem, according to experts, is that even though this synchronization token is encrypted on the local device, it can be easily accessed and decrypted by an attacker. Malicious actors can synchronize their own devices with the victim’s account simply by copying this token to the right place on their own system.

Imperva researchers have developed a tool that can manipulate synchronization tokens to allow an attacker to gain access to the victim’s account and implicitly their data. The tool can be delivered to the victim via phishing or drive-by download attacks, experts said.

Once they have access to the victim’s account, attackers can steal the files placed in the sync folder. In addition to stealing information, attackers can also manipulate the files located in this folder (e.g. hold them for ransom by encrypting them, plant malicious code in existing files).

Malicious actors that want to maintain access to the victim’s machine can also set up a backdoor. This can be useful for using the victim’s cloud storage as part of an operation’s C&C infrastructure.

MITC attacks have several advantages. First of all, the synchronization tokens are easy to obtain and, in some cases, the attacker can maintain access to the account even after users change their password. For example, in the case of Dropbox, the tokens are not refreshed or revoked even if the password is changed. Google Drive has a more secure design since changing the password revokes all tokens and requires users to re-authenticate each device using account credentials.

Another advantage of MITC attacks is the fact that malicious code is typically not left running on the targeted machine, and data flows out through a standard, encrypted channel, which makes it less likely to raise any suspicion, experts said. Furthermore, even if the attack is detected, the victim might have to cancel the breached account to keep hackers out.

According to Imperva, attacks based on the architecture described in the company’s report have been spotted in the wild. One example is the Inception Framework analyzed last year by researchers at Blue Coat.

There seems to be an increasing trend in the use of legitimate services by threat actors. Last month, FireEye published a report on HAMMERTOSS, a malicious backdoor leveraged by the Russian group known as APT29. HAMMERTOSS attacks involve the use of Twitter and GitHub for C&C communications, and cloud storage services for data exfiltration.

Imperva advises organizations to mitigate such attacks by using cloud access security broker solutions to identify the compromise of cloud storage accounts, and by deploying database activity monitoring (DAM) and file activity monitoring (FAM) services to identify the abuse of internal data resources.
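The account-compromise check described above can be sketched as detection logic over sync-service audit events. This is an added example, not code from Imperva's report or from this article; the event schema, account names, token IDs and device names are constructed for illustration and assume the provider or a broker logs which device presented which token.

```python
from datetime import datetime

# Constructed sample events in a hypothetical schema (not a real provider's log format).
EVENTS = [
    {"ts": "2015-08-01T09:00:00", "account": "alice", "type": "sync",
     "token_id": "tok-A1", "device": "LAPTOP-ALICE"},
    {"ts": "2015-08-02T23:40:00", "account": "alice", "type": "sync",
     "token_id": "tok-A1", "device": "UNKNOWN-HOST-7"},
    {"ts": "2015-08-03T08:00:00", "account": "alice", "type": "password_change"},
    {"ts": "2015-08-03T10:00:00", "account": "bob", "type": "sync",
     "token_id": "tok-B1", "device": "PC-BOB"},
    {"ts": "2015-08-03T23:55:00", "account": "alice", "type": "sync",
     "token_id": "tok-A1", "device": "UNKNOWN-HOST-7"},
]


def find_mitc_indicators(events):
    """Return sorted (account, token_id, reason) tuples for suspicious token use."""
    first_device = {}    # (account, token_id) -> device that first presented the token
    last_pw_change = {}  # account -> time of the most recent password change
    findings = set()
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        acct = ev["account"]
        if ev["type"] == "password_change":
            last_pw_change[acct] = ts
            continue
        if ev["type"] != "sync":
            continue
        key = (acct, ev["token_id"])
        original = first_device.setdefault(key, ev["device"])
        if ev["device"] == original:
            continue  # token still on the device it was first seen on
        # One token presented by a second device: the token was copied or moved.
        findings.add((acct, ev["token_id"], "token_on_multiple_devices"))
        # The second device kept syncing after a password change, so the
        # reset did not revoke the token (the Dropbox behaviour described above).
        if acct in last_pw_change and ts > last_pw_change[acct]:
            findings.add((acct, ev["token_id"], "foreign_device_survived_password_change"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_mitc_indicators(EVENTS):
        print(finding)
```

A finding of the second kind tells the responder that a password reset alone has not evicted the other device and that the token itself has to be revoked.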

Imperva’s Hacker Intelligence Initiative report on Man-in-the-Cloud (MITC) attacks is available online in PDF format.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
