Popular cloud storage services such as Google Drive and Dropbox can be abused by malicious actors in what experts call “Man-in-the-Cloud” (MITC) attacks.
Imperva’s latest Hacker Intelligence Initiative report explains in detail how attackers can easily abuse common file synchronization services for command and control (C&C) communications, endpoint hacking, remote access, and data exfiltration simply by reconfiguring them.
One worrying aspect highlighted by Imperva in its report is that the attackers don’t even need to compromise targeted users’ credentials to gain access to their file synchronization accounts.
Researchers have conducted tests on Microsoft OneDrive, Dropbox, Google Drive, and Box, cloud applications that are utilized by many organizations and their employees to make data available to multiple users and devices.
These solutions work by connecting individual devices to a central hub in the cloud through the same user account. When a file is added to a device’s local repository, it is automatically synchronized with the hub and delivered to other devices.
In an effort to make it easier to manage files, many popular applications don’t require users to enter their account credentials each time synchronization is performed. Instead, authentication to the cloud relies on a synchronization token that is usually stored in a file, in the registry, or in the Windows Credential Manager on the user’s machine.
The problem, according to experts, is that even though this synchronization token is encrypted on the local device, it can be easily accessed and decrypted by an attacker. Malicious actors can synchronize their own devices with the victim’s account simply by copying this token to the right place on their own system.
Imperva researchers have developed a tool that can manipulate synchronization tokens to allow an attacker to gain access to the victim’s account and, implicitly, their data. The tool can be delivered to the victim via phishing or drive-by download attacks, experts said.
Once they have access to the victim’s account, attackers can steal the files placed in the sync folder. In addition to stealing information, attackers can also manipulate the files located in this folder (e.g. hold them for ransom by encrypting them, plant malicious code in existing files).
Malicious actors that want to maintain access to the victim’s machine can also set up a backdoor. This can be useful for using the victim’s cloud storage as part of an operation’s C&C infrastructure.
MITC attacks have several advantages. First of all, the synchronization tokens are easy to obtain and, in some cases, the attacker can maintain access to the account even after users change their password. For example, in the case of Dropbox, the tokens are not refreshed or revoked even if the password is changed. Google Drive has a more secure design since changing the password revokes all tokens and requires users to re-authenticate each device using account credentials.
Another advantage of MITC attacks is the fact that malicious code is typically not left running on the targeted machine, and data flows out through a standard, encrypted channel, which makes it less likely to raise any suspicion, experts said. Furthermore, even if the attack is detected, the victim might have to cancel the breached account to keep hackers out.
According to Imperva, attacks based on the architecture described in the company’s report have been spotted in the wild. One example is the Inception Framework analyzed last year by researchers at Blue Coat.
There seems to be an increasing trend in the use of legitimate services by threat actors. Last month, FireEye published a report on HAMMERTOSS, a malicious backdoor leveraged by the Russian group known as APT29. HAMMERTOSS attacks involve the use of Twitter and GitHub for C&C communications, and cloud storage services for data exfiltration.
Imperva advises organizations to mitigate such attacks by using cloud access security broker solutions to identify the compromise of cloud storage accounts, and by deploying database activity monitoring (DAM) and file activity monitoring (FAM) services to identify the abuse of internal data resources.
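Two of the signals described above (a single synchronization token showing up from more than one device, and a token issued before a password change that keeps syncing afterwards) can be checked directly in sync-client audit logs. The script below is an added example, not code from Imperva’s report or from any of the named services; the log fields, account names, token ids and hosts are constructed for illustration, and real services expose different field names.

```python
"""Detection heuristics for Man-in-the-Cloud style sync-token abuse.

Scans constructed sync-client audit records (hypothetical field layout)
for two signals: one synchronization token used from several devices, and
a token seen before a password change that is still used after it.
"""
from collections import defaultdict

# Constructed sample log: (timestamp, account, event, token_id, device_id, src_ip)
SAMPLE_LOG = [
    ("2015-08-01T09:00:00Z", "alice", "sync", "tok-A1", "alice-laptop", "10.0.0.5"),
    ("2015-08-01T09:05:00Z", "alice", "sync", "tok-A1", "alice-laptop", "10.0.0.5"),
    ("2015-08-01T13:12:00Z", "alice", "sync", "tok-A1", "unknown-host", "203.0.113.7"),
    ("2015-08-02T08:00:00Z", "alice", "password_changed", None, "alice-laptop", "10.0.0.5"),
    ("2015-08-02T10:30:00Z", "alice", "sync", "tok-A1", "unknown-host", "203.0.113.7"),
    ("2015-08-01T10:00:00Z", "bob", "sync", "tok-B7", "bob-desktop", "10.0.0.9"),
]

def tokens_on_multiple_devices(log):
    """Return {token_id: sorted device ids} for tokens seen syncing from >1 device."""
    devices = defaultdict(set)
    for _ts, _acct, event, token, device, _ip in log:
        if event == "sync" and token:
            devices[token].add(device)
    return {t: sorted(d) for t, d in devices.items() if len(d) > 1}

def tokens_surviving_password_change(log):
    """Return {account: [token ids]} seen before a password change and used after it.

    On a service that revokes tokens when the password changes, any such hit
    is anomalous; on one that does not, it marks tokens worth revoking manually.
    """
    ordered = sorted(log, key=lambda r: r[0])  # ISO-8601 strings sort chronologically
    seen_before = defaultdict(set)
    changed = set()
    flagged = defaultdict(set)
    for _ts, acct, event, token, _device, _ip in ordered:
        if event == "password_changed":
            changed.add(acct)
        elif event == "sync" and token:
            if acct in changed and token in seen_before[acct]:
                flagged[acct].add(token)
            elif acct not in changed:
                seen_before[acct].add(token)
    return {a: sorted(t) for a, t in flagged.items()}

if __name__ == "__main__":
    print("multi-device tokens:", tokens_on_multiple_devices(SAMPLE_LOG))
    print("tokens surviving password change:", tokens_surviving_password_change(SAMPLE_LOG))
```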
Imperva’s Hacker Intelligence Initiative report on Man-in-the-Cloud (MITC) attacks is available online in PDF format.