The recently issued Imperva’s Hacker Intelligence Initiative report on Man-in-the-Cloud (MITC) attacks details how threat actors abuse popular cloud storage services for illegal activities. The experts have analyzed a number of cloud storage services including Dropbox, Google Drive, Box, and Microsoft OneDrive.
The report shows how hackers exploit common file synchronization services for command and control (C&C) communications, remote access, data exfiltration and endpoint hacking by reconfiguring them.
The disconcerting consideration made the expert at Imperva is that attackers can gain access to file synchronization accounts without compromising victim’s credentials.
Let’s start with the fundamentals, synchronization services of cloud storage services work in a simple as effective way, when users add a file to the local repository on their device, the content of the repository is automatically synchronized with the central hub of the service provider.
To improve the user experience, the applications don’t require users to enter their account credentials each time the synchronization is performed, the service providers compensate with a transparent authentication mechanism that relies on a synchronization token.
The authentication token is usually stored in a file, a registry, or the Windows Credential Manager on the user’s device, but obviously something is not working as it should!
The experts explained that even if the tokens are encrypted on the local device, hackers can easily access and decrypt them to synchronize any device with the victim’s account.
The researchers have developed a tool to run Man-in-the-Cloud attacks through the manipulation of synchronization tokens, they explained that the tool can be delivered to the victim via phishing or drive-by download attacks.
Man-in-the-Cloud attacks are easy to run, in some cases attacks can maintain access to the compromised account installing a backdoor, the access will be granted even after victims change their password.
The expert noticed that in the case of Dropbox, the authentication tokens not change even if the password is changed, meanwhile Google Drive revokes all tokens and requires users to re-authenticate each device using account credentials following a password reset.
Man-in-the-Cloud attacks are particularly difficult to track because the malicious code is typically not left running on the targeted machine and data traffic to/from the cloud architecture normally doesn’t raise any suspicion.
According to Imperva, threat actors are already running Man-in-the-Cloud attack in the wild, last year expert at Blue Coat uncovered the Inception Operation and recently researchers at FireEye described the HAMMERTOSS attacks that involved the use of Twitter and GitHub for C&C communications, and cloud storage services for data exfiltration.
Let me suggest the reading the Imperva’s Hacker Intelligence Initiative report on Man-in-the-Cloud attacks.
(Security Affairs – Man-in-the-Cloud, cloud)