Man-in-the-Cloud Attacks Not Easily Detected, and Hard to Recover From

You know about man-in-the-middle attacks, and you’ve heard of the man in the moon, but a new report warns of “man-in-the-cloud” attacks that can give hackers access to files stored in the cloud through popular file synchronization services.

This type of attack relies on stealing the account holder’s password token and, at least in theory, can be used against most file synchronization services, including Box, Dropbox, Google Drive, and Microsoft OneDrive.

The report notes that the attack is not easily detectable by common security measures, and that because it does not require the user’s account or password to be compromised, changing the password will not affect the attacker’s access. “Man-in-the-cloud” attacks have been observed in the wild, and the researchers say “recovery of the account from this type of compromise is not always feasible.”

“Our research has revealed just how easy it is for cyber criminals to co-opt cloud synchronization accounts, and how difficult it is to detect and recover from this new kind of attack,” said Amichai Shulman, CTO of Imperva. “Since we have found evidence of MITC in the wild, organizations who rely on protecting against infection through malicious code detection or command and control (C&C) communication detection are at a serious risk, as man-in-the-cloud attacks use the in-place Enterprise File Sync and Share (EFSS) infrastructure for C&C and exfiltration.”

Experts recommend that businesses invest in monitoring and protecting critical data both in the cloud and on-premises in order to detect abusive access patterns. A cloud access security broker, combined with data and file activity monitoring, can provide the necessary visibility and protection, the report suggests. It is also worth noting that the token can only be exploited in the first place if the attacker gets a “Switcher” executed on the victim’s machine, likely through social engineering or malware, which copies the synchronization token into the cloud storage application.
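As an added illustration of the activity monitoring the report recommends (this is not code from the report or from any vendor product), the script below scans constructed EFSS activity-log lines for two signs that a synchronization token has been copied off its original device: the same token presenting from more than one source IP, and bulk download volume from one of those sources. The key=value log format, field names and threshold are assumptions, so adapt parse_line() to your own CASB or file-activity export.

```python
"""Flag synchronization-token misuse in EFSS activity logs (added example)."""
from collections import defaultdict

# Constructed sample activity log, one event per line; not real service output.
SAMPLE_LOG = """\
ts=2015-08-05T09:00:01Z account=alice token=tok-a1 ip=10.0.0.12 action=upload bytes=2048
ts=2015-08-05T09:05:10Z account=alice token=tok-a1 ip=10.0.0.12 action=download bytes=4096
ts=2015-08-05T11:30:44Z account=alice token=tok-a1 ip=203.0.113.7 action=download bytes=52428800
ts=2015-08-05T11:31:02Z account=alice token=tok-a1 ip=203.0.113.7 action=download bytes=73400320
ts=2015-08-05T09:10:00Z account=bob token=tok-b1 ip=10.0.0.33 action=upload bytes=1024
ts=2015-08-05T09:11:00Z account=bob token=tok-b1 ip=10.0.0.33 action=download bytes=512
"""


def parse_line(line):
    """Split 'key=value key=value ...' into a dict; assumed log layout."""
    fields = dict(part.split("=", 1) for part in line.split())
    fields["bytes"] = int(fields.get("bytes", 0))
    return fields


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def tokens_used_from_multiple_ips(events):
    """A sync token belongs to one device install, so the same token seen from
    several source IPs suggests it was copied elsewhere. A password reset does
    not revoke it, which is why the token itself, not the login, is watched."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["account"], e["token"])].add(e["ip"])
    return {key: ips for key, ips in seen.items() if len(ips) > 1}


def download_volume_by_ip(events, threshold_bytes):
    """Exfiltration through the sync service itself shows up as download volume
    per source; return (account, ip) pairs whose total exceeds the threshold."""
    totals = defaultdict(int)
    for e in events:
        if e["action"] == "download":
            totals[(e["account"], e["ip"])] += e["bytes"]
    return {key: total for key, total in totals.items() if total > threshold_bytes}


def report(text, threshold_bytes=50 * 1024 * 1024):
    """Run both checks over a log export; the 50 MiB threshold is an assumption."""
    events = parse_log(text)
    return {
        "shared_tokens": tokens_used_from_multiple_ips(events),
        "bulk_downloads": download_volume_by_ip(events, threshold_bytes),
    }
```

On the sample log, only alice's token is flagged: it appears from both 10.0.0.12 and 203.0.113.7, and the second address pulls well over the threshold.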

“These services aren’t dangerous or insecure,” Shulman told ZDNet, declining to call the vulnerability a design flaw. “It’s kind of a trade-off between usability and security. It’s just the way things work.”

by Chris Burt, thewhir.com