Man in the cloud attacks


Man in the middle (MitM) attacks are, unfortunately, both nothing new and well exploited out there in the wild. Could man in the cloud attacks emerge as the next attack surface ripe for exploiting?

Think of man in the middle attacks as being where an attacker (the ‘man’ bit) intercepts and changes the communication (the ‘middle’ bit) between two parties. Most commonly applied in the dodgy world of unsecured Wi-Fi, serious MitM cyber-criminals will also use other methods to insert themselves into the middle of your, say, online banking operations and access your accounts. If that wasn’t bad enough, things have just got worse in the attack middle ground: Imperva has revealed a new attack threat called the man in the cloud.

Man in the cloud (MitC) attacks are interesting, and worrying, as they do not require any exploits or the running malicious code in order to get a grip during the initial infection stage. Instead they rely upon the type of common file synchronization service that we have all become used to, the likes of DropBox or Google Drive for example, to be the infrastructure providing command and control, data exfiltration and remote access options.

Man in the cloud attacks are interesting, and worrying, as they do not require any exploits or the running malicious code

Simply by reconfiguring these cloud services, without end user knowledge and without the need for plaintext credential compromise to have occurred, the bad guys can turn cloud storage resources into what Imperva describes as a “devastating attack tool”, which is hard for common security measures to detect as the synchronization protocol being used makes it all but impossible to distinguish between malicious and normal traffic.

Think that’s bad, wait for the real kicker: Imperva also suggests that recovery of the compromised accounts may not always be possible. Fooled you, that wasn’t the real, real kicker, this is: man in the cloud attacks are not conceptual threats confined to security research labs, they have already been witnessed in the wild.

According to the Imperva Hacker Intelligence Initiative, Man in the Cloud (MitC) Attacks report, which you should read for the full technical details of how these MitC attacks work against specific cloud services, the basics of the process is as follows. Files added locally to a sync folder are uploaded to the cloud, and files loaded into the cloud are downloaded to the sync folder. Synchronization is made possible using cloud service provider software installed on the end station.

This software monitors the sync folder looking for changes which, once detected, are communicated to the cloud hub through a dedicated channel. Any change notifications received from the cloud hub, meanwhile, are mirrored locally. Obviously, in order to communicate with this cloud hub on behalf of the user requires authentications, but most cloud services avoid the use of what you might call ‘explicit’ credentials such as an account name and password, instead opting to use a synchronization token.

The reasoning being, from the cloud service perspective, that any compromise of the token would not compromise the entire account so the user can still revoke compromised token rights by way of account and password credentials. Which makes good security sense, or at least did until now. MitC attackers use a weakness of the synchronization token system whereby if an attacker gets hold of the token host_id value it can be all but impossible to revoke even if the password for the account is changed.

Imperva believes that since most enterprises allow their users to use these services, MitC attacks will become prevalent in the wild. It therefore encourages organisations to shift from preventing infections and endpoint protection, as far as the security focus of that organisation is concerned, to instead securing business data and applications at source. Here’s what Tim Erline, director of security and product management at Tripwire, thought of the research.

Organizations should evaluate the risk of any application that transfers data to a third party

“There’s no doubt that the cloud is fundamentally changing the attack surface for information security. Services like these file synchronization apps are part of a new world for both enterprises and attackers alike. Researchers have considered that these tools might be used for data exfiltration before, but this research provides a clear proof of concept. There are a number of ways to detect this type of attack.

“First, a successful MitC attack involves adjacent execution of code and possible exploit activity, which might be detected and prevented, but even the attack itself can be identified by monitoring your systems for specific changes. The MitC attack involves modification of ‘some specific files or registry keys.’

“Knowing what those keys and files are means that you can use existing tools to monitor them for changes. Organizations should evaluate the risk of any application that transfers data to a third party, whether that’s file synchronization or other services. An organization that allows use of these applications should ensure they can inventory where they are in use, and monitor those systems and applications for suspicious activity and changes.”