Man in the Cloud (MITC) Attacks

GoogleDrive, OneDrive, Dropbox can be hacked without user’s passwords

You may most probably have heard of Man-in-the-Middle attacks where a malicious actor makes a cyber attack by inserting himself between the sender and receiver and gain access to their confidential and/or valuable data. While last couple of years, the giant enterprises of world got so shocked by  Man-in-the-Middle attacks,well,now they have something more to worry seriously about.

According to the latest research presented in Black Hat conference 2015,Las Vegas, Man-in-the-Cloud(MITC)  is the new type of cyber attack which gets access to cloud-based files, get this,even  without using any particular malicious code  or compromising the victim’s user name or password, thus making  it really difficult to detect.  If  it’s not explicit credentials  or Man-in-the-Middle, what is it?,you may be wondering. The magic wand is synchronization token. 

Let me explain how it happens,as per the  Black Hat conference .MITC attacks are driven on file synchronization services such as GoogleDrive, OneDrive, Dropbox, and Box as their infrastructure for command and control (C&C), data exfiltration, and remote access.File  synchronization allows the users to have the most updated copies of file repositories across the multiple devices.Service providers through a synchronized software installed at the user end,checks for changes made in the cloud hub and mirrored them locally in “sync folder” through a dedicated channel and vice versa. Authenticating to cloud is mostly done using a synchronized token by them which would not compromise the whole account but gives the ability to share with other collaborators through compromised token.

Now let’s see how the vulnerability of synchronization token open space for MITC attacks.

    ⦁ After the authentication process with explicit credentials,file synchronization does not require them again for any further operations since it’s done through synchronization token.

⦁ This machine independent token would be then stored in a file or a registry depending on the service provider.

⦁ The attacker creates an account and stores a synchronization token which represents attacker’s account in the victim’s machine’s appropriate place.

⦁ Then the needed token is copied to victim’s sync folder,so now the attacker has the token which is being synchronized with his created account

That is it, easy peasy! No middle-man thing ,No username,No password.

See,that is why it is hard to avoid MITC attacks or to trace them because no footprint is left as such,but just a simple code 

                                                                ⦁      to modify file

                                                                ⦁ to do a registry edit

Even though the thought of exposing your cloud based data to a state which can possibly be hacked would give you goosebumps, still a totally trusted solution cannot be recommended.An enterprise can use Cloud Access Security Broker (CASB) to monitor and detect an abnormal behavior in their file synchronization services.So it is finally if your dedication towards controlling access to synchronized file is highter,the security level would be higher,which on the other hand need not to be mentioned.