Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Man-in-the-Cloud Attacks rely on common file synchronization services to hack cloud account

Popular cloud storage services such as Google Drive and Dropbox can be abused by hackers running Man-in-the-Cloud (MITC) attacks. The recently issued Imperva’s Hacker Intelligence Initiative report on Man-in-the-Cloud (MITC) attacks details how threat actors abuse popular cloud storage services for illegal activities. The experts have analyzed a number of cloud storage services including Dropbox, Google Drive, Box, and Microsoft OneDrive. […]

Man-in-the-Cloud Attacks rely on common file synchronization services to hack cloud account

Popular cloud storage services such as Google Drive and Dropbox can be abused by hackers running Man-in-the-Cloud (MITC) attacks.

The recently issued Imperva’s Hacker Intelligence Initiative report on Man-in-the-Cloud (MITC) attacks details how threat actors abuse popular cloud storage services for illegal activities. The experts have analyzed a number of cloud storage services including Dropbox, Google Drive, Box, and Microsoft OneDrive.

The report shows how hackers exploit common file synchronization services for command and control (C&C) communications, remote access, data exfiltration and endpoint hacking by reconfiguring them.

The disconcerting consideration made the expert at Imperva is that attackers can gain access to file synchronization accounts without compromising victim’s credentials.

Let’s start with the fundamentals, synchronization services of cloud storage services work in a simple as effective way, when users add a file to the local repository on their device, the content of the repository is automatically synchronized with the central hub of the service provider.

To improve the user experience, the applications don’t require users to enter their account credentials each time the synchronization is performed, the service providers compensate with a transparent authentication mechanism that relies on a synchronization token.

The authentication token is usually stored in a file, a registry, or the Windows Credential Manager on the user’s device, but obviously something is not working as it should!

Man-in-the-Cloud token

The experts explained that even if the tokens are encrypted on the local device, hackers can easily access and decrypt them to synchronize any device with the victim’s account.

The researchers have developed a tool to run Man-in-the-Cloud attacks through the manipulation of synchronization tokens, they explained that the tool can be delivered to the victim via phishing or drive-by download attacks.

Man-in-the-Cloud attacks are easy to run, in some cases attacks can maintain access to the compromised account installing a backdoor, the access will be granted even after victims change their password.

The expert noticed that in the case of Dropbox, the authentication tokens not change even if the password is changed, meanwhile Google Drive revokes all tokens and requires users to re-authenticate each device using account credentials following a password reset.

Man-in-the-Cloud attacks are particularly difficult to track because the malicious code is typically not left running on the targeted machine and data traffic to/from the cloud architecture normally doesn’t raise any suspicion.

According to Imperva, threat actors are already running Man-in-the-Cloud attack in the wild, last year expert at Blue Coat uncovered the Inception Operation and recently researchers at FireEye described the HAMMERTOSS attacks that involved the use of Twitter and GitHub for C&C communications, and cloud storage services for data exfiltration.

Let me suggest the reading the Imperva’s Hacker Intelligence Initiative report on Man-in-the-Cloud attacks.

Pierluigi Paganini

(Security Affairs – Man-in-the-Cloud, cloud)