Major cloud services such as Google Drive and Dropbox at risk from man-in-the-cloud attacks

Major cloud services such as Box, Google Drive, Dropbox and Microsoft OneDrive are at risk of man-in-the-cloud (MITC) cyber attacks, according to a research paper published by Imperva.

The firm said at the Black Hat security conference in Las Vegas that cloud-based businesses are vulnerable to exploitation by hackers, even claiming that data can be accessed without needing usernames or passwords.

Imperva revealed that if hackers gain access to a users authentication token, a unique log-in file, they can steal data and even inject malware or ransomware into an account.

The research team explained that hackers are able to insert an internally developed tool named Switcher into a system through a malicious email attachment or a drive-by download that uses a vulnerability in browser plug-ins.

From an attackers point of view, there are advantages in using this technique. Malicious code is typically not left running on the machine, and the data flows out through a standard, encrypted channel. In the MITC attack, the attacker does not compromise explicit credentials, the report stated.

Furthermore, this method of hacking works in such a way that end users may not be aware that their account has been compromised.

In some circumstances, according to Imperva, the only option is to delete the compromised account as the token acquired by a hackers used to get access will remain in place regardless of a password change.

The report said that it is unlikely that an unsuspecting victim who is not carefully monitoring device-sync activity will detect an intrusion.

It is extremely difficult to recover from an attack once it is detected, and may require the victim to cancel the existing account and open a new one, Imperva said.

Amichai Shulman, chief technology officer at Imperva, warned that businesses using cloud services need to be aware of the risks.

Since we have found evidence of MITC in the wild, organisations that rely on protecting against infection through malicious code detection or command and control communication detection are at a serious risk, he told V3.

Taking over an endpoint is only putting the foot in the door. Attackers are usually after corporate data stored in databases and file servers and processed through business applications.

Meanwhile, Itsik Mantin, director of security research at Imperva, told V3 that the new attack is almost invisible from the users perspective.

However, he noted that for some of the cloud services examined, the user may receive notification mail from the cloud service, notifying that the account was accessed from a new device or new geo-location.

Mantin added: Personal cloud services like Dropbox give the attackers new ways to get into the organisation, and in the new attack to smooth their way to the victims data and ease the exfiltration of the data to the attackers premises.

Tim Erlin, director of security and product management at Tripwire, explained that the end game of this sort of attack can vary.

MITC provides the attacker with a functional capability to exfiltrate data from and deliver data to a system. That capability can have many uses for an attacker, from stealing sensitive information to delivering malware, he told V3.

Erlin stressed that the MITC attack has to start with some other attack to execute the initial Switcher code, and that individual users should avoid clicking on files theyre not sure of.

The capabilities afforded by the cloud provide advantaged and additional risk. If we find a tool useful for business, we should expect attackers will too because cybercrime is, after all, big business, he warned.

V3 contacted a number of the companies involved in the study for comment but received no replies by the time of publication.

A strain of malware originating in Russia called Hammertoss was recently discovered that also uses cloud-based attacks.

The malware uses Twitter, GitHub and cloud storage systems to relay commands and extract data from compromised networks.