A New Cloud Threat for 2015: The Man in the Cloud Attack


The ability to share files and access applications across devices and borders has quite literally revolutionized the way employees collaborate. But it’s not all good news. New threats, such as the “Man in the Cloud Attack” (MITC), underscore the difficulties in protecting data stored in the cloud. The problem is that very few companies are defending themselves against this new threat, and most don’t fully understand the implications.

Just a few days ago, the Imperva Application Defense Center (ADC) research arm unveiled its August Hacker Intelligence Initiative Report at Black Hat USA 2015. The report details how an MITC attack can co-opt popular file synchronization services, such as OneDrive, Google Drive, Box and Dropbox, turning them into devastating attack vectors not easily detected by common security measures.

To better inform you about MITC attacks, it’s helpful to answer two key questions.

  1. What is an MITC attack?
  2. How can you protect your company?

1. What is an MITC attack?
MITC attacks are a hacker’s dream come true.

Why? Because at their core, MITC attacks are essentially identity fraud.

Except there’s a catch: the attacker doesn’t actually need user credentials (i.e., their identity).

This style of attack differs from traditional “man-in-the-middle” attacks, which revolve around hijacking data in transit between servers or users. Instead, the attack focuses on “tokens,” small files on a user’s device(s) that contain their authentication information.

Online, users generally authenticate themselves by typing in their username and password, at which point, the application transmits an encrypted token. A token is a string of characters that might look something like this — J1A0UubDsasrDFXXOsdf4s — although slightly longer for security.

Because cloud storage services like Microsoft OneDrive, Google Drive, and Dropbox depend on tokens for authentication, it follows that hackers will try to get their hands on these tokens in order to gain access to cloud accounts and the data within them.

Once a token is stolen from the victim’s account — through a phishing scheme or a drive-by attack — the hacker inserts the token into their device. When the cloud-file-sharing software starts, it simply assumes that the hacker’s identity is the victim’s.

Generally, hackers are looking for financial information and business secrets, which they later sell on the black market. However, even if they don’t sell your information, MITC attacks often make an account unrecoverable. In other words, the only way to rid your company of the compromised token is to delete the user’s account so that a new token is generated.

In many cases, the cloud storage services are whitelisted by perimeter malware controls. When coupled with an employee utilizing an automatic file synchronization client, the compromised account becomes an ideal approach for bad actors to distribute infected files throughout the organization.

Even more startling, none of the major cloud sharing services have an alert system in place to detect when a token has been stolen.

2. How can you protect your company?
The only way to defend against such attacks is by being vigilant and using security and monitoring software … before it’s too late.

Our suggested solution has two aspects: identifying the compromise of a cloud file synchronization account and, equally important, identifying the abuse of the internal data resource. Our experience suggests attackers are eventually after the enterprise data rather than the information stored at endpoints. Hence, an attack is bound to express itself by the attacker trying to further access on-premise business data in a way that is not typical for normal enterprise users.

Following this two-step strategy will go a long way towards mitigating the risk of MITC attacks. Step 1 involves identifying when a cloud storage account has been compromised. Cloud Access Security Broker (CASB) services, such as Imperva Skyfence, monitor cloud services and protect against account takeovers by detecting abnormal activity within cloud apps. Using a CASB will greatly reduce detection time because of built-in automatic alerts that can be implemented on any activity threshold.

Step 2 involves organizations deploying controls such as Database Activity Monitoring (DAM) and File Activity Monitoring (FAM) around their business data resources, which identify abnormal and abusive access to the data.
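One way to express the Step 1 check as detection logic, given as an added example that is not taken from the Imperva report or from Skyfence: flag a synchronization token that is used by two different devices within a short window, while ignoring a single device that merely changes networks. The event fields, device identifiers, token fingerprints and IP addresses are constructed assumptions; map them to whatever your CASB or provider audit log actually records.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events: (timestamp, account, token fingerprint, device id, source IP).
# Store a fingerprint (e.g. a hash) of the token, never the token itself.
SAMPLE_EVENTS = [
    ("2015-08-10T09:00:00", "alice", "fp-a1", "LAPTOP-ALICE", "198.51.100.10"),
    ("2015-08-10T09:20:00", "alice", "fp-a1", "LAPTOP-ALICE", "203.0.113.7"),  # same device, new network
    ("2015-08-10T09:25:00", "alice", "fp-a1", "UNKNOWN-PC", "192.0.2.44"),     # same token, second device
    ("2015-08-10T09:30:00", "alice", "fp-a1", "LAPTOP-ALICE", "203.0.113.7"),
    ("2015-08-10T10:00:00", "bob", "fp-b7", "DESKTOP-BOB", "198.51.100.11"),
    ("2015-08-12T10:00:00", "bob", "fp-b9", "LAPTOP-BOB", "198.51.100.12"),    # new device, new token
]


def find_shared_tokens(events, window=timedelta(hours=1)):
    """Return one alert per (account, token, device pair) when a single sync
    token is used by two different devices within `window` of each other."""
    last_seen = defaultdict(dict)  # (account, token) -> {device: (time, ip)}
    reported = set()               # device pairs already alerted on
    alerts = []
    for ts, account, token, device, ip in sorted(events):
        when = datetime.fromisoformat(ts)
        devices = last_seen[(account, token)]
        for other, (other_when, other_ip) in devices.items():
            pair = (account, token, frozenset((device, other)))
            if other != device and when - other_when <= window and pair not in reported:
                reported.add(pair)
                alerts.append({"account": account, "token": token,
                               "devices": sorted((device, other)),
                               "ips": sorted((ip, other_ip)), "at": ts})
        devices[device] = (when, ip)
    return alerts


if __name__ == "__main__":
    for alert in find_shared_tokens(SAMPLE_EVENTS):
        print(alert)
```

The check relies on the log carrying a trustworthy device identifier; where it does not, the same grouping can be keyed on another client attribute at the cost of more false positives from roaming users.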
