If your business uses file syncing services such as Google Drive, Dropbox, OneDrive, or Box, your data could be at risk, according to a study released in August by Imperva, a security research company. According to Imperva, there is a new cyber-attack called “man-in-the-cloud” (MITC). With this attack, hackers can gain access to data stored on major file syncing services, such as the ones mentioned above, without compromising login and password information. Currently, the MITC attack is almost impossible to detect, and once it happens the only remedy may be to close the account.
File Syncing and Sharing (FSS)
Dropbox, Box, Microsoft OneDrive, and Google Drive are designed to let a user seamlessly sync their files across multiple devices. They can also share files with others and allow others to see or modify their files. The idea is to remove the need for a traditional file server and to allow the data to be shared in an easily accessible format outside the corporate boundary without using something like a VPN.
How the MITC Attack Works
To use these cloud-based FSS programs you provide a username and a password and then download and install a syncing program/app on your device. To save you from having to enter your password all the time, the companies store a token on your device that is tied to your account. This token tells the service that your computer is authorized to access the account’s data and to sync it.
The Imperva paper examined the four most common FSS programs: Google Drive, Microsoft OneDrive, Box, and Dropbox. For all four, the token was not tied to the device: a token taken from one machine works just as well on another. Imperva categorizes the resulting attacks into two types: the single switch and the double switch.
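The device-independence of the token is the root cause, so it helps to see concretely what "tied to the device" would change. The following is an added illustration written for this article, not code from Imperva or from any of the four vendors: a toy sync service that issues either an unbound token (an HMAC over the account name only, the design the paper found) or a device-bound token (an HMAC that also covers a per-device fingerprint). The server key, the `device_fingerprint` construction and the `SyncToken` layout are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import NamedTuple, Optional

# Assumed server-side signing key. A real service would keep this in a KMS/HSM;
# it is generated at import time here so the example runs stand-alone.
SERVER_KEY = secrets.token_bytes(32)


class SyncToken(NamedTuple):
    account: str
    device_fp: Optional[str]  # None for the unbound design described in the article
    mac: str


def device_fingerprint(machine_id: str, install_id: str) -> str:
    """Constructed stand-in for a per-device fingerprint: a hash of a stable
    machine identifier and a per-install secret. This is an assumption for the
    example, not any vendor's actual scheme."""
    return hashlib.sha256(f"{machine_id}|{install_id}".encode()).hexdigest()


def issue_unbound(account: str) -> SyncToken:
    """Unbound token: the MAC covers only the account, so nothing about the
    device that received it is part of what the server later checks."""
    mac = hmac.new(SERVER_KEY, account.encode(), "sha256").hexdigest()
    return SyncToken(account, None, mac)


def issue_bound(account: str, device_fp: str) -> SyncToken:
    """Device-bound token: the MAC covers account AND device fingerprint."""
    msg = f"{account}|{device_fp}".encode()
    mac = hmac.new(SERVER_KEY, msg, "sha256").hexdigest()
    return SyncToken(account, device_fp, mac)


def verify(token: SyncToken, presenting_fp: str) -> bool:
    """Server-side check when a client presents a token from a device whose
    fingerprint is `presenting_fp`.

    Unbound: the presenting device is ignored entirely, which is the property
    that lets a copied token keep working on another machine.
    Bound: the MAC is recomputed over the *presenting* device's fingerprint, so
    a token issued to device A does not validate when device B presents it."""
    if token.device_fp is None:
        expected = hmac.new(SERVER_KEY, token.account.encode(), "sha256").hexdigest()
    else:
        msg = f"{token.account}|{presenting_fp}".encode()
        expected = hmac.new(SERVER_KEY, msg, "sha256").hexdigest()
    return hmac.compare_digest(expected, token.mac)


def portability_report(account: str) -> dict:
    """Compare both designs for the same token copied from device A to device B."""
    fp_a = device_fingerprint("laptop-A", "install-secret-1")  # constructed values
    fp_b = device_fingerprint("laptop-B", "install-secret-2")
    unbound = issue_unbound(account)
    bound = issue_bound(account, fp_a)
    return {
        "unbound_works_on_A": verify(unbound, fp_a),
        "unbound_works_on_B": verify(unbound, fp_b),  # True: token is portable
        "bound_works_on_A": verify(bound, fp_a),
        "bound_works_on_B": verify(bound, fp_b),      # False: binding holds
    }


if __name__ == "__main__":
    for name, value in portability_report("alice").items():
        print(f"{name}: {value}")
```

Binding the token to a device fingerprint does not stop someone who controls the victim's machine from using it there, but it does mean that copying the token elsewhere, the step the double switch depends on, yields nothing usable, and any attempt to use it from a new device shows up as a failed verification the service can log.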
Single Switch Attack
The single switch attack is where an attacker switches the victim’s token with their own token. This can be accomplished either via a vulnerability in the operating system or via social engineering/phishing. After the switch, the victim’s files sync to the attacker’s account, and the attacker can see, modify, or replace any of them. Once the attacker has access in this manner, they will generally be able to run code on the victim’s computer that gives them complete control of it, which they can then use for further intrusion into the network or anything else they desire.
This attack is detectable if you look in the application settings at what account your device is syncing to. It can be stopped by signing out of the application and back in, assuming the attacker has not planted malware to prevent signing out or to re-enable the switch later.
Double Switch Attack
The double switch attack is where the attacker steals the victim’s token and puts it on their own system. To accomplish this, the attacker first switches the victim’s token with their own token, just as in the single switch attack. The attacker then places the victim’s token into the sync folder, so that it syncs up to the attacker’s account where they can retrieve it. Now that they have the victim’s token, they can use it on their own system and even switch the original token back on the victim’s system so it looks like nothing happened. As with the single switch, they essentially have complete control over the victim’s computer, and likely over any computer that shares any of the synced folders with the victim’s account.
Double switch attacks are much harder to detect and to stop than the single switch.
At the time the paper was published, none of the four FSS programs notified users when a new computer synchronized without a password being entered, even though all of them logged the event in some way. Additionally, since no sign-in occurred during the attack, neither two-factor authentication nor any other normal notification or safeguard was triggered. It was actually easier for an attacker to carry out this attack than to compromise usernames and passwords!
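Because the services log the new device even though they do not alert on it, the account activity log is the one place a defender can currently catch a double switch: a device that starts syncing with no sign-in of its own. The following added example (not from the Imperva paper or the article, and not any vendor's real log format) reads a constructed activity log, assumed to be a simple `timestamp,event,device` format, and flags devices that began syncing without a sign-in in the preceding hour or that are not in the organization's device inventory. The event names, the window and the sample lines are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple, Set


class Event(NamedTuple):
    ts: datetime
    kind: str     # assumed vocabulary: "login", "device_linked", "sync"
    device: str


# Constructed sample activity log for one account. The format and the entries
# are invented for this example; they are not a real vendor export.
SAMPLE_LOG = """\
2015-08-03T08:00:12Z,login,laptop-A
2015-08-03T08:00:15Z,device_linked,laptop-A
2015-08-03T08:01:00Z,sync,laptop-A
2015-08-03T13:42:07Z,sync,unknown-host-7
2015-08-03T13:45:30Z,sync,unknown-host-7
2015-08-04T09:10:00Z,login,phone-B
2015-08-04T09:10:05Z,device_linked,phone-B
"""

# Event kinds that mean "this device is actively using the token".
SYNC_KINDS = {"device_linked", "sync"}


def parse_log(text: str) -> List[Event]:
    """Parse the assumed CSV-like format into time-ordered events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, kind, device = (f.strip() for f in line.split(",", 2))
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, device))
    return sorted(events, key=lambda e: e.ts)


def find_suspect_devices(
    events: Iterable[Event],
    known_devices: Set[str],
    window: timedelta = timedelta(hours=1),
) -> Dict[str, List[str]]:
    """Return {device: [reasons]} for devices whose first sync activity has no
    'login' event for that same device within `window` before it, or which are
    absent from the inventory. A token that was copied rather than obtained by
    signing in produces exactly the first pattern."""
    logins: Dict[str, List[datetime]] = defaultdict(list)
    first_activity: Dict[str, datetime] = {}
    for e in events:
        if e.kind == "login":
            logins[e.device].append(e.ts)
        elif e.kind in SYNC_KINDS and e.device not in first_activity:
            first_activity[e.device] = e.ts

    findings: Dict[str, List[str]] = defaultdict(list)
    for device, first in first_activity.items():
        if device not in known_devices:
            findings[device].append("device not in inventory")
        if not any(first - window <= t <= first for t in logins[device]):
            findings[device].append(
                f"started syncing at {first.isoformat()}Z with no sign-in in the preceding {window}"
            )
    return dict(findings)


if __name__ == "__main__":
    inventory = {"laptop-A", "phone-B"}  # constructed device inventory
    for device, reasons in find_suspect_devices(parse_log(SAMPLE_LOG), inventory).items():
        print(device)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample, `laptop-A` and `phone-B` pass because each signed in seconds before linking, while `unknown-host-7` is reported on both counts. Checking the sign-in window per device rather than per account matters: in the double switch, the victim's own sign-ins are still present in the log, so an account-level check would see them and stay quiet.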
It Gets Worse
Now that we know how this happens, here is the really bad news. Attacks like this are already happening. On top of that, if done properly, this attack is currently almost impossible to detect and stop. This is a new attack type, and as such the security companies are still developing responses. Your anti-virus is virtually guaranteed not to detect this at all. Right now, we are not aware of any viable countermeasures that are likely to fit into the budget of a small or medium business.
As mentioned, not only can the attacker steal the data in the victim’s sync folder, but they can also infect that computer with malware and use it for other purposes. In a large corporation, an attacker could use this as an entry point from which to look for valuable enterprise data.
However, just because you aren’t a big business doesn’t mean you won’t be a victim. This attack is also likely to become a way to infect computers with ransomware, which we discussed here.
One further note about Dropbox: Dropbox continues to be in last place as far as security is concerned. If you fall victim to the MITC attack and use Dropbox, the attacker can actually use the information they retrieve to “log in” to the website and manage your account, including erasing their audit trails, making it almost impossible to detect the attack. None of the other three FSS programs had this particular security flaw.
What Do You Do If This Happens To You?
The good news is that the FSS companies are developing ways to stop the attack from continuing once you have detected it. To do this right now, you need to log into your account, change your password, and deactivate all the devices that are connected to your account. If you use Dropbox you might need to contact Dropbox and/or delete your account. Beware: just because you stop one attack doesn’t mean it won’t happen again. Exercise caution and review the application settings and logs regularly.
How Can I Prevent This From Happening To Me?
Rest assured that the FSS companies are working on ways to prevent this from happening, or at least to limit the damage if it does. However, until a solution is ready, the only way to make sure this doesn’t happen to you is not to use these programs.
Just because the paper only studied the four major vendors does not mean that other vendors aren’t vulnerable as well. Assuming you aren’t going to stop using an FSS program, you need to be cautious and judicious. Most of these attacks are started via social engineering or phishing and rely upon YOU to take the first step by clicking on the first program or link. To paraphrase Smokey Bear: Only You Can Prevent a Computer Virus.