
Protect cloud file sharing from a man-in-the-cloud attack

Man-in-the-cloud attacks on file sharing services can lead to confidential data leakage. Expert Rob Shapland explains how to mitigate the threat.

The Black Hat conference in Las Vegas is always a good place to hear about some of the latest and greatest security threats, and now that the show is over, we can begin to examine the real-world impact of some of the vulnerabilities that were presented.

One key presentation that enterprises should be aware of directly affects a number of cloud file sharing services, such as Dropbox, Box, Google Drive and Microsoft OneDrive.

Dubbed "man in the cloud" by Imperva researchers, the attack exploits cloud applications' use of synchronization tokens. When setting up a cloud storage client on a device, users are given the option of creating a sync folder: a folder on the device that automatically synchronizes with the central cloud service, so that any file placed in it, whether on the local device or in the cloud service, is replicated to every device configured with that sync folder. So that this synchronization can happen seamlessly and automatically (i.e., without the user entering a username and password every time), the client stores a token unique to that user and presents it on every sync.

The problem the man-in-the-cloud attack exploits is that these tokens are not tied to a specific device. If an attacker can acquire another user's synchronization token, they can access that user's files without ever knowing the username and password, and without triggering a login that the user or the service would notice.

The attack happens in a few stages. First, the attacker has to trick the victim into running a malicious file, usually via a phishing email. Once run, the file swaps the victim's synchronization token for the attacker's, so the victim's sync folder now synchronizes with the attacker's account and everything in it is sent to the attacker's device. The malicious file also copies the victim's original token into the sync folder, so it too is delivered to the attacker. With the victim's token in hand, the attacker can configure one of their own devices with it and receive the victim's files. Finally, the token on the victim's device is switched back to its original state, so the client behaves normally again.

At this point, the victim is none the wiser that another device has been added to their account and doesn't realize that any files they put in the sync folder will be copied to the attacker's device. It is important to note that this also works vice versa; the attacker can place items in the sync folder and have them propagate to all the other synced devices, allowing them to copy whatever malicious files they choose to the victim's machine.
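To make the stages above concrete, here is an added toy model of the token switch. It is not Imperva's tooling and does not use any real service's token format or client internals; the service, the devices, the token format and the file names are all constructed for the example. The only property it reproduces is the one that matters: the service checks the bearer token and nothing else, so whichever device presents it is treated as the account owner.

```python
"""Toy model of a man-in-the-cloud token switch (added illustration,
not any vendor's code).  A sync account is identified by an opaque bearer
token; whoever presents the token syncs with the account, regardless of
which device presents it."""
import secrets
from dataclasses import dataclass, field


class SyncService:
    """Server side of the toy model: one file store per account, looked up
    by the bearer token issued at enrolment."""

    def __init__(self):
        self._accounts = {}  # token -> {filename: content}

    def register(self):
        """Issue an opaque token for a new account (hypothetical format)."""
        token = secrets.token_hex(16)
        self._accounts[token] = {}
        return token

    def sync(self, token, local_files):
        """Two-way sync: merge the client's files into the account and hand
        back the account's full contents.  The token is the only credential
        checked; nothing ties it to the device that presents it."""
        store = self._accounts[token]  # unknown token -> KeyError
        store.update(local_files)
        return dict(store)


@dataclass
class Device:
    """Client side: the sync folder plus the token the desktop client caches
    on disk so the user never has to re-enter a password."""
    service: SyncService
    token: str
    sync_folder: dict = field(default_factory=dict)

    def sync(self):
        self.sync_folder = self.service.sync(self.token, self.sync_folder)


def run_mitc_scenario():
    """Walk through the stages described in the article and report what the
    attacker ends up with.  File names and contents are constructed data."""
    svc = SyncService()
    victim_token = svc.register()
    attacker_token = svc.register()

    victim = Device(svc, victim_token)
    victim.sync_folder["q3-financials.xlsx"] = "CONFIDENTIAL"
    victim.sync()

    # Stage 1: the phishing payload, running as the victim, swaps the cached
    # token for the attacker's and drops the original token into the sync
    # folder.  The next sync therefore goes to the attacker's account and
    # carries the victim's token (and current files) with it.
    original = victim.token
    victim.token = attacker_token
    victim.sync_folder["token.txt"] = original
    victim.sync()

    # Stage 2: the payload restores the original token and removes the drop
    # file, so the client behaves normally and the user sees nothing unusual.
    victim.token = original
    del victim.sync_folder["token.txt"]
    victim.sync()

    # Stage 3: the attacker collects the token from their own account and
    # enrols a device of their own with it.  No password, no login event.
    stolen = svc.sync(attacker_token, {})["token.txt"]
    attacker = Device(svc, stolen)
    attacker.sync()

    # The channel is bidirectional: whatever the attacker drops into their
    # copy of the folder propagates back to the victim on the next sync.
    attacker.sync_folder["invoice.pdf.exe"] = "implant"
    attacker.sync()
    victim.sync()

    return {
        "attacker_holds_victim_token": stolen == victim_token,
        "attacker_reads_confidential_file":
            attacker.sync_folder.get("q3-financials.xlsx") == "CONFIDENTIAL",
        "victim_token_restored": victim.token == victim_token,
        "implant_reached_victim": "invoice.pdf.exe" in victim.sync_folder,
    }


if __name__ == "__main__":
    for check, outcome in run_mitc_scenario().items():
        print(f"{check}: {outcome}")
```

Every check in the returned dictionary comes back true: the attacker holds a valid token, reads the confidential file, pushes a file onto the victim's machine, and the victim's own client is left exactly as it was, which is why nothing on the victim's side looks wrong afterwards.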

The potential impact of this is very serious, especially if an organization is using cloud file sharing services to back up confidential data. An attacker could use the technique to access this information, and it would be extremely difficult to detect. It should be noted, though, that there is still an initial stage of compromise, in which the attacker must trick an employee into running a malicious file, before the synchronization token can be obtained.

As the perimeter of organizations' networks becomes less defined and the cloud is relied on more, it becomes increasingly difficult to detect and prevent this type of attack. The simplest mitigation is to be deliberate about how cloud file sharing services are used and to define clearly what is permitted to be stored in the cloud. Enterprises can avoid a man-in-the-cloud attack altogether by not enabling sync folders. The attack can also be stopped at its initial infection point by educating staff not to open unexpected file attachments or visit suspicious links. Control systems can help too, for example cloud access security broker (CASB) services that monitor cloud usage: the stolen token is indistinguishable from the real one, but it is still being used from a device and a network the organization has never seen the account sync from before.
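To show what the CASB-style monitoring mentioned above can actually key on, here is an added example of a small detector run over constructed sync audit events. It is not any vendor's product or log schema; the event format, the enrolled-device baseline, the trusted network range and the sample log lines are all assumptions made for the example. Because the stolen token looks legitimate, the signal is where the token is used: a device id the account never enrolled, or two different devices syncing the same account within minutes of each other with one of them off the corporate network.

```python
"""CASB-style detection of synchronization-token reuse (added illustration;
the log format and baselines below are constructed, not a real schema)."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sync audit events, one JSON object per line: the
# corporate laptop syncs from the office network, then the same account
# syncs from a device nobody enrolled, on a foreign network, minutes later.
SAMPLE_LOG = """
{"ts": "2015-08-10T09:00:00", "account": "alice@example.com", "device_id": "LAPTOP-7F3", "ip": "203.0.113.10"}
{"ts": "2015-08-10T09:05:00", "account": "alice@example.com", "device_id": "LAPTOP-7F3", "ip": "203.0.113.10"}
{"ts": "2015-08-10T09:12:00", "account": "alice@example.com", "device_id": "UNKNOWN-A1", "ip": "198.51.100.77"}
{"ts": "2015-08-10T09:15:00", "account": "bob@example.com", "device_id": "LAPTOP-2C9", "ip": "203.0.113.11"}
{"ts": "2015-08-10T09:20:00", "account": "alice@example.com", "device_id": "LAPTOP-7F3", "ip": "203.0.113.10"}
""".strip()

# Devices IT enrolled for each account, and the networks sync traffic is
# expected to come from (both constructed for the example).
ENROLLED = {"alice@example.com": {"LAPTOP-7F3"}, "bob@example.com": {"LAPTOP-2C9"}}
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_events(text):
    """Parse one JSON event per line and return them in timestamp order."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def off_network(ip, trusted_nets):
    """True when the source address is outside every trusted range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in trusted_nets)


def detect(events, enrolled, trusted_nets, window=timedelta(minutes=30)):
    """Apply two rules and return a list of alert dicts.

    unenrolled_device  - the account synced from a device not in its baseline.
    concurrent_devices - two different devices synced the same account within
                         `window`, at least one from outside the trusted
                         networks (once the token is copied, the victim's
                         laptop and the attacker's machine are both live).
    A device pair is reported once per account to avoid repeat alerts."""
    alerts = []
    history = defaultdict(list)  # account -> [(ts, device_id, ip)]
    reported_pairs = set()
    for e in events:
        acct, dev, ip, ts = e["account"], e["device_id"], e["ip"], e["ts"]
        if dev not in enrolled.get(acct, set()):
            alerts.append({"rule": "unenrolled_device", "account": acct,
                           "device": dev, "ip": ip, "ts": ts.isoformat()})
        for prev_ts, prev_dev, prev_ip in history[acct]:
            pair = (acct, frozenset((prev_dev, dev)))
            if (prev_dev != dev and ts - prev_ts <= window
                    and pair not in reported_pairs
                    and (off_network(ip, trusted_nets)
                         or off_network(prev_ip, trusted_nets))):
                reported_pairs.add(pair)
                alerts.append({"rule": "concurrent_devices", "account": acct,
                               "devices": sorted((prev_dev, dev)),
                               "ts": ts.isoformat()})
        history[acct].append((ts, dev, ip))
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect(parse_events(SAMPLE_LOG), ENROLLED, TRUSTED_NETS), indent=2))
```

On the sample log this raises two alerts for alice@example.com, both triggered by the 09:12 event: the unenrolled device and the concurrent use of two devices. Bob's single enrolled laptop on the office network raises nothing. The baseline of enrolled devices is the part that needs real input from IT; without it the first rule degrades to "any device we have not seen yet", which is noisy on a fleet where users self-enrol.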

In summary, this attack can be considered a highly effective way of gaining access to an organization's cloud resources. It shows why organizations must carefully consider any cloud functionality allowed on their network, including functionality that is automatically enabled in products such as Microsoft Office. All cloud access should be tightly controlled.

About the author:
Rob Shapland is a penetration tester at First Base Technologies, where he specializes in Web application security. He has used his skills to test the websites of companies that range from large corporations to small businesses using a wide variety of Web technologies. Shapland is a firm believer that all penetration testing should have manual techniques at their core, using automated tools to support these skills. He is also involved in network testing and social engineering.

Next Steps

Learn more about secure enterprise file sharing and data encryption in the cloud

Uncover what to look for in cloud storage and file-sharing services

This was last published in October 2015


Join the conversation

2 comments

Does your enterprise use file sharing services? Are you concerned by man-in-the-cloud attacks?
Great overview of the potential issues. In addition to simply educating users not to open file attachments or visit suspicious links, possibly leveraging structural sanitization to remove the malicious content would be a more effective approach.