If the Android security vulnerability ‘Stagefright’ wasn’t enough to knock your socks off, here is another one. Attendees at the Black Hat conference in Las Vegas were informed of a new kind of hacking attack, one that doesn’t even require a password to access sensitive data stored in the cloud!
It was cyber security firm Imperva that first discovered the loophole in file synchronization that allows a “man-in-the-cloud” (MITC) attack to infiltrate and infect cloud-based data without the victim noticing. Both consumers and businesses are vulnerable because the attack does not rely on tapping data in transit; it takes advantage of a security issue in the design of the file synchronization services offered by Box, Dropbox, Google Drive and Microsoft OneDrive. Worst of all, according to the report, in some cases the account cannot be recovered at all.
The attack searches out and extracts the password token file on a user’s device (this is used the first time a cloud service is synced). The token is entrenched in the device and cannot be managed by simply changing the password. Once it is found, the hackers enter by a phishing or drive-by exploit attack to fool the device into thinking it is the account owner. This gives the attacker unchecked access to all files and leaves the device open to malware attacks on the cloud folder.
Imperva showed the similarity between their findings and a paper by security firm Blue Coat, which also warns of a similar hacking attack. Amichai Schulman, chief technology officer at Imperva, said, “Our research has revealed just how easy it is for cyber criminals to co-opt cloud synchronisation accounts, and how difficult it is to detect and recover from this new kind of attack. Since we have found evidence of MITC in the wild, organisations that rely on protecting against infection through malicious code detection or command and control (C&C) communication detection are at a serious risk, as MITC attacks use the in-place Enterprise File Synch and Share infrastructure for C&C and exfiltration.”
Imperva suggested using a cloud access security broker solution combined with data activity monitoring and file activity monitoring to counter and minimize the risk of such attacks. Dropbox has not yet issued a statement on the warning and neither has Google.
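The file activity monitoring suggested above can be pictured as a check over sync events. The following is an added example, not code from Imperva or from any of the services named; the log format, field names and sample events are constructed assumptions. It flags a sync token used from a device it was not issued to, and a token that is still in use after the account password was changed.

```python
import csv
import io
from datetime import datetime

# Constructed sample events (assumed format, not a real service log):
# timestamp, account, token id, device id, action
SAMPLE_LOG = """\
2015-08-05T09:00:00,alice,tok-A1,laptop-01,token_issued
2015-08-05T09:05:00,alice,tok-A1,laptop-01,sync
2015-08-06T14:00:00,alice,tok-A1,host-77,sync
2015-08-07T10:00:00,alice,-,laptop-01,password_change
2015-08-07T11:30:00,alice,tok-A1,host-77,sync
2015-08-07T12:00:00,bob,tok-B9,desktop-02,token_issued
2015-08-07T12:10:00,bob,tok-B9,desktop-02,sync
"""

def find_suspicious_token_use(log_text):
    """Return (timestamp, account, token, reason) alerts for sync-token misuse."""
    token_device = {}     # token id -> device the token was issued to
    token_issued_at = {}  # token id -> time the token was issued
    last_pw_change = {}   # account -> time of the most recent password change
    alerts = []
    for ts, account, token, device, action in csv.reader(io.StringIO(log_text)):
        when = datetime.fromisoformat(ts)
        if action == "token_issued":
            token_device[token] = device
            token_issued_at[token] = when
        elif action == "password_change":
            last_pw_change[account] = when
        elif action == "sync":
            # A copied token shows up on a device it was never issued to.
            if token_device.get(token) != device:
                alerts.append((ts, account, token, "token used from unenrolled device"))
            # A password change does not retire the token, so flag old tokens.
            changed = last_pw_change.get(account)
            if changed and token_issued_at.get(token, when) < changed:
                alerts.append((ts, account, token, "token predates password change"))
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_token_use(SAMPLE_LOG):
        print(*alert, sep="  ")
```
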