Attackers use Google Drive, Dropbox to breach companies

A new type of attack, “Man in the Cloud” (MITC), can quietly coopt common file synchronization services, such as Google Drive and Dropbox, to turn them into devastating attack tools, Imperva has revealed in a report released today at Black Hat USA 2015.

This next-generation attack does not require compromising the user’s cloud account username or password, and could be a very effective way of delivering malware.

“MITC does not require any particular malicious code or exploit to be used in the initial ‘infection’ stage, thus making it very difficult to avoid. Furthermore, the use of well-known synchronization protocols make it extremely difficult (if not impossible) to distinguish malicious traffic from normal traffic. Even if a compromise is suspected, the discovery and analysis of evidence will not be easy, as little indication of the compromise is left behind on the endpoint,” the company explained.

An additional unwelcome result of such an attack is that it might be very difficult and often impossible for the companies to recover the compromised account, so they would have to create a new one.

The report details several types of MITC attacks executed with the help of a PoC Switcher tool:

  • The Quick Double Switch attack allows the attacker to share the victim’s file synchronization account, to have access to the files in it and to infect them with malicious code.
  • The Persistent Double Switch is similar to the previous one, but it also allows the attacker to maintain remote access to the victim
  • The Single Switch (Quick or Persistent) allow the attacker to access the victim’s data, machine, and to execute malicious code on the latter.

“Since most organizations either allow their users to use file synchronization services, or even rely on these services as part of their business toolbox, we think that MITC attacks will become prevalent in the wild,” the researchers concluded.

“As a result, we encourage enterprises to shift the focus of their security effort from preventing infections and endpoint protection to securing their business data and applications at the source.”

“Since we have found evidence of MITC in the wild, organizations who rely on protecting against infection through malicious code detection or command and control (C&C) communication detection are at a serious risk, as man in the cloud attacks use the in-place Enterprise File Synch and Share (EFSS) infrastructure for C&C and exfiltration,” said Amichai Shulman, CTO of Imperva.