How to counter ‘man in the cloud’ attacks

By David Shephard, Bitglass Australia

The rise of the cloud in the enterprise stems from its ability to enable anytime, anywhere data access, which increases employee productivity and flexibility. However, these new benefits come with a different set of potential threats.

Organisations need to protect themselves against new versions of cyber attacks that take advantage of the growing popularity of cloud computing.

One example of a malicious tactic that has emerged is known as a ‘man in the cloud’ (MitC) attack. These attacks aim to access victims’ accounts without needing to obtain their credentials.

What is MitC?

To gain access to cloud accounts, MitC attacks take advantage of the OAuth synchronisation token system used by cloud applications. Most popular cloud services – Dropbox, Microsoft OneDrive, Google Drive, and more – each save one of these tokens on a user’s device after initial authentication is completed.

This is done to improve usability – users don’t have to enter their password every time they attempt to access an app if they have an OAuth token. However, the anytime, anywhere nature of cloud services means that the same token can grant access from any device.

As such, attackers who can access and copy a token can infiltrate the victim’s cloud accounts remotely – in a manner that appears genuine and bypasses security measures.

According to Minerva, the research team that discovered MitC attacks, the easiest way to get access to a token is through social engineering. This involves tricking the victim into running purpose-built malware tools, such as Switcher, which are usually distributed via email.

Once executed on the victim’s device, this malware installs a new token (belonging to a new account that the attacker created) and moves the victim’s real token into a cloud sync folder. When the victim’s device syncs via the new token belonging to the attacker, it sends the victim’s data to the attacker’s account instead of to the user’s real account.

In addition to the above, the original account token is revealed to the attacker and malware like Switcher can copy it back to the victim’s machine, erasing the malicious one in the process. This removes all traces of the security breach and leaves the attacker with full access to the victim’s account – on any device.
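The token swap described above leaves two traces in a cloud service’s sync audit trail: the victim’s device starts syncing under an account that is not the victim’s, and the victim’s own token is later presented from a device it was never issued to. The following detector is an added example, not part of the original article and not any provider’s tooling. It runs over a constructed sample of audit events; the field names and the idea that the log records a hash of the token rather than the token itself are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample of sync-client audit events, one JSON object per line. Field names are
# assumptions, not any provider's real schema; token_id stands for a hash of the sync token,
# so the log never contains the token itself.
SAMPLE_EVENTS = """
{"ts": "2023-05-01T08:00:00Z", "user": "alice@example.com", "token_id": "tok-a1", "device_id": "dev-alice-laptop", "ip": "203.0.113.10"}
{"ts": "2023-05-01T08:05:00Z", "user": "alice@example.com", "token_id": "tok-a1", "device_id": "dev-alice-laptop", "ip": "203.0.113.10"}
{"ts": "2023-05-01T09:00:00Z", "user": "mallory@example.net", "token_id": "tok-m9", "device_id": "dev-alice-laptop", "ip": "203.0.113.10"}
{"ts": "2023-05-01T09:30:00Z", "user": "alice@example.com", "token_id": "tok-a1", "device_id": "dev-unknown-77", "ip": "198.51.100.5"}
{"ts": "2023-05-01T10:00:00Z", "user": "bob@example.com", "token_id": "tok-b2", "device_id": "dev-bob-desktop", "ip": "203.0.113.11"}
"""


def parse_events(text: str) -> list:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_mitc_indicators(events: list) -> list:
    """Flag the two sightings that the token-swap sequence produces:
    - device_account_switch: a device that was syncing as one account starts syncing as another
      (the endpoint is now using a token that belongs to someone else's account);
    - token_reused_from_new_device: a token is presented from a device it has never been seen on
      (the token has been copied off the endpoint it was issued to).
    The first sighting of each device and token is taken as the trusted baseline (assumption)."""
    device_user = {}                  # device_id -> account it first synced as
    token_devices = defaultdict(set)  # token_id  -> devices seen presenting it
    alerts = []
    for ev in events:
        dev, tok, user = ev["device_id"], ev["token_id"], ev["user"]
        if dev in device_user and device_user[dev] != user:
            alerts.append({"rule": "device_account_switch", "ts": ev["ts"], "device_id": dev,
                           "expected_user": device_user[dev], "seen_user": user})
        device_user.setdefault(dev, user)
        if token_devices[tok] and dev not in token_devices[tok]:
            alerts.append({"rule": "token_reused_from_new_device", "ts": ev["ts"], "token_id": tok,
                           "known_devices": sorted(token_devices[tok]), "new_device": dev,
                           "ip": ev["ip"]})
        token_devices[tok].add(dev)
    return alerts


if __name__ == "__main__":
    for alert in detect_mitc_indicators(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

On the sample, the third event raises a device_account_switch alert (Alice’s laptop syncing as mallory@example.net) and the fourth a token_reused_from_new_device alert (Alice’s token from an unknown device). A real deployment would seed the baseline from a device inventory rather than from first sightings, since an attacker who appears in the log before the legitimate user would otherwise become the baseline.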

How to protect against MitC attacks

The nature of a MitC attack makes it very difficult to prevent with conventional security measures such as endpoint and perimeter protection. However, organisations can take several steps to minimise (or even eliminate) the chance of becoming a MitC victim.

1. Conduct regular security training

One of the simplest security measures is also one of the most effective, because MitC attacks rely on social engineering to be successful. Fortunately, a well-trained, vigilant employee is far less likely to click on the malicious links or attachments that are generally found in phishing emails.

Security conscious organisations should conduct regular trainings with all their employees in order to keep security top of mind and ensure that employees know the signs of a potential attack.

2. Use encryption to protect cloud data

While encryption cannot prevent a MitC attack from occurring, it can prevent the plaintext data breaches that may result. Provided the encryption keys are not also stored within the targeted cloud service, any data accessed through a MitC attack would remain encrypted to the attacker. This means that the stolen information would be indecipherable and unusable to the malicious party.

3. Enable multi-factor authentication

Multi-factor authentication (MFA) is another simple but effective way to help minimise the threat of MitC attacks. Through MFA, users are authenticated beyond a mere password; for example, their identities are also verified via an SMS token sent to their phone.

MFA is available with leading cloud services as well as from specialised security solutions built to verify users’ identities across all of an organisation’s cloud-based resources. MFA adds an extra layer of security that can easily thwart a MitC attacker who doesn’t have the ability to authenticate beyond an OAuth token.

4. Invest in a cloud access security broker (CASB)

One of the most comprehensive ways to protect against threats like MitC attacks is through deployment of a cloud access security broker (CASB). A CASB will intermediate all traffic between an organisation’s cloud apps and endpoint devices – automatically replacing each app’s OAuth tokens with encrypted tokens before delivering them to their endpoints. This creates a built-in defence against MitC attacks.

As a device attempts to access a cloud app, the user’s unique, encrypted token is presented to the CASB, which decrypts it and passes it along to the app. Consequently, if a user’s encrypted token were to be replaced with a hacker’s, the malicious token would fail validation and decryption at the CASB, denying access to the intended victim’s account and nullifying the attack.
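Steps 2 and 4 rest on the same primitive: authenticated encryption under a key that the attacker never obtains. The following worked example is added here and is neither Bitglass’s product nor any CASB vendor’s implementation. It builds an encrypt-then-MAC construction from the Python standard library as a stand-in for an AEAD such as AES-GCM, uses it once to encrypt a file before it reaches the sync folder with the key held only in a local keystore (step 2), and once to wrap an OAuth token at a CASB so that a swapped or copied token fails validation (step 4). Binding the wrapped token to the device as well as the user goes beyond the article, which speaks of a user’s unique token; the user and device identity are assumed to come from the CASB’s own authenticated session with the endpoint. Accounts, device IDs and token strings are constructed.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _derive(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode with HMAC-SHA256 as the PRF: block i = HMAC(enc_key, nonce || i).
    out = b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                   for i in range((length + 31) // 32))
    return out[:length]


def _tag(mac_key: bytes, aad: bytes, nonce: bytes, ct: bytes) -> bytes:
    # Length-prefix the associated data so the (aad, nonce, ct) boundaries are unambiguous.
    return hmac.new(mac_key, len(aad).to_bytes(4, "big") + aad + nonce + ct, hashlib.sha256).digest()


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC with separate derived keys; `aad` is authenticated but not encrypted.
    Standard-library stand-in for AES-GCM, which is what a real deployment would use."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + _tag(mac_key, aad, nonce, ct)


def open_sealed(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Check the tag in constant time before decrypting; any mismatch raises ValueError."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("malformed blob")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(_tag(mac_key, aad, nonce, ct), tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Step 2: encrypt files before they reach the sync folder. The per-user key lives only in a
# local keystore (constructed here as a dict) and is never written to the cloud.
LOCAL_KEYSTORE = {"alice@example.com": secrets.token_bytes(32)}


def encrypt_for_sync(user: str, path: str, content: bytes) -> bytes:
    # Binding the path as AAD stops a ciphertext from being silently moved to another file name.
    return seal(LOCAL_KEYSTORE[user], content, aad=path.encode())


def decrypt_from_sync(user: str, path: str, blob: bytes) -> bytes:
    return open_sealed(LOCAL_KEYSTORE[user], blob, aad=path.encode())


# Step 4: the CASB keeps the real OAuth token and hands endpoints only a wrapped copy.
class Casb:
    def __init__(self):
        self._key = secrets.token_bytes(32)   # known only to the CASB (assumption)

    def issue(self, user: str, device_id: str, real_oauth_token: str) -> bytes:
        """Wrap the app's token for one user on one device (device binding is an assumption)."""
        return seal(self._key, real_oauth_token.encode(), aad=f"{user}|{device_id}".encode())

    def authorise(self, user: str, device_id: str, wrapped: bytes):
        """Return the real token to forward to the cloud app, or None if validation fails."""
        try:
            return open_sealed(self._key, wrapped, aad=f"{user}|{device_id}".encode()).decode()
        except ValueError:
            return None


def demo() -> dict:
    """Walk through both defences with constructed accounts and tokens."""
    casb = Casb()
    alice_wrapped = casb.issue("alice@example.com", "dev-alice-laptop", "oauth-real-alice")
    mallory_wrapped = casb.issue("mallory@example.net", "dev-mallory", "oauth-real-mallory")
    results = {
        # the legitimate device presents its own wrapped token: the real token is released
        "legitimate": casb.authorise("alice@example.com", "dev-alice-laptop", alice_wrapped),
        # a wrapped token swapped onto Alice's device, as in the attack above: rejected
        "swapped_token": casb.authorise("alice@example.com", "dev-alice-laptop", mallory_wrapped),
        # Alice's wrapped token copied to an unknown device: rejected by the device binding
        "copied_token": casb.authorise("alice@example.com", "dev-unknown-77", alice_wrapped),
    }
    blob = encrypt_for_sync("alice@example.com", "Finance/q1.xlsx", b"quarterly figures")
    results["owner_reads"] = decrypt_from_sync("alice@example.com", "Finance/q1.xlsx", blob)
    try:   # whoever reaches the account without the local key sees only ciphertext
        open_sealed(secrets.token_bytes(32), blob, aad=b"Finance/q1.xlsx")
        results["token_thief_reads"] = "plaintext"
    except ValueError:
        results["token_thief_reads"] = None
    return results
```

The two checks in open_sealed are the whole defence: the tag is verified before any decryption, and the associated data ties a blob to its context, so a token wrapped for another user or device, or a ciphertext moved to another path, fails the tag check rather than decrypting to something usable. The keys in LOCAL_KEYSTORE and Casb._key are what step 2 means by keys not stored within the targeted cloud service; if they were synced alongside the data, the encryption would protect nothing.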

MitC attacks exploit the anytime, anywhere data access provided by the cloud and are designed to give hackers unauthorised access to sensitive information.

Although detecting these threats with conventional security tools is virtually impossible, organisations are not defenceless. Regular employee training, combined with security measures like encryption, multi-factor authentication and CASBs, can provide an extremely robust defence against MitC attacks and countless other threats.

Any organisation that fails to remain prepared will inevitably suffer a data breach.