Beware the man in the cloud: How to protect against a new breed of cyberattack
One tactic that has drawn attention in recent years is the ‘man in the cloud’ (MitC) attack. It gives an attacker access to a victim’s cloud storage account without first obtaining the victim’s password. Below, this article explains the anatomy of a MitC attack and offers practical advice on defending against it.
What is a MitC attack?
To gain access to cloud accounts, MitC attacks take advantage of the synchronisation token (an OAuth-style bearer token) used by cloud storage clients. Most popular services – Dropbox, Microsoft OneDrive, Google Drive and others – store such a token on the user’s device once the initial authentication is complete. This is done for usability: the sync client presents the token on every request, so the user does not have to enter a password each time the app talks to the cloud.
However, the anytime, anywhere nature of cloud services means that the token is not tied to the device it was issued to: it grants the same access from any machine. If an attacker can copy the token, she or he can reach the victim’s cloud account remotely. To the service, the attacker’s client looks like the victim’s own sync client; no login event occurs, no password or second factor is requested, and endpoint and perimeter controls see nothing but ordinary sync traffic.
According to Imperva, whose research team first described MitC attacks (at Black Hat USA 2015), the easiest way to get hold of a token is social engineering: tricking the victim into running a small purpose-built tool (Imperva’s proof of concept is called Switcher), typically delivered by email.
Once executed on the victim’s device, the tool swaps the victim’s token for one belonging to an account the attacker created, and drops a copy of the victim’s original token into the cloud sync folder. On the next sync the client, now authenticated as the attacker, uploads the folder’s contents, the victim’s token among them, to the attacker’s account. Switcher then restores the original token and deletes the attacker’s, so the client returns to its normal state and the victim sees nothing unusual. The attacker is left holding a valid token for the victim’s account, usable from any device, with no password ever having been stolen and no login having been recorded.
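A defender-side check that follows from the mechanism above, as an added example that is not from the article or from Imperva’s research: a copied token is the same token arriving from a second machine (a legitimate second device would authenticate and receive its own token), so where a provider’s audit log records the token or session identifier alongside a device identifier, it can be scanned for one token used from two devices within a short window. The JSON events, their field names and the one-hour window below are constructed for this example; map them to your provider’s audit export, which may not expose a token identifier at all.

```python
"""Detect one sync token used from two different devices in a short window.

Added example (not from the article). The audit events, their field names and
the one-hour window are constructed for illustration; a real provider's audit
export will use different names and may call the token a session id.
"""
import json
from datetime import datetime, timedelta

# Constructed sample audit log: alice's token tok-a1 is used from her laptop and,
# 83 seconds later, from an unknown device on another network (the MitC replay).
# bob's token changes IP the next day but stays on the same device (benign).
SAMPLE_LOG = """\
{"ts":"2024-03-01T09:00:12Z","user":"alice","token_id":"tok-a1","device_id":"LAPTOP-ALICE","ip":"203.0.113.10","action":"sync"}
{"ts":"2024-03-01T09:05:40Z","user":"alice","token_id":"tok-a1","device_id":"LAPTOP-ALICE","ip":"203.0.113.10","action":"sync"}
{"ts":"2024-03-01T09:07:03Z","user":"alice","token_id":"tok-a1","device_id":"UNKNOWN-7f3","ip":"198.51.100.77","action":"list"}
{"ts":"2024-03-01T09:07:15Z","user":"alice","token_id":"tok-a1","device_id":"UNKNOWN-7f3","ip":"198.51.100.77","action":"download"}
{"ts":"2024-03-01T10:30:00Z","user":"bob","token_id":"tok-b9","device_id":"DESKTOP-BOB","ip":"203.0.113.22","action":"sync"}
{"ts":"2024-03-02T08:00:00Z","user":"bob","token_id":"tok-b9","device_id":"DESKTOP-BOB","ip":"192.0.2.5","action":"sync"}
"""

WINDOW = timedelta(hours=1)  # assumed tuning value, not a provider default


def parse_events(text):
    """Parse newline-delimited JSON events and return them sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_token_reuse(events, window=WINDOW):
    """Return one alert per event in which a token is used from a device other
    than the one that used it last, within `window` of that previous use.

    A user who signs in on a second device gets a new token, so the same token
    id hopping between devices is the signal; an IP change alone is not (laptops
    roam), which is why bob's events above produce no alert.
    """
    last_use = {}  # token_id -> most recent event using that token
    alerts = []
    for event in events:
        prev = last_use.get(event["token_id"])
        if (prev is not None
                and prev["device_id"] != event["device_id"]
                and event["ts"] - prev["ts"] <= window):
            alerts.append({
                "user": event["user"],
                "token_id": event["token_id"],
                "first_device": prev["device_id"],
                "first_ip": prev["ip"],
                "second_device": event["device_id"],
                "second_ip": event["ip"],
                "gap_seconds": int((event["ts"] - prev["ts"]).total_seconds()),
                "action": event["action"],
            })
        last_use[event["token_id"]] = event
    return alerts


if __name__ == "__main__":
    for alert in find_token_reuse(parse_events(SAMPLE_LOG)):
        print("token reuse:", alert)
```

On a hit, the response is to revoke the token (most services can sign a user out of all devices) and to review which `action` values followed the first foreign sighting, since everything after it was done with the victim’s identity.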
How to protect against MitC attacks
The nature of a MitC attack makes it hard to prevent with conventional security measures such as endpoint and perimeter protection: the attacker’s client presents a genuine token and generates ordinary-looking sync traffic. There are, however, several steps organisations can take to substantially reduce the chance of becoming a MitC victim.
1. Conduct regular security training – One of the most effective security measures is also one of the simplest. As described above, a MitC attack depends on social engineering to get its tool onto the victim’s machine. A well-trained, vigilant employee is far less likely to click a malicious link or open a suspect attachment in a phishing email. Security-conscious organisations should run regular training sessions for all employees to keep security top of mind and ensure they recognise the tell-tale signs of an attempted attack.
2. Use encryption to protect cloud data – Encryption cannot prevent a MitC attack, but it can prevent the data breach that would otherwise follow. Provided the data is encrypted on the client before it is uploaded and the keys are stored neither within the targeted cloud service nor in the sync folder, anything the attacker pulls down with the stolen token remains ciphertext, indecipherable and unusable without the key.
3. Enable two-factor authentication – Multi-factor authentication (MFA) is another simple but effective control, available with leading cloud services (Office 365, for example) and from specialised identity solutions that verify users across all of an organisation’s cloud resources. One caveat applies: a sync token is issued after the user has already passed MFA, so a copied token is replayed without any second-factor prompt, and MFA alone does not stop the token-copy step. Its value here is indirect. Providers typically require re-authentication for sensitive account changes such as resetting the password or enrolling a new device, so without the second factor the attacker cannot turn the stolen token into a full account takeover, and the stolen token is only as useful as its remaining lifetime. Pair MFA with prompt token revocation (most services can sign a user out of all devices) so that a suspected compromise can be cut off.
4. Invest in a cloud access security broker (CASB) – One of the most comprehensive protections against threats like MitC is a CASB deployed as a proxy that mediates all traffic between an organisation’s cloud apps and its endpoint devices. The CASB replaces each app’s OAuth token with an encrypted token of its own before delivering it to the endpoint. When a device accesses a cloud app it presents this unique, encrypted token to the CASB, which validates and decrypts it and passes the real token on to the app. If a user’s token were swapped for an attacker’s, the attacker’s raw token would fail validation and decryption at the proxy: the victim’s client could not sync to the attacker’s account, the victim’s token would never be exfiltrated, and the attacker would never gain access to the victim’s account. This holds only if endpoints can reach the cloud app solely through the CASB; a device that can talk to the app directly can still use a raw token, so the proxy must be enforced, not optional.
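To make the CASB mechanism in point 4 concrete, here is an added example (not the article’s, and not any vendor’s CASB code) of a proxy that wraps the provider’s real token in an encrypted, authenticated token of its own and accepts only tokens it issued. The wrapper additionally binds the token to a device identifier supplied by the endpoint (for example a client-certificate fingerprint); the article does not describe device binding, so it is an assumption added here so that a wrapped token copied to another machine is rejected as well. The construction (HMAC-SHA256 in counter mode for confidentiality, an HMAC-SHA256 tag for integrity, encrypt-then-MAC) uses only the standard library so it runs anywhere; a real deployment should use AES-GCM or another vetted AEAD.

```python
"""A CASB-style token wrapper: the endpoint holds an encrypted, authenticated,
device-bound token; only the proxy can turn it back into the provider's token.

Added example, not the article's or any vendor's code. Device binding is an
assumption added here. Uses HMAC-SHA256 as a PRF in counter mode plus an HMAC
tag (encrypt-then-MAC) so it runs with the standard library alone; a real
deployment should use AES-GCM or an equivalent vetted AEAD.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (key, nonce) into `length` bytes via HMAC(key, nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class Casb:
    def __init__(self, master_key: bytes):
        # Separate keys for encryption and authentication, derived from one secret.
        self.enc_key = hmac.new(master_key, b"casb-enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(master_key, b"casb-mac", hashlib.sha256).digest()

    def wrap(self, app_token: bytes, device_id: str) -> str:
        """Issue the token the endpoint will store: base64(nonce || ciphertext || tag)."""
        nonce = secrets.token_bytes(NONCE_LEN)
        ct = bytes(a ^ b for a, b in zip(app_token, _keystream(self.enc_key, nonce, len(app_token))))
        tag = hmac.new(self.mac_key, nonce + device_id.encode() + ct, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(nonce + ct + tag).decode()

    def unwrap(self, presented: str, device_id: str) -> Optional[bytes]:
        """Validate a token presented by `device_id`; return the provider token,
        or None if the token was not issued by this proxy for this device."""
        try:
            raw = base64.urlsafe_b64decode(presented.encode())
        except ValueError:  # binascii.Error is a ValueError subclass
            return None
        if len(raw) < NONCE_LEN + TAG_LEN:
            return None
        nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self.mac_key, nonce + device_id.encode() + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None
        return bytes(a ^ b for a, b in zip(ct, _keystream(self.enc_key, nonce, len(ct))))


def simulate_mitc(casb: Optional[Casb] = None) -> dict:
    """Replay the article's attack steps against the proxy; True means access granted."""
    casb = casb or Casb(secrets.token_bytes(32))
    victim_token = b"provider-token-for-alice"          # constructed value
    wrapped = casb.wrap(victim_token, "LAPTOP-ALICE")   # what alice's device stores
    return {
        # Normal sync from alice's own machine.
        "legitimate_device": casb.unwrap(wrapped, "LAPTOP-ALICE") == victim_token,
        # Switcher drops the attacker's raw provider token on alice's machine.
        "attacker_raw_token": casb.unwrap("attacker-provider-token-0011", "LAPTOP-ALICE") is not None,
        # Attacker copies alice's wrapped token and presents it from another device.
        "wrapped_token_replayed_elsewhere": casb.unwrap(wrapped, "UNKNOWN-7f3") is not None,
    }


if __name__ == "__main__":
    print(simulate_mitc())
```

The attacker’s raw token fails because it was never wrapped by the proxy, so the sync that was supposed to carry the victim’s token to the attacker’s account never authenticates; the device check is what stops the second variant, a wrapped token lifted from the victim’s disk and replayed from the attacker’s machine.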