Stealing data from cloud storage services using the "Man in the Cloud" attack

As you are all aware, popular cloud storage services such as Google Drive, OneDrive, Dropbox, etc. are used by individuals and organizations to share data and make it available on multiple devices. According to researchers, these cloud services can be compromised through a man-in-the-cloud (MITC) attack.

According to the Imperva Hacker Intelligence report, this vulnerability allows an attacker to gain remote access, compromise the endpoint, and sync data from the cloud. The worst part is that attackers don't even need credentials to gain access to the victim's file synchronization account.
Cloud services don't ask the user to enter the account credentials every time data is synced to a device. Instead, the service generates a synchronization token on the device, and that token is used to establish the connection between the device and the cloud. The token is stored encrypted on the device, but it can be accessed and decrypted by an attacker. Malicious actors have designed a tool to obtain this access token, and they can then synchronize their own devices with the victim's account simply by placing the token in the right location on their own system.

Imperva researchers have developed a tool that manipulates synchronization tokens to take over the victim's account and, implicitly, their data. Such a tool can be delivered to the victim via phishing or drive-by download attacks. Once attackers have access to the victim's account, they can not only sync the files in the sync folder but also manipulate them. The attacker can also set up a backdoor to maintain access to the system.

An MITC attack is difficult to detect because it leaves no malicious code running on the victim's system, and data is sent and received through an encrypted channel. "In practice, some cloud services do not revoke the sync token even if the user changes the account password." Once an attacker has obtained the sync token, they can access the victim's files indefinitely. Furthermore, even if the attack is detected, the victim may need to cancel the compromised account to keep the attacker out.
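The two weaknesses described above (a sync token that works from any device, and a token that survives a password change) and the detection gap that follows from them can be shown with a small model. The following is an added example written for this post, not Imperva's tool or any real provider's code: it constructs a toy sync back end with both behaviours as switches, replays the token from a second, constructed device identifier, and runs a simple audit-log check that flags a token accepted from more than one device. Account names, device identifiers and the service's API are all assumptions made for the illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SyncToken:
    token_id: str
    account: str
    device_id: Optional[str]  # None means the token is not tied to any device


@dataclass
class SyncService:
    """Toy cloud back end (constructed for this example, not any real provider)."""
    revoke_on_password_change: bool   # hardened: True, weak: False
    bind_token_to_device: bool        # hardened: True, weak: False
    _creds: dict = field(default_factory=dict)   # account -> (salt, pbkdf2 digest)
    _tokens: dict = field(default_factory=dict)  # token_id -> SyncToken
    audit: list = field(default_factory=list)    # (account, token_id, device_id, accepted)

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, account: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._creds[account] = (salt, self._hash(salt, password))

    def _check_password(self, account: str, password: str) -> bool:
        salt, digest = self._creds[account]
        return secrets.compare_digest(digest, self._hash(salt, password))

    def issue_token(self, account: str, password: str, device_id: str) -> str:
        """Interactive login: the only step where the password is required."""
        if not self._check_password(account, password):
            raise PermissionError("bad credentials")
        token_id = secrets.token_urlsafe(24)
        bound = device_id if self.bind_token_to_device else None
        self._tokens[token_id] = SyncToken(token_id, account, bound)
        return token_id

    def sync(self, token_id: str, device_id: str) -> bool:
        """A sync request carries only the token; no password is asked for."""
        tok = self._tokens.get(token_id)
        accepted = tok is not None and (tok.device_id is None or tok.device_id == device_id)
        self.audit.append((tok.account if tok else "?", token_id, device_id, accepted))
        return accepted

    def change_password(self, account: str, new_password: str) -> None:
        salt = secrets.token_bytes(16)
        self._creds[account] = (salt, self._hash(salt, new_password))
        if self.revoke_on_password_change:
            stale = [t for t, tok in self._tokens.items() if tok.account == account]
            for t in stale:
                del self._tokens[t]


def tokens_used_from_multiple_devices(audit: list) -> dict:
    """Detection: a sync token that was accepted from more than one device identifier."""
    devices: dict = {}
    for _account, token_id, device_id, accepted in audit:
        if accepted:
            devices.setdefault(token_id, set()).add(device_id)
    return {t: d for t, d in devices.items() if len(d) > 1}


def scenario(revoke: bool, bind: bool) -> dict:
    """Victim logs in once; a copy of the token is then replayed from another device."""
    svc = SyncService(revoke, bind)
    svc.register("alice", "correct horse")                       # constructed account
    tok = svc.issue_token("alice", "correct horse", "alice-laptop")
    victim_ok = svc.sync(tok, "alice-laptop")
    attacker_before = svc.sync(tok, "other-machine")             # replayed token
    svc.change_password("alice", "new battery staple")
    attacker_after = svc.sync(tok, "other-machine")
    victim_after = svc.sync(tok, "alice-laptop")                 # False if revoked
    return {
        "victim_ok": victim_ok,
        "attacker_before": attacker_before,
        "attacker_after_pw_change": attacker_after,
        "victim_after_pw_change": victim_after,
        "flagged": tokens_used_from_multiple_devices(svc.audit),
    }


if __name__ == "__main__":
    print("weak    :", scenario(revoke=False, bind=False))
    print("hardened:", scenario(revoke=True, bind=True))
```

In the weak configuration the replayed token is accepted before and after the password change, which is exactly the persistence the report describes; the only thing that exposes it is the server-side audit check, which sees one token arriving from two device identifiers. In the hardened configuration the replay fails on the device binding, and the password change invalidates the token for everyone, so the victim's own client must log in again, a small cost that closes the "access for a lifetime" problem. The point of the model is that the defence has to live on the service side: nothing on the endpoint distinguishes the attacker's sync traffic from the victim's.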

This appears to be part of an increasing trend in the use of legitimate services by threat actors. Last month, FireEye published a report on HAMMERTOSS, a malicious backdoor used by the Russian group known as APT29. HAMMERTOSS attacks involve stealing data, using Twitter and GitHub for C&C communications, and using cloud storage services for data exfiltration.
