Remote-access Guide

Man in the Cloud attack: remote access

by Gregory Farrell Published 2 years ago Updated 2 years ago

What is a Man in the Cloud attack? The MITC attack relies on common document synchronization services such as Google Drive, Dropbox and OneDrive. Its infrastructure is C&C-based, comprising remote access and data exfiltration.


What is the man in the cloud attack?

The benefits of these services, such as automated offsite data backups, file sharing, collaboration and system-independent access to the cloud data from anywhere at any time, have not gone unnoticed by malicious entities. Some very inventive attackers have come up with a technique that has since been labeled the “Man in the Cloud Attack” (MITC).

Can an attacker exploit vulnerabilities in a cloud service?

Thus, an attacker can exploit vulnerabilities in any one cloud service to gain unauthorized access to the data of legitimate users. For instance, the OpenStack cloud platform had more than 150 known weaknesses in its cloud services in 2016. A strong architecture can isolate each user's operations in the cloud from those of others.

What is the cloud hijacking attack?

The attack leverages the “access data from anywhere at any time” characteristic of cloud storage. There are many technical whitepapers on the details of this attack that are very interesting to read.


What are some examples of cloud services?

Examples include Sendspace, Zippyshare, ShareBeast, and Rapidgator. According to McAfee, companies use 1,083 cloud services on average, and the IT department is unaware of 90% or more of them.

How does MITC work?

The MITC attack is based on gaining access to a device's synchronization token. This token is stored on the device, in a file or in the registry, and lets the device sync continuously without requiring the user to enter credentials repeatedly.

What happens if a MITC is detected?

Once a (partial) MITC attack has been detected, the impact has been assessed, and the evidence has been gathered, it needs to be mitigated. As mentioned earlier, a skilled attacker would already have undone all system changes and removed all related malware files. This is not always the case, however: some attackers do not worry about leaving evidence, and sometimes either the attack or the subsequent clean-up fails. In any case, any remaining malware-related files need to be removed. It is also advised to close the cloud account and replace it with a new one. This guarantees that the synchronization token can never be used again, simply because the account no longer exists. Providers may offer ways to force a token to expire, but a successful outcome would be hard to prove, because the attacker no longer needs access to the target system; the token has already been copied.

How to prevent social engineering attacks?

The most effective way to prevent the social engineering attack that is likely to precede the MITC attack is a combination of comprehensive security awareness training and adequate technical controls. For example, a staff member who has just completed the (yearly) security awareness training is less likely to open the malicious e-mail attachment, which prevents the attacker from gaining a foothold within the organization's network. If the user does open the attachment, a traditional or next-generation antivirus product should detect and block the malware without any user interaction.

What is a CASB?

A CASB is deployed either inline, where it functions as a proxy, or via an API, where it monitors traffic to and from a cloud platform. Both options have their advantages, but the main function of the product is to monitor cloud traffic for account anomalies, such as those generated by an MITC attack.

Who is Frank Siemons?

Frank Siemons is an Australian security researcher at InfoSec Institute. His track record consists of many years of systems and security administration, both in Europe and in Australia. He holds many certifications, such as CISSP, and has a Master's degree in Information Systems Security from Charles Sturt University.

Is synchronization a dangerous attack method?

The principle is the same, however, and considering the importance of the synchronized data (why else would it have been selected for synchronization in the first place), this is a very dangerous attack method.

Why are cloud attacks dangerous?

These attacks are especially dangerous for cloud computing systems, as many users may suffer from the flooding of even a single cloud server. Under high workload, cloud systems provide more computational power by spinning up more virtual machines and service instances.

What are the goals of cyber attacks against cloud computing?

The main goals of cyber attacks against cloud computing are getting access to user data and preventing access to cloud services. Both can cause serious harm to cloud users and shatter confidence in the security of cloud services.

What are the different types of cloud computing?

There are three types of cloud computing services to choose from, depending on how much control you need:

  • Software as a Service (SaaS)
  • Platform as a Service (PaaS)
  • Infrastructure as a Service (IaaS)

Why do cloud developers need to take security measures?

Therefore, cloud developers need to take security measures to protect their users’ sensitive data from cyber attacks.

What is side channel attack?

A side channel attack is mounted by placing a malicious virtual machine on the same physical host as the target virtual machine. During a side channel attack, the attacker targets the system implementation of cryptographic algorithms rather than the algorithms themselves. This type of threat can be avoided with a secure system design.

How does cloud encryption work?

Although cloud providers use cryptographic algorithms to protect data in storage, they often rely on limited sources of entropy (such as the current time) to automatically generate the random numbers used for data encryption. For instance, Linux-based virtual machines generate random keys only from the exact millisecond. This may not be enough for strong data encryption, as attackers also use sophisticated techniques to recover the information. Cloud developers should therefore think about how to secure data before it moves to the cloud.

What is cloud storage?

Cloud users store various types of data in cloud environments, and a lot of that data contains sensitive information about users or business activities. However, this data is susceptible to loss, breach, or damage as the result of human actions, application vulnerabilities, and unforeseen emergencies.

Why is detection not enough?

Detection alone might not be enough, because cloud synchronizations are often scheduled at short intervals. In a reactive environment, a security team member might not be able to respond in time: it takes only minutes for an attacker to download a few gigabytes of data from a public cloud platform.

Has cloud adoption attracted attackers?

It is no surprise that the rapid growth of cloud adoption has attracted much unwanted attention from potentially harmful parties. Where a company used to be targeted directly or via a connected partner (through federation or a VPN), there is now another attack vector that provides unprecedented levels of access to any attacker able to pull it off: attacking the (cloud) service providers. A breach of a service provider potentially gives an attacker access to its managed clients as well, hugely increasing the impact and value of a successful attack. The "Cloud Hopper" report released in April 2017 by PwC and BAE Systems describes the actions undertaken by the APT10 group to achieve such an outcome. Although most of these actions fall into more traditional attack categories such as spear phishing (combined and on a much larger scale), the report does indicate a shift in the focus of attacks towards service providers. Some more specific attacks, aimed directly at managed cloud infrastructure, have also been seen in recent years.


Man in The Cloud Attack

Detection

  • It is quite difficult to detect a Man in the Cloud attack itself. There is a login against the cloud service using a different synchronization token (user). Without any further context around this event, IDS or proxy logs will at most show that a seemingly legitimate cloud sync occurred, which by itself does not warrant an alarm. A watch...
See more on resources.infosecinstitute.com
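The detection passage above and the earlier "Why is detection not enough?" section describe the only signals an MITC leaves in sync-service logs: the same account's token being used from a second device, and a large download shortly afterwards. The Python below is an added illustration of that watch, not code from the original page or from InfoSec Institute; the log format, field names, device inventory and thresholds are all constructed assumptions, and a real deployment would read the provider's audit/activity API or a CASB feed instead.

```python
"""MITC token-reuse detection over sync-service audit logs (added example, not
the page's or InfoSec Institute's code; log schema and thresholds are assumed)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice's usual client is laptop-01; her account token then
# appears from an unknown device on another network and pulls a lot of data.
SAMPLE_LOG = """\
2024-03-01T09:00:05Z alice laptop-01 203.0.113.10 sync 12000
2024-03-01T09:15:05Z alice laptop-01 203.0.113.10 sync 8000
2024-03-01T09:17:40Z alice vm-77 198.51.100.7 sync 3500000000
2024-03-01T09:20:00Z bob desktop-02 203.0.113.11 sync 50000
"""
KNOWN_DEVICES = {"alice": {"laptop-01"}, "bob": {"desktop-02"}}  # assumed inventory
BULK_BYTES = 1_000_000_000   # one sync moving more than 1 GB counts as bulk (assumption)
WINDOW = timedelta(minutes=30)

def parse(log_text):
    """Parse constructed 'ts user device ip action bytes' lines into dicts."""
    events = []
    for line in log_text.splitlines():
        ts, user, dev, ip, action, nbytes = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "device": dev, "ip": ip,
                       "action": action, "bytes": int(nbytes)})
    return events

def detect_mitc(events, known=KNOWN_DEVICES):
    """Return (rule, user, device) alerts for the three MITC indicators."""
    alerts, by_user = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            # 1. the account syncs from a device not in the inventory
            if e["device"] not in known.get(user, set()):
                alerts.append(("unknown_device", user, e["device"]))
            # 2. a second device on a different IP uses the same account within
            #    the window: consistent with a copied synchronization token
            recent = [p for p in evs[:i] if e["ts"] - p["ts"] <= WINDOW]
            if any(p["device"] != e["device"] and p["ip"] != e["ip"] for p in recent):
                alerts.append(("concurrent_devices", user, e["device"]))
            # 3. a single sync pulls bulk data (exfiltration of the synced folder)
            if e["bytes"] >= BULK_BYTES:
                alerts.append(("bulk_download", user, e["device"]))
    return alerts
```

Any one rule on its own is noisy (a user enrolling a new laptop trips the first two); it is the combination of all three within one short window that characterises the MITC pattern described on this page.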

Conclusion

  • The MITC attack presents some new and unique challenges for organizations that take security seriously. Having a solid foundation of traditional security controls will certainly assist in detection and prevention of an MITC attempt. It is advised, however, if the security budget allows for it, to invest in some more specific controls such as the mentioned Cloud Access Security Bro…
See more on resources.infosecinstitute.com
