[BreachExchange] Beware the man in the cloud: How to protect against a new breed of cyberattack

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jan 22 10:50:18 EST 2019


https://www.helpnetsecurity.com/2019/01/21/mitc-attack/

One malicious tactic that has become quite prevalent in recent years is
known as a ‘man in the cloud’ (MitC) attack. This attack aims to access
victims’ accounts without the need to obtain compromised user credentials
beforehand. Below, this article explains the anatomy of MitC attacks and
offers practical advice about what can be done to defend against them.

What is a MitC attack?

To gain access to cloud accounts, MitC attacks take advantage of the OAuth
synchronisation token system used by cloud applications. The majority of
popular cloud services – Dropbox, Microsoft OneDrive, Google Drive, and
more – each save one of these tokens on a user’s device after initial
authentication is completed. This is done to improve usability – users
don’t have to enter their password every time they attempt to access an app
if they have an OAuth token.

However, the anytime, anywhere nature of cloud services means that the same
token can grant access from any device. As such, if an attacker can access
and copy a token, she or he can infiltrate the victim’s cloud remotely – in
a manner that appears genuine and bypasses security measures.

According to Minerva, the research team that first discovered MitC attacks,
the easiest way to get access to a token is through social engineering.
This involves tricking the victim into running purpose-built malware tools,
such as Switcher, that are usually distributed via email.

Once executed on the victim’s device, this malware installs a new token
(belonging to a new account that the attacker created) and moves the
victim’s real token into a cloud sync folder. Then, when the victim’s
device next syncs, it syncs the victim’s data to the attacker’s account
instead of the victim’s. In addition, the original account token is
revealed to the attacker. At that point, the Switcher can be used to copy
the original account token back to the victim’s machine and erase the
malicious one, removing all traces of the security breach and leaving the
attacker with full access to the victim’s account on any device.

How to protect against MitC attacks

The nature of the MitC attack makes it very difficult to prevent with
conventional security measures such as endpoint and perimeter protection.
However, there are several steps that organisations can take to
significantly minimise (or even eliminate) the chance of becoming a MitC
victim.

1. Conduct regular security training – One of the most effective security
measures is also one of the simplest. As mentioned above, MitC attacks rely
on social engineering to be successful. Fortunately, a well-trained,
vigilant employee is far less likely to click on a malicious link or a
suspect attachment inside of a phishing email. Security-conscious
organisations should conduct regular trainings with all of their employees
in order to keep security top of mind and ensure that they know the
tell-tale signs of an attempted attack.

2. Use encryption to protect cloud data – While encryption cannot prevent
an MitC attack from occurring, it can prevent the data breaches that may
take place as a result. Provided the encryption keys are not also stored
within the targeted cloud service, any data accessed through an MitC attack
would remain encrypted to the attacker. This means that the stolen
information would be indecipherable and unusable to the malicious party.

3. Enable two-factor authentication – Multi-factor authentication (MFA) is
another simple but effective way to help minimise the threat of MitC
attacks. This authentication capability is available with leading cloud
services (Office 365) as well as from specialized security solutions built
to verify users’ identities across all of an organisation’s cloud-based
resources. MFA adds an extra layer of security that can easily thwart an
MitC attacker who doesn’t have the ability to authenticate beyond an OAuth
token.

4. Invest in a cloud access security broker (CASB) – One of the most
comprehensive ways to protect against threats like MitC attacks is through
the deployment of a CASB. CASBs intermediate all traffic between an
organisation’s cloud apps and endpoint devices – they automatically replace
each app’s OAuth tokens with encrypted tokens before delivering them to
endpoints. As a device attempts to access a cloud app, the unique,
encrypted token is presented to the CASB, which decrypts it and passes it
along to the app. Consequently, if a user’s token were to be replaced
with a hacker’s, then the malicious token would fail validation and
decryption at the proxy, denying access to the intended victim’s account
and nullifying the attack.
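The broker token exchange described above, as an added example (not the article's code and not any vendor's CASB): a toy broker that hands endpoints a device-bound, HMAC-authenticated opaque handle in place of the real OAuth token, standing in for the encrypted tokens the article describes so that it runs on Python's standard library alone. The device ids and token strings are constructed, and binding each handle to one device is an assumption about how "unique" tokens are scoped.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


class TokenBroker:
    """Toy CASB: the real OAuth token stays in the broker's vault; the endpoint
    only ever holds an opaque handle the broker can validate and map back."""

    def __init__(self, key: bytes) -> None:
        self._key = key  # broker-held secret, never delivered to endpoints
        self._vault: Dict[str, Tuple[str, str]] = {}  # handle_id -> (device_id, real token)

    def _tag(self, device_id: str, handle_id: str) -> str:
        return hmac.new(self._key, f"{device_id}:{handle_id}".encode(), hashlib.sha256).hexdigest()

    def issue(self, device_id: str, real_token: str) -> str:
        """On first authentication through the broker, swap the real token for a handle.
        Device ids must not contain '.', which separates the handle's fields."""
        handle_id = secrets.token_hex(16)
        self._vault[handle_id] = (device_id, real_token)
        return f"{device_id}.{handle_id}.{self._tag(device_id, handle_id)}"

    def resolve(self, device_id: str, presented: str) -> Optional[str]:
        """Validate what an endpoint presents; return the real token to forward
        to the cloud app, or None to deny the request."""
        parts = presented.split(".")
        if len(parts) != 3:
            return None  # not a broker handle at all (e.g. a raw OAuth token)
        bound_device, handle_id, tag = parts
        if not hmac.compare_digest(tag, self._tag(bound_device, handle_id)):
            return None  # forged or tampered handle
        if bound_device != device_id:
            return None  # handle copied off one device and replayed from another
        entry = self._vault.get(handle_id)
        if entry is None or entry[0] != device_id:
            return None  # unknown or revoked handle
        return entry[1]


def simulate() -> Dict[str, bool]:
    """Constructed scenario: legitimate sync, a swapped-in raw token, and a copied handle."""
    broker = TokenBroker(secrets.token_bytes(32))
    victim_real = "constructed-victim-oauth-token"
    victim_handle = broker.issue("laptop-victim", victim_real)
    return {
        "legit_sync_allowed": broker.resolve("laptop-victim", victim_handle) == victim_real,
        "raw_token_on_endpoint_denied": broker.resolve("laptop-victim", "constructed-attacker-oauth-token") is None,
        "handle_replayed_elsewhere_denied": broker.resolve("other-box", victim_handle) is None,
    }
```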

The popularity of the cloud continues to rise at an unprecedented rate;
however, like with so many new technologies, this growing popularity comes
with new risks. MitC attacks exploit the anytime, anywhere data access
provided by the cloud and are designed to give hackers unauthorised access
to sensitive information. While detecting these threats with conventional
security tools is virtually impossible, that doesn’t mean that
organisations are defenceless.

Regular employee trainings, when combined with security measures like
encryption, two-factor authentication, and CASBs, can provide an extremely
robust defence against MitC attacks and countless other threats. In the
modern business world, effective security isn’t a luxury – it’s a
necessity. Any organisation that fails to remain prepared will inevitably
suffer a breach.