
BlackHat 2015: Firms must switch focus to data security, says Imperva

Without using any exploits, hackers can turn synchronisation services such as Dropbox, GoogleDrive and Box into a devastating attack tool, warns Imperva

Cyber attackers could use common file synchronisation services such as GoogleDrive and Dropbox for command and control, data exfiltration and remote access, security firm Imperva has revealed.

The security firm detailed this emerging threat, dubbed man-in-the-cloud (MITC) attacks, in a report unveiled at the BlackHat USA 2015 security conference in Las Vegas.

This kind of attack is yet another reason why businesses need to switch focus from endpoint and perimeter security to data monitoring and data security, said Amichai Shulman, chief technology officer at Imperva.

“Although this is changing, it is not changing fast enough and not enough companies are investing in data monitoring and data security capabilities,” he told Computer Weekly.

Imperva researchers have demonstrated how, without using any exploits, a simple reconfiguration of synchronisation services can turn services such as OneDrive, Dropbox, GoogleDrive and Box into a devastating attack tool that is not easily detected by common endpoint and perimeter security measures.

File synchronisation services make sure data is accessible to multiple users and devices, sometimes across different countries and even organisations. Many enterprises nowadays are adopting one of these services as a tool for business data synchronisation on employee devices.

But because MITC attacks do not require any malicious code or exploit to be used in the initial “infection” stage, researchers say this type of attack is difficult to avoid.

The use of well-known synchronisation protocols also makes it extremely difficult, if not impossible, to distinguish between malicious traffic and normal traffic. Even if a compromise is suspected, the discovery and analysis of evidence will not be easy, the researchers said, because there is very little left behind on the endpoint.

In a typical MITC attack, the attacker would get access to the victim’s account without compromising the victim’s user name or password. Instead, attackers could access the victim’s account and make the endpoint synchronise with an attacker-controlled account by manipulating the synchronisation token that is stored on the endpoint and used to authenticate to the cloud without using an account name and password.

“By simply copying a token for an account into the right place in the end station, we were able to make the synchronisation application switch to the account represented by the token,” the researchers said in the report.

They built a software tool called the Switcher that takes as input a synchronisation token and puts it into the right place on the victim’s end station to make it synchronise with the account represented by the token.

“The token we provide to the Switcher is extracted from the attacker’s machine and represents an account created and controlled by the attacker. Before making the actual switch, the Switcher stores the original token from the victim’s machine to a file. This file is copied by the Switcher to the sync folder immediately after the switch, so that the original token is synchronised to the attacker-controlled account,” they said.

The report shows that not only is this type of compromise very hard to detect, but recovery of the account from this type of compromise is not always possible, which means compromised accounts have to be closed and new ones opened.

According to the report, the MITC compromise enables the attacker to share the victim’s file synchronisation account, which means the attacker can then access any file that is synchronised by the victim and infect any of these files with malicious code at will.

Imperva also detailed a potential attack that enables an attacker to maintain remote access to the victim, allowing the attacker to interact with the victim’s machine from time to time, execute arbitrary code and collect that code’s output.

Because most organisations either allow their employees to use these services, or even rely on these services as part of their business toolbox, Imperva’s researchers predict that MITC attacks will become prevalent in the wild.

“As a consequence, we encourage enterprises to shift the focus of their security effort from preventing infections and endpoint protection to securing their business data and applications at the source,” said Shulman.

“Many organisations still do not understand the real threat and think they can avoid the initial compromise, and that this is where they should put all their efforts and investments. As a result, there is still a bias in favour of endpoint and perimeter security.”

Shulman said this must change, even though it may be difficult because of existing investments in perimeter and endpoint security. “The challenge many organisations face is finding ways of shifting budget away from these heavily-entrenched areas,” he said.

Another important take-away from this report, said Shulman, is that organisations using any cloud-based applications – which is inevitable because it is good for business – need to put their own controls around cloud services and not rely on cloud service providers to do the security for them.

“While this report demonstrates the abuse of cloud synchronisation services, there could be similar abuses of other cloud-based services such as customer relationship management (CRM), enterprise resource management (ERP) and others, which means there is need for additional controls through cloud access security brokers (CASBs), for example,” he said.

According to the report, only by detecting abusive access patterns to cloud-based resources can enterprises protect against this next generation of breaches.

CASBs typically monitor access and usage of enterprise cloud services by the enterprise users, enabling organisations to detect anomalies in the way an account for a file synchronisation service is used and accessed. “The better CASBs are those that are deployed virtually inline, making mitigation easier by blocking access of unrecognised devices to the data,” said Shulman.
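The account switch described above leaves two traces that a CASB or file activity monitor can look for in a sync service’s access logs: the victim’s token being used from a device not registered to that account, and a registered corporate device suddenly syncing with an account outside the company. The following check is an added example, not code from the Imperva report or this article; the device inventory, account names and log records are constructed for illustration.

```python
"""Added example: flag the two access-pattern anomalies a man-in-the-cloud
(MITC) token switch produces in file-sync access logs.  All inventory data,
account names and events below are constructed, not taken from any report."""
from dataclasses import dataclass

# Constructed inventory: devices registered to each corporate sync account.
REGISTERED_DEVICES = {
    "alice@corp.example": {"dev-laptop-01", "dev-phone-01"},
    "bob@corp.example": {"dev-laptop-02"},
}
CORPORATE_DOMAIN = "corp.example"


@dataclass(frozen=True)
class SyncEvent:
    account: str    # account the sync client authenticated as (via its token)
    device_id: str  # client-reported device identifier
    action: str     # e.g. "list", "download", "upload"


def detect_mitc_anomalies(events):
    """Return a list of (reason, event) pairs for events matching an MITC pattern.

    1. A corporate account's token is used from a device not registered to it
       (the victim's token replayed from an attacker-controlled machine).
    2. A registered corporate device syncs with an account outside the
       corporate domain (the endpoint was switched to an attacker's account).
    """
    known_devices = set().union(*REGISTERED_DEVICES.values())
    findings = []
    for ev in events:
        if ev.account in REGISTERED_DEVICES:
            if ev.device_id not in REGISTERED_DEVICES[ev.account]:
                findings.append(("token used from unregistered device", ev))
        elif ev.device_id in known_devices and not ev.account.endswith("@" + CORPORATE_DOMAIN):
            findings.append(("corporate device synced to foreign account", ev))
    return findings


# Constructed sample log: normal use, then both sides of an account switch.
SAMPLE_EVENTS = [
    SyncEvent("alice@corp.example", "dev-laptop-01", "list"),
    SyncEvent("alice@corp.example", "dev-phone-01", "download"),
    SyncEvent("alice@corp.example", "dev-unknown-9f", "download"),        # victim token replayed
    SyncEvent("drop-account-77@mail.example", "dev-laptop-01", "upload"),  # endpoint switched
]

if __name__ == "__main__":
    for reason, ev in detect_mitc_anomalies(SAMPLE_EVENTS):
        print(f"{reason}: {ev}")
```

Running it reports the third and fourth constructed events; the first two, which match the inventory, produce no findings.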

He also recommended that organisations deploy controls such as database activity monitoring (DAM) and file activity monitoring (FAM) around their business data resources, rather than concentrate all their efforts on finding specific malware.

“If an organisation wants to ensure that a security compromise does not develop into a data breach, it needs to monitor data access closely to be able to detect abuses and abnormal access patterns and to shut down access quickly when necessary,” said Shulman.

Underlining the need for organisations to take action, the researchers revealed that while they were testing their concepts in the lab, evidence emerged that similar attacks are already being used in the wild as mentioned in “The Inception Framework” analysis by Blue Coat.

Shulman added: “While we have not seen in the wild exactly the same technique we have described in which everything is done through the file synchronisation service, FireEye recently announced it had come across a botnet operation using Twitter as its command-and-control channel and a file synchronisation service as its data exfiltration channel, and we are seeing enough evidence in the wild that attackers understand the potential and are starting to make use of this type of infrastructure in the cloud.”
