Man in the Cloud Attack Leverages SaaS Vulnerability
Attackers could use SaaS service synchronization to steal your enterprise data.
Software-as-a-service (SaaS) applications that synchronize data through the cloud, including programs like Google Drive and Dropbox, are among the most popular enterprise uses of the cloud. Unfortunately, according to Amichai Shulman, CTO of Imperva, a new potential type of attack he has dubbed "man in the cloud" could let attackers turn that synchronization against the organizations that rely on it.
Shulman, who is presenting the man in the cloud attack at this week's Black Hat USA conference, told eSecurityPlanet that such attacks would leave no trace and, once in place, would make an attacker difficult to eradicate.
The man in the cloud term is a play on the classic man-in-the-middle Web attack, in which an attacker sits between the victim and a server, intercepts the traffic and does whatever he or she wants with it.
How Man in the Cloud Attack Works
With man in the cloud, Shulman said, an attacker takes control of a victim's cloud synchronization token. It is therefore not an attack on the user's password, but on the application token that the SaaS platform places on an end-user device to maintain the persistent connection that keeps the device's data in sync.
"Tokens are more vulnerable than passwords," Shulman said.
Once attackers control the token, they are free to manipulate the synchronized data, which could result in data loss or an outright breach. When a user logs into a SaaS sync service, the client receives an access token that is stored on the endpoint, in the registry or in a configuration file, and the client presents that token to the service on every connection. The token is persistent and, because the application depends on it to stay connected, it cannot be rotated frequently.
Thus if a user turns the computer off and on again, the local sync agent starts up and does not ask for the password, because it already holds a valid token, Shulman explained.
What's more, if a user's SaaS token is compromised, it is difficult for an organization to invalidate it.
"It's not a vulnerability; it's just how things work," Shulman said. "It won't change unless users are willing to give up the usability of being able to stay connected to cloud sync services."
Focus on Data Security
Cloud access security broker (CASB) technology, offered by multiple vendors including Imperva and competitors like Adallom, can help address the problem, Shulman said. A broker in the access path gives more visibility into who is accessing the service, which can help detect potential abuse.
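The mechanism described above (a token persisted on the endpoint that the sync agent presents without ever re-prompting for a password) and the broker-style detection of its abuse can be seen together in the following added example. It is not Imperva's code and not the protocol of any real sync client; the toy service, the client, the JSON config file, the log format and the one-hour detection window are all assumptions chosen to mirror the article's description. The victim's agent logs in once, restarts and syncs with only the stored token, an attacker copies that config file to a second host and syncs with it, and a detector over the service's access log flags the same token arriving from two devices. Revocation is then shown as the only server-side cut-off, which is why the user must log in again afterwards.

```python
"""Persistent sync-token model plus a token-sharing detector (added example)."""
import hashlib
import json
import secrets
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import Path


def token_id(token: str) -> str:
    """Short fingerprint so the access log never stores the bearer token itself."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


class SyncService:
    """Hypothetical SaaS backend: one password login mints a long-lived token."""

    def __init__(self) -> None:
        self._passwords = {"alice": "correct horse battery staple"}  # constructed user
        self._tokens: dict[str, str] = {}  # token -> user; never rotated by itself
        self.access_log: list[dict] = []

    def login(self, user: str, password: str) -> str:
        if self._passwords.get(user) != password:
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = user
        return token

    def sync(self, token: str, device: str, ts: datetime) -> str:
        user = self._tokens.get(token)
        if user is None:
            raise PermissionError("token invalid or revoked")
        self.access_log.append({"ts": ts, "user": user,
                                "token_id": token_id(token), "device": device})
        return user

    def revoke(self, token: str) -> None:
        self._tokens.pop(token, None)


class SyncAgent:
    """Hypothetical desktop client: keeps the token in a config file and
    reconnects with it after a restart, never asking for the password again."""

    def __init__(self, service: SyncService, config_path: Path, device: str) -> None:
        self.service, self.config_path, self.device = service, config_path, device

    def first_run(self, user: str, password: str) -> None:
        token = self.service.login(user, password)
        self.config_path.write_text(json.dumps({"user": user, "token": token}))

    def sync_after_restart(self, ts: datetime) -> str:
        cfg = json.loads(self.config_path.read_text())  # no password prompt
        return self.service.sync(cfg["token"], self.device, ts)


def detect_token_sharing(access_log: list[dict],
                         window: timedelta = timedelta(hours=1)) -> list[dict]:
    """Flag a token presented from more than one device inside `window`
    (the kind of check a broker with access visibility could run; the
    window is an assumed threshold)."""
    by_token: dict[str, list[dict]] = defaultdict(list)
    for entry in sorted(access_log, key=lambda e: e["ts"]):
        by_token[entry["token_id"]].append(entry)
    findings = []
    for tid, entries in by_token.items():
        for i, cur in enumerate(entries):
            for prev in entries[:i]:
                if cur["device"] != prev["device"] and cur["ts"] - prev["ts"] <= window:
                    findings.append({"token_id": tid, "user": cur["user"],
                                     "devices": sorted({prev["device"], cur["device"]}),
                                     "at": cur["ts"]})
                    break
    return findings


def run_scenario() -> dict:
    """Victim syncs normally, attacker replays a copied config file, detector fires."""
    service = SyncService()
    t0 = datetime(2015, 8, 5, 9, 0)  # constructed timestamp
    with tempfile.TemporaryDirectory() as tmp:
        victim_cfg = Path(tmp) / "sync_config.json"
        victim = SyncAgent(service, victim_cfg, device="victim-laptop")
        victim.first_run("alice", "correct horse battery staple")
        victim.sync_after_restart(t0)
        # Attacker exfiltrates the config file and replays it from another host.
        stolen_cfg = Path(tmp) / "stolen_config.json"
        stolen_cfg.write_bytes(victim_cfg.read_bytes())
        attacker = SyncAgent(service, stolen_cfg, device="attacker-vm")
        attacker_user = attacker.sync_after_restart(t0 + timedelta(minutes=20))
        findings = detect_token_sharing(service.access_log)
        # Revoking the token is the only server-side cut-off; the victim must re-login.
        service.revoke(json.loads(victim_cfg.read_text())["token"])
        try:
            attacker.sync_after_restart(t0 + timedelta(minutes=40))
            still_works = True
        except PermissionError:
            still_works = False
    return {"attacker_got_user": attacker_user, "findings": findings,
            "attacker_access_after_revoke": still_works}


if __name__ == "__main__":
    print(json.dumps(run_scenario(), default=str, indent=2))
```

The detector keys on a token fingerprint rather than the token value, so the log it consumes is safe to retain; in practice the "device" field would come from a client certificate, device ID or source address seen by the broker, and the window would be tuned against how often legitimate users genuinely switch machines.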
More importantly, Shulman said, organizations need to understand what attackers are after, namely data, and can minimize risk by focusing on data security.
"You should focus on making sure whoever is accessing the data stores is not abusing the access," he said.