CYBER SECURITY OUTFIT Imperva has revealed a new type of attack called 'man-in-the-cloud' (MITC) that allows hackers to access cloud storage services without the need for a password.
The research was unveiled at the Black Hat security conference in Las Vegas, and shows how the attack lets hackers hijack the accounts of users of cloud-based storage services, such as Box, Dropbox, Google Drive and Microsoft OneDrive, without their knowledge.
Imperva said that the hacker authenticates to the cloud service with a stolen synchronisation token, which is generated the first time a cloud syncing service is used on a PC, so the user's cloud account username or password is never compromised.
From here, an attacker can access and steal a user's files, and even add malware or ransomware to the victim's cloud folder.
Imperva said in some cases "recovery of the account from this type of compromise is not always feasible".
Amichai Shulman, CTO of Imperva, said that, as well as having consumers on their toes, this type of attack should have businesses that rely on cloud-based services worried.
"Our research has revealed just how easy it is for cyber criminals to co-opt cloud synchronisation accounts, and how difficult it is to detect and recover from this new kind of attack," he said.
"Since we have found evidence of MITC in the wild, organisations that rely on protecting against infection through malicious code detection or command and control (C&C) communication detection are at a serious risk, as MITC attacks use the in-place Enterprise File Synch and Share infrastructure for C&C and exfiltration."
To protect against such attacks, Imperva said that firms should invest more effort in monitoring and protecting business-critical enterprise data resources, both in the cloud and on-premises.
Companies should use a cloud access security broker solution that monitors access to and use of enterprise cloud services, and deploy controls such as data activity monitoring and file activity monitoring solutions around business data resources to identify abnormal and abusive access to business-critical data.
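One concrete form the file activity monitoring above can take is a check for a sync token being used from a machine other than the one it was issued to, which is the signature of the token theft described earlier. The following is an added example, not Imperva's code or any vendor's product; the audit-log format (timestamp, token id, device id, source IP, action) and the sample events are constructed for illustration.

```python
import csv
import io
from collections import OrderedDict

# Constructed sample audit log for a cloud sync service (not real vendor logs).
# Assumed columns: timestamp, token_id (opaque id of the sync token), device_id,
# source_ip, action. The token tok-a1 is issued to laptop-01 and then shows up
# on a different host, which downloads and then uploads into the synced folder.
SAMPLE_LOG = """timestamp,token_id,device_id,source_ip,action
2015-08-05T09:00:00Z,tok-a1,laptop-01,10.1.2.3,list
2015-08-05T09:05:00Z,tok-a1,laptop-01,10.1.2.3,download
2015-08-05T09:07:00Z,tok-a1,host-zz9,203.0.113.7,download
2015-08-05T09:08:00Z,tok-a1,host-zz9,203.0.113.7,upload
2015-08-05T10:00:00Z,tok-b2,desktop-07,10.1.2.9,list
"""


def token_reuse_alerts(log_text):
    """Return one alert per sync token that is used from more than one device.

    The first device seen with a token is treated as the PC the token was
    issued to; any later use from a different device is suspicious, because a
    sync token is meant to stay bound to the machine that obtained it.
    """
    first_device = {}            # token_id -> device that first used it
    foreign_use = OrderedDict()  # token_id -> events from other devices
    for row in csv.DictReader(io.StringIO(log_text)):
        tok = row["token_id"]
        if tok not in first_device:
            first_device[tok] = row["device_id"]
            continue
        if row["device_id"] != first_device[tok]:
            foreign_use.setdefault(tok, []).append(row)

    alerts = []
    for tok, events in foreign_use.items():
        alerts.append({
            "token_id": tok,
            "issued_to": first_device[tok],
            "also_used_by": sorted({(e["device_id"], e["source_ip"]) for e in events}),
            # An upload from the foreign device means it wrote into the synced
            # folder, the path by which malware or ransomware would be planted.
            "wrote_to_folder": any(e["action"] == "upload" for e in events),
            "event_count": len(events),
        })
    return alerts


if __name__ == "__main__":
    for alert in token_reuse_alerts(SAMPLE_LOG):
        print(alert)
```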