Man in the Cloud attack scenario - Quick Double Switch

Now-a-days, Cloud storage services like Google drive, Drop box etc. are gaining importance because of their cost effective storage mechanisms.The data is shared and made available on multiple devices for application users , as per researchers. This Cloud data can be hacked by Man in the Cloud attack.

With the increased usage of mobile devices, tablets,etc.. The cloud services cannot ask users to log-in each time for data sync across multiple devices. Hence, Cloud services generate the token in the devices after initial authentication and stores it in the registry or in a file for synchronizing the data, same token can be used for different machines or devices that are synchronized by that account by simply copying the token of that account into the right place in the device, this way we were able to make the synchronization application switch to the account represented by the token. Therefore, Attacker's can gain access to victim’s account by simply stealing this token instead of compromising password's.

Researchers have developed a tool called “Switcher” which will manipulate the Sync token to take over the victim's account, The tool takes sync token as input and stores it into the appropriate place on the victim’s device to synchronize with the cloud account represented by the token. The token provided to the switcher tool is extracted from the attacker’s machine and represents an account created or controlled by the attacker.

Quick Double Switch : Here The attacker runs the 'Switcher' in the victim's machine via phishing or drive-by transfer attacks, which enables the attacker to share the victim’s synchronization token. The attacker is then able to access files which are synchronized by the victim and infect these files with malicious code.

How Attack is Executed:

  1. The attacker tricks the victim (using phishing or drive-by transfer attacks) or uses an exploit in order to execute the Switcher in victim's device. The Switcher then place the attacker’s synchronization token into the cloud Application.

  1. When this first switch is complete, the Switcher copies the original synchronization token into the synced folder.

  1. Now the Cloud Application syncs with the attacker’s account.

  1. The attacker is now owning the access to victim’s synced folder intern for synchronization token which is placed in the folder by the tool.

  1. The attacker then uses the stolen victim's synchronization token to connect with the victim’s file synchronization account by using the Switcher tool on the his own machine.

  1. The Switcher tool runs for the second time on the victim’s machine (hence the name “double switch”) restoring the original synchronization token of the victim, essentially restoring the cloud Application to its original state.

Now both Victim's and Attacker's devices run with the same synchronization token giving attacker access to the Victim's synced folder.

This is the “cleanest” form of attack as once the attack is complete, the victim’s cloud application’s state is same as before the attack. Even the Switcher’s code is very simple. It does not interact with the Internet and only modifies some specific files or registry keys. hence, it becomes extremely difficult to identify this code as malicious.

Once the Switcher tool execution is completed, it can be easily removed from the victim's device, leaving no traces of evidence of the compromise.

Authored by Rajesh Rao

Rate this article: 
Average: 2.4 (7 votes)
Article category: