Beware! The latest news from the cyber security industry is more than disturbing. According to the Hacker Intelligence Initiative report by Imperva, a well-known cyber security company, cybercriminals may now easily gain access to all of a user’s files in cloud services such as Google Drive, Microsoft OneDrive, Dropbox, and Box if they are able to get into the computer on which the clients of these services are installed. Moreover, the cybercriminals do not need the login and password to access the data in the user’s account.
How might the malware be introduced?
The experts found that all of the listed services give their client-side applications constant access to the servers with the help of security tokens, which are generated during the initial authentication. These tokens are stored on the device in a file, in the Windows registry or in the Windows Credential Manager (depending on the type of application). To simulate the attack, the analysts developed a tool called Switcher, which is able to run on the victim’s computer (delivered, for example, via a disguised e-mail or through a hole in browser security). Once on the computer, Switcher replaces the token with its own, tied to an attacker’s account prepared in advance, and uses it to access the account of a particular cloud service. Switcher then re-initializes the client-side application of the corresponding cloud service, which proceeds to use the swapped token. As a result, data from the victim’s device is synchronized to the hacker’s cloud account. The original token that Switcher replaced is extracted from the victim’s machine and sent to the attacker. In some cases the attacker can use this token to access the victim’s cloud account. So the attacker not only obtains the victim’s files during the attack but can also use the token for further access to the victim’s account from his own computer.
The extent of the threat
Researchers say that this vulnerability leaves the door wide open for cybercriminals. For example, through automatic synchronization with the account, the criminal can place a malicious executable onto the victim’s device. After this file is run, the hacker has unlimited access to the victim’s device even if Switcher is deleted from it. In another case, a hacker can encrypt the personal data that the user stores in the cloud, substitute the encrypted data onto the victim’s computer through automatic synchronization, and later extort money for decrypting it. This method is used by ransomware programs, which are becoming more and more popular nowadays.
Anti-virus software is powerless
According to the Imperva experts, programs such as Switcher are difficult to detect because they conduct no suspicious activity. After the initial authentication, no explicit credentials are needed (or stored) by the cybercriminal’s application in order to access the user’s account. Another weakness is that the same synchronization token can be used from different machines. Therefore, an attacker can get access to the victim’s account by stealing a token and does not need to compromise the victim’s password. Besides, Switcher can perform all of its preparations in memory without saving anything to the hard drive. Firewalls are also unable to protect against this type of attack, as the network sessions let in legitimate encrypted traffic from trustworthy sources.
Unfortunately, restoring secure access to the cloud storage after an attack with Switcher or similar software can be very problematic. The thing is that in many cases changing the password of your service account does not generate a new token. That is why the most reliable option would be to delete the account altogether and create a new one. On top of it all, most cloud service providers do not inform customers that their accounts were accessed from a different location.
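The two weaknesses described above (a token that works from any machine, and a password change that leaves the old token valid) are design choices rather than unavoidable facts. The following is an added illustration written for this article, not any provider’s real code: a toy Python model of a sync-token service in which every token is bound to the device that enrolled it (the device fingerprint is an assumed value supplied by the client), a password change revokes all outstanding tokens, and a token presented from another device is refused and recorded so the account owner can be notified.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    password_hash: str
    tokens: dict = field(default_factory=dict)  # token -> enrolling device fingerprint
    alerts: list = field(default_factory=list)  # events the account owner should be told about

def _hash(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()  # stand-in for a slow password hash

class TokenService:
    """Toy sync-token service: device-bound tokens, all revoked on password change."""

    def __init__(self):
        self.accounts = {}

    def register(self, user, password):
        self.accounts[user] = Account(password_hash=_hash(password))

    def login(self, user, password, device_fp):
        """Interactive login is the only path that mints a sync token."""
        acct = self.accounts[user]
        if not hmac.compare_digest(acct.password_hash, _hash(password)):
            return None
        token = secrets.token_urlsafe(32)
        acct.tokens[token] = device_fp  # bind the token to the device that enrolled it
        return token

    def sync(self, user, token, device_fp):
        """Token-only access, the path the desktop client uses on every sync."""
        acct = self.accounts[user]
        bound = acct.tokens.get(token)
        if bound is None:
            return False  # unknown or revoked token
        if not hmac.compare_digest(bound, device_fp):
            # Same token from another machine (stolen token replayed, or an attacker's
            # token planted on the victim): refuse it and record the event for the owner.
            acct.alerts.append(f"token reuse from device {device_fp}")
            return False
        return True

    def change_password(self, user, new_password):
        acct = self.accounts[user]
        acct.password_hash = _hash(new_password)
        acct.tokens.clear()  # every outstanding token dies with the old password
```

With this design a stolen token is useless from the attacker’s machine, a planted attacker token is useless on the victim’s machine, and changing the password is enough to lock both out.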
Want to protect your Google Drive and Dropbox accounts? Backup is the solution!
The only solution for data loss prevention is Cloud-to-Cloud Backup, which provides a daily automated backup of your critical data to an independent secure storage.
Spinbackup has two key advantages. Firstly, it generates a token of its own that is not synchronized with the token on your PC; that token is securely encrypted and kept on the Spinbackup servers. Secondly, if you face the accidental or forced deletion of your cloud account altogether, you will be able to quickly recover all your files from the copy in your Spinbackup account with a click. Keep calm, back up all your data in the cloud using Cloud-to-Cloud Backup services from Spinbackup and don’t give cyber-criminals a single chance!