File sync services provide a covert way to control hacked computers

Researchers highlight the potential use of file synchronization services for stealthy and persistent remote control

File synchronization services, used to accommodate roaming employees inside organizations, can also be a weak point that attackers could exploit to remain undetected inside compromised networks.

Researchers from security firm Imperva found that attackers could easily hijack user accounts for services from Dropbox, Google Drive, Microsoft OneDrive and Box if they gain limited access to computers where such programs run -- without actually stealing user names and passwords.

Once the accounts are hijacked, attackers could use them to grab the data stored in them, and to remotely control the compromised computers without using any malware programs that could be detected by antivirus and other security products.

The Imperva researchers found that all of the file synchronization applications they looked at provide continued access to users' cloud storage accounts via access tokens that are generated after users log in for the first time. These tokens are stored on users' computers in special files, in the Windows registry or in the Windows Credential Manager, depending on the application.

The researchers developed a simple tool they dubbed Switcher, whose role is to perform what they call a "double switch" attack.

Switcher can be deployed on the system through a malicious email attachment or a drive-by download exploit that takes advantage of a vulnerability in a browser plug-in. If an exploit is used, the program doesn't even have to be written to disk. It can be loaded directly into the computer's memory and doesn't need high-level privileges to execute its routine.

The Switcher first makes a copy of the user's access token for the targeted file synchronization app and replaces it with one that corresponds to an account controlled by the attacker. It then restarts the application so that it synchronizes with the attacker's account.

The previously saved user token is copied to the synchronized folder so that the attacker receives a copy; Switcher then restores the original token, forcing the app to link back to the user's real account -- hence the "double switch" name.

However, since the attacker now has a copy of the user's access token, he can use the Switcher on his own computer and synchronize it with the user's real account, getting a copy of all of the files stored in it.
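The double switch, as an added simulation that is not Imperva's Switcher and touches no real service: the cloud back end, the desktop client and the token cache path are hypothetical stand-ins that model only what the article states (a long-lived token cached locally, a sync API that authenticates by token alone, and a password change that does not revoke the token). The last two checks in `run_demo()` correspond to the recovery problem the researchers describe later in the article.

```python
"""
Simulation of the "double switch" described in the article.

Added example, not Imperva's Switcher and not any vendor's client code. The cloud
back end, the desktop client and the token cache are hypothetical stand-ins that
model only what the article states: the client authenticates with a long-lived
token cached locally, so whoever holds the token can sync with the account, and
changing the password does not necessarily revoke it.
"""
import secrets
import tempfile
from pathlib import Path


class CloudBackend:
    """Hypothetical server side. Accounts are keyed by username; the sync API
    authenticates by token only, like the cached-credential model in the article."""

    def __init__(self):
        self.files = {}        # username -> {filename: bytes}
        self.token_owner = {}  # token -> username

    def create_account(self, username):
        self.files[username] = {}

    def issue_token(self, username):
        """Called once, at the first interactive login (password checked elsewhere)."""
        token = secrets.token_hex(16)
        self.token_owner[token] = username
        return token

    def owner_of(self, token):
        return self.token_owner.get(token)

    def change_password(self, username):
        """Models the reported failure mode: a password change leaves
        already-issued tokens valid, so nothing happens to the token table."""

    def revoke_tokens(self, username):
        """What actually cuts the attacker off: invalidate every issued token."""
        for t in [t for t, u in self.token_owner.items() if u == username]:
            del self.token_owner[t]


class SyncClient:
    """Hypothetical desktop client: reads the cached token and mirrors sync_dir
    with whichever account the token belongs to."""

    def __init__(self, cloud, token_path, sync_dir):
        self.cloud, self.token_path, self.sync_dir = cloud, Path(token_path), Path(sync_dir)
        self.sync_dir.mkdir(parents=True, exist_ok=True)

    def first_login(self, username):
        self.token_path.write_text(self.cloud.issue_token(username))

    def sync(self):
        """Two-way mirror. Returns the account the client actually talked to."""
        owner = self.cloud.owner_of(self.token_path.read_text())
        if owner is None:
            raise PermissionError("token rejected")
        remote = self.cloud.files[owner]
        for p in self.sync_dir.iterdir():          # upload local files
            remote[p.name] = p.read_bytes()
        for name, data in remote.items():          # download remote files
            (self.sync_dir / name).write_bytes(data)
        return owner


def double_switch(client, attacker_token):
    """The attacker's payload, run unprivileged on the victim machine."""
    victim_token = client.token_path.read_text()              # 1. keep a copy of the user's token
    client.token_path.write_text(attacker_token)              # 2. switch to the attacker's account
    (client.sync_dir / "token.txt").write_text(victim_token)  # 3. drop the copy into the folder
    client.sync()                                             # 4. "restart": folder syncs to attacker
    (client.sync_dir / "token.txt").unlink()
    client.token_path.write_text(victim_token)                # 5. switch back; the user sees nothing
    return client.sync()


def run_demo():
    root = Path(tempfile.mkdtemp())
    cloud = CloudBackend()
    for user in ("alice", "attacker"):
        cloud.create_account(user)
    attacker_token = cloud.issue_token("attacker")

    victim = SyncClient(cloud, root / "victim_token.cfg", root / "victim_sync")
    victim.first_login("alice")
    (victim.sync_dir / "payroll.xlsx").write_bytes(b"constructed sample data")
    victim.sync()

    rebound_to = double_switch(victim, attacker_token)

    # Attacker, on their own machine, syncs the attacker account and finds the token ...
    attacker = SyncClient(cloud, root / "attacker_token.cfg", root / "attacker_sync")
    attacker.token_path.write_text(attacker_token)
    attacker.sync()
    stolen = (attacker.sync_dir / "token.txt").read_text()

    # ... then reuses it to sync alice's account directly, no password involved.
    replay = SyncClient(cloud, root / "stolen_token.cfg", root / "alice_copy")
    replay.token_path.write_text(stolen)
    synced_as = replay.sync()
    got_files = sorted(p.name for p in replay.sync_dir.iterdir())

    cloud.change_password("alice")
    valid_after_pw_change = cloud.owner_of(stolen) == "alice"
    cloud.revoke_tokens("alice")
    valid_after_revoke = cloud.owner_of(stolen) == "alice"

    return {"victim_rebound_to": rebound_to, "attacker_synced_as": synced_as,
            "attacker_got": got_files, "valid_after_pw_change": valid_after_pw_change,
            "valid_after_revoke": valid_after_revoke}


if __name__ == "__main__":
    print(run_demo())
```

In this simulation the mirror is two-way, so the restart in step 4 also pushes the folder's existing contents into the attacker's account; what the attack actually depends on is only that `token.txt` arrives there. `change_password` is deliberately a no-op to reflect the behaviour the researchers reported, and `revoke_tokens` is the operation that really cuts the attacker off.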

The attack can be taken a step further by having Switcher create a scheduled task or a Windows Management Instrumentation (WMI) event subscription that fires when a specific file appears in the synchronized folder. The attacker creates that file in the account; it can contain commands for the task to execute.

This mechanism gives the attacker persistent remote access to the computer even after Switcher deletes itself or is removed from memory. Once a command has run and its output has been saved to the synchronized folder, the attacker can collect the output and delete it, along with the trigger file, to cover his tracks.
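An added hunt for the WMI persistence variant, not Imperva's tooling: it scores each permanent event subscription on a host by whether its filter fires on file creation inside a sync folder and whether its consumer launches a shell or touches that folder. The records are constructed samples using the real property names of `__EventFilter`, `CommandLineEventConsumer`, `NTEventLogEventConsumer` and `__FilterToConsumerBinding` in `root\subscription`; collecting them on the host with `Get-CimInstance -Namespace root/subscription -ClassName <class>` and feeding the result in is assumed, not shown.

```python
"""
Hunt for WMI permanent event subscriptions that fire on a file appearing in a
file-sync folder, the persistence trick described in the article.

Added example, not Imperva's tooling. Input is assumed to be the three
root/subscription classes exported from the host (for example with
Get-CimInstance -Namespace root/subscription -ClassName __EventFilter and
likewise for the consumer classes and __FilterToConsumerBinding). The records
below are constructed samples that use those classes' real property names.
"""
import re

SYNC_FOLDER_MARKERS = ("dropbox", "google drive", "onedrive", "box sync")
FILE_EVENT_MARKERS = ("cim_datafile", "cim_directorycontainsfile")
SHELL_MARKERS = ("cmd.exe", "powershell", "wscript", "cscript", "mshta", "rundll32")

# Constructed sample export. Binding references use the form WMI prints them in.
FILTERS = [
    {"Name": "SyncDrop", "QueryLanguage": "WQL",
     "Query": "SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'CIM_DataFile' "
              "AND TargetInstance.Drive='C:' AND TargetInstance.Path='\\\\Users\\\\alice\\\\Dropbox\\\\' "
              "AND TargetInstance.FileName='run'"},
    {"Name": "ServiceWatch", "QueryLanguage": "WQL",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_Service'"},
    {"Name": "InboxWatch", "QueryLanguage": "WQL",
     "Query": "SELECT * FROM __InstanceCreationEvent WITHIN 30 WHERE TargetInstance ISA 'CIM_DataFile' "
              "AND TargetInstance.Path='\\\\ProgramData\\\\AcmeAgent\\\\inbox\\\\'"},
]
CONSUMERS = [
    {"__CLASS": "CommandLineEventConsumer", "Name": "SyncDropRun",
     "CommandLineTemplate": "cmd.exe /c C:\\Users\\alice\\Dropbox\\run.cmd > C:\\Users\\alice\\Dropbox\\out.txt"},
    {"__CLASS": "NTEventLogEventConsumer", "Name": "ServiceLog", "EventType": 1},
    {"__CLASS": "CommandLineEventConsumer", "Name": "AcmeImport",
     "CommandLineTemplate": "C:\\Program Files\\AcmeAgent\\import.exe"},
]
BINDINGS = [
    {"Filter": '__EventFilter.Name="SyncDrop"', "Consumer": 'CommandLineEventConsumer.Name="SyncDropRun"'},
    {"Filter": '__EventFilter.Name="ServiceWatch"', "Consumer": 'NTEventLogEventConsumer.Name="ServiceLog"'},
    {"Filter": '__EventFilter.Name="InboxWatch"', "Consumer": 'CommandLineEventConsumer.Name="AcmeImport"'},
]

_REF = re.compile(r'^(?P<cls>\w+)\.Name="(?P<name>[^"]+)"$')


def parse_ref(ref):
    """Split a WMI object reference such as __EventFilter.Name="X" into (class, name)."""
    m = _REF.match(ref)
    if not m:
        raise ValueError(f"unrecognised WMI reference: {ref!r}")
    return m.group("cls"), m.group("name")


def assess(filters, consumers, bindings):
    """Score every filter->consumer binding; higher means closer to the article's scenario."""
    by_filter = {f["Name"]: f for f in filters}
    by_consumer = {(c["__CLASS"], c["Name"]): c for c in consumers}
    findings = []
    for b in bindings:
        _, fname = parse_ref(b["Filter"])
        ccls, cname = parse_ref(b["Consumer"])
        f, c = by_filter[fname], by_consumer[(ccls, cname)]
        q = f["Query"].lower()
        # CommandLineEventConsumer carries CommandLineTemplate; ActiveScriptEventConsumer carries ScriptText
        cmd = (c.get("CommandLineTemplate") or c.get("ScriptText") or "").lower()
        reasons = []
        if any(m in q for m in FILE_EVENT_MARKERS):
            reasons.append("filter fires on file creation")
        if any(m in q for m in SYNC_FOLDER_MARKERS):
            reasons.append("watched path is a file-sync folder")
        if any(m in cmd for m in SHELL_MARKERS):
            reasons.append("consumer launches a shell interpreter")
        if any(m in cmd for m in SYNC_FOLDER_MARKERS):
            reasons.append("consumer reads or writes the sync folder")
        findings.append({"filter": fname, "consumer": f"{ccls}:{cname}",
                         "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda x: -x["score"])


def suspicious(findings, threshold=3):
    """Names of filters whose binding reaches the alert threshold."""
    return [f["filter"] for f in findings if f["score"] >= threshold]


if __name__ == "__main__":
    for f in assess(FILTERS, CONSUMERS, BINDINGS):
        print(f["score"], f["filter"], "->", f["consumer"], "; ".join(f["reasons"]))
```

A score of 1 (a file watch on some other path, or a shell consumer alone) is the "lots of applications create WMI tasks" case Shulman mentions and stays below the threshold; the combination of a sync-folder watch with a consumer that runs a shell or reads the folder is what the article's scenario needs, and that is what the threshold catches. Treat the folder-name list as a starting point and extend it with whatever sync clients your estate has approved.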

If the attacker is not looking for stealthiness and persistence, another possible attack scenario would be to encrypt all of the files in the user's account and ask for a ransom to decrypt them -- an approach used successfully in recent years by ransomware programs.

According to Amichai Shulman, the chief technology officer at Imperva, these attacks against file synchronization services would be very hard for antivirus programs to detect, because the Switcher is not performing any unusual activity that could be interpreted as malware behavior.

The program is made up of just ten lines of code that read and write to files and registry keys that other applications also modify, he said. The WMI task that gets left behind is not unusual either because a lot of other applications create WMI tasks for various reasons, he added.

In addition, the Switcher might not even get stored on disk and would remove itself after setting up the conditions for the attack.

Security products operating at the network perimeter wouldn't be able to block the traffic because it's encrypted by default and it's generated by known, legitimate file synchronization applications organizations have approved.

Right now none of the tested services notify users that their accounts have been accessed from a new location, like some websites do. Some of them allow users to view the recent activity for their accounts which could reveal the unauthorized access from an unusual location or IP address, but they don't actually alert users via email when that happens, according to the Imperva researchers.

Even if such a compromise were detected, recovering from it could be problematic because in some cases the access tokens remain valid even after users change their passwords. The only way to recover in those situations is to actually delete the account and create a new one, the researchers said in a report that will be released Wednesday at the Black Hat security conference in Las Vegas.

Attackers have already shown an interest in abusing trusted cloud services or social media sites, both to exfiltrate data and for command and control. In December, security researchers from Blue Coat reported an attack campaign against military, diplomatic and business targets that used a Swedish file synchronization service called CloudMe for command and control. FireEye recently reported that a Russian cyberespionage group used a backdoor known as Hammertoss, which relied on cloud storage services to exfiltrate data from organizations.

At the BSides security conference this week, also in Las Vegas, software developers Gabriel Butterick, Dakota Nelson and Byron Wasti released a framework that can create an encrypted covert communication channel for malware by using images, audio clips and text messages posted on social media sites like Twitter, SoundCloud and Tumblr.

Maybe some of the cloud storage providers will improve things in the future, but that doesn't change the underlying issue: that whatever is useful for users can also be useful for attackers, Shulman said. Attackers will eventually find a way to compromise endpoint systems, but most of the time their goal will be to use them as launchpads for attacks against the organization's databases and file servers, where the interesting information is stored. Because of that, it's important for companies to monitor and strictly control access to their important data, he said.

Stories by Lucian Constantin