Imperva Hacker Intelligence Initiative uncovers new “Man In the Cloud” attacks that use popular file synchronization services

imperva 112Imperva, Inc., committed to protecting business-critical data and applications in the cloud and on-premises, unveiled on August 5 in Las Vegas, NV its August Hacker Intelligence Initiative Report (HII Report) at Black Hat USA 2015: “Man in the Cloud Attacks.” This new report uncovers how a new type of attack, “Man in the Cloud” (MITC), can quietly coopt common file synchronization services, such as Google Drive and Dropbox, to turn them into devastating attack tools not easily detected by common security measures. The report notes that this next-generation attack does not require compromising the user’s cloud account username or password.

“Our research has revealed just how easy it is for cyber criminals to coopt cloud synchronization accounts, and how difficult it is to detect and recover from this new kind of attack,” said Amichai Shulman, CTO of Imperva. “Since we have found evidence of MITC in the wild, organizations who rely on protecting against infection through malicious code detection or command and control (C&C) communication detection are at a serious risk, as man in the cloud attacks use the in-place Enterprise File Synch and Share (EFSS) infrastructure for C&C and exfiltration.”

With the increased usage of mobile devices, tablets, VPNs, remote desktop access and SaaS applications, data is moving to the cloud and expanding beyond traditionally-defined corporate boundaries. File synchronization services are a good example of this move to the cloud on both the individual and business level. The use of Box, Dropbox, Google Drive, and Microsoft OneDrive in the workplace highlights the importance of the results of this study.

Organizations should consider protecting themselves from MITC attacks with a two-phased approach. First, organizations should use a cloud access security broker (CASB) solution that monitors access and usage of its enterprise cloud services. Second, organizations should deploy controls such as data activity monitoring (DAM) and file activity monitoring (FAM) solutions around business data resources to identify abnormal and abusive access to business critical data.

Key findings from the report include: 


  • Cloud synchronization services, such as Box, Dropbox, Google Drive and Microsoft OneDrive, can be easily coopted and turned into an infrastructure for end point compromise, providing a channel for C&C, data exfiltration and remote access.
  • Attacks based on the above architecture have been witnessed in the wild.
  • End point and perimeter security measures are insufficient at detecting and mitigating this threat as no malicious code persists on the end point and no abnormal outbound traffic channels are observed on the wire.
  • Organizations must invest more effort in monitoring and protecting their business critical enterprise data resources both in the cloud and on-premises.
  • By detecting abusive access patterns to such resources, enterprises can protect against this next generation of breaches.

The Imperva Application Defense Center (ADC) is a premier research organization for security analysis, vulnerability discovery, and compliance expertise. ADC research combines extensive lab work with hands-on testing in real world environments to enhance Imperva products, through advanced data security technology, with the goal of delivering up-to-date threat protection and unparalleled compliance automation. The team regularly conducts research on the evolving threat landscape, including the HII report and the Web Application Attack report. A full version of the August HII report is available at

Source: Imperva Inc.