Man in the Cloud Hackers (Protect Your Association)

Today we’ll be describing a lesser-known type of attack called “Man in the Cloud” (MITC). The research arm of Imperva’s Application Defense Centre released a report a few weeks ago describing this issue in great detail. Alinity is a cloud-based service, but it is other cloud services such as Dropbox, Google Drive, OneDrive, etc. that are the targets of MITC hackers. Instead of focusing on the clouds of individual people, we will be focusing on company clouds, where hackers are generally looking for financial information or business secrets to reveal or sell illegally.

How does the hacker get in?

Many people grant several devices (home laptop, work laptop, smart phone, tablet, etc.) permission to access their cloud, and each of these permissions is called a token. Having a token means that the cloud user no longer has to type in his or her password to log into the cloud. The problem occurs when a hacker “steals” that token, from whatever device, and uses it to gain access to the account and its data, or to transmit viruses through the device. Since the hacker is using a token, the server will think the hacker is the owner of the account, and the account owner will be unaware of the hack. Unfortunately, changing passwords does not do anything to fix this problem.

One method the hacker uses to get in is social engineering: the hacker tricks the victim into handing over his or her password. This is done through phishing.

This type of attack does not change the user’s username and password, so it is difficult to detect. Very little to no evidence is left behind after a hack. If you notice unusual activity on your account or any devices connected to your cloud, don’t ignore it. This could be a serious problem.

What does the hacker do?

After the hacker steals a token and has access to the cloud, they will use it to “fool” a new device, and then attack by infecting files that are synced between devices. Hackers will exploit common file synchronization services, by reconfiguring them, for command and control communications, remote access, data exfiltration and even endpoint hacking.

Definitions of the above terms:

File Synchronization: ensuring files in multiple locations are all updated. For example, if a file on Google Drive was updated on a smart phone, it would become updated in Google Drive, then across all devices with a token to Google Drive.

Command and control (C&C) communications: This refers to the hacker’s ability to issue commands to, and control, the hacked system.

Remote access: The ability to access a computer or network from a distant geographic location while keeping that location anonymous.

Data exfiltration: This refers to the unauthorized transferring of data. This can unfortunately be done maliciously over a network and without physical access (i.e. through the cloud).

Endpoint hacking: An endpoint is the device individuals use to connect to the network, such as a laptop, tablet, or smart phone. Endpoint hacking is when these devices are broken into. Unfortunately, recovery is mostly impossible, so the only way to recover would be to delete the account, start a new one, and generate a new token.

How can I protect my association?


  • Encrypt files before uploading them to cloud services. This way hackers will only see encrypted data that will make no sense to them. Just don’t store the encryption key in the cloud as well.
  • Activating 2-step authentication would let the account owner know, by email, text, or call, that his or her account has been logged into from a new device. The only way the hacker can continue to log in is if the account owner verifies the device from the authentication message.
  • Set your cloud to send login alerts (if applicable). This means that you don’t need to verify a login, but you will receive a notification every time your account has been logged into on a new device.
  • Many organizations are starting to emphasize the importance of endpoint security. This means that organizations are monitoring more closely the remote devices that are potential entry points to the network.
  • Monitor and protect data resources in the cloud by watching the most important data and seeing if it has any unusual activity, such as being opened more than it normally would be. If it’s being accessed suspiciously more than usual, somebody might be scoping for information to take.
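
The last three points can be checked mechanically from an access log. The following is an added example, not code from Alinity or any cloud provider: it flags file opens from devices that are not enrolled for the account (a stolen token shows up as a valid session on an unfamiliar device) and watched files opened far more than their usual daily rate. The log layout, account, device names, file paths and the threshold factor are all assumptions.

```python
from collections import Counter, defaultdict

ACCT = "finance@example.org"
# Constructed sample events: (day, account, device_id, file_path)
EVENTS = (
    [(f"2024-05-0{d}", ACCT, "laptop-01", "/budget/2024.xlsx") for d in (1, 2, 3, 4)]
    + [("2024-05-02", ACCT, "phone-01", "/minutes/board.docx")]
    + [("2024-05-04", ACCT, "device-x9", "/budget/2024.xlsx")] * 5
)
# Devices the association has actually enrolled per account (assumed inventory).
KNOWN_DEVICES = {ACCT: {"laptop-01", "phone-01"}}
# The "most important data" to watch.
WATCHED = {"/budget/2024.xlsx", "/minutes/board.docx"}


def unknown_device_events(events, known):
    """Return events whose device is not enrolled for that account."""
    return [e for e in events if e[2] not in known.get(e[1], set())]


def access_spikes(events, watched, today, factor=3):
    """Flag watched files opened today more than `factor` times their baseline.

    Baseline = average opens per day over earlier days on which the file
    was opened at all (floored at 1 so rarely used files are not flagged
    on a single open).
    """
    per_day = defaultdict(Counter)
    for day, _acct, _dev, path in events:
        if path in watched:
            per_day[path][day] += 1
    spikes = {}
    for path, days in per_day.items():
        history = [n for d, n in days.items() if d < today]
        baseline = sum(history) / len(history) if history else 0.0
        if days[today] > max(1, baseline) * factor:
            spikes[path] = (days[today], baseline)
    return spikes


if __name__ == "__main__":
    for event in unknown_device_events(EVENTS, KNOWN_DEVICES):
        print("unenrolled device:", event)
    for path, (count, base) in access_spikes(EVENTS, WATCHED, "2024-05-04").items():
        print(f"spike: {path} opened {count}x today, baseline {base:.1f}/day")
```

Neither check depends on a failed login or a password change, which matters here because a stolen token produces neither.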

Can a man get into Alinity’s cloud?

Alinity is actually not susceptible to MITC hacking (yay!). Our clients’ passwords are encrypted one-way, so if a hacker were to get into Alinity, they would not be able to find any of our clients’ passwords, nor would they find anything very valuable. Alinity’s tokens are also not accessible because they are stored in a different place than the passwords. This means that the hacker would have to hack two parts of Alinity in order to get the information of one person, making it twice as hard to get in!