If the attacker is not looking for stealthiness and persistence, another possible attack scenario would be to encrypt all of the files in the user's account and ask for a ransom to decrypt them -- an approach used successfully in recent years by ransomware programs.
According to Amichai Shulman, the chief technology officer at Imperva, these attacks against file synchronization services would be very hard to detect by antivirus programs, because the Switcher is not performing any unusual activity that could be interpreted as malware behavior.
The program is made up of just ten lines of code that read and write to files and registry keys that other applications also modify, he said. The WMI task that gets left behind is not unusual either because a lot of other applications create WMI tasks for various reasons, he added.
In addition, the Switcher might not even get stored on disk and would remove itself after setting up the conditions for the attack.
Security products operating at the network perimeter wouldn't be able to block the traffic because it's encrypted by default and it's generated by known, legitimate file synchronization applications organizations have approved.
Right now none of the tested services notify users that their accounts have been accessed from a new location, like some websites do. Some of them allow users to view the recent activity for their accounts which could reveal the unauthorized access from an unusual location or IP address, but they don't actually alert users via email when that happens, according to the Imperva researchers.
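As an added illustration of the missing control described above (not code from Imperva's report or the article), the following defender-side check replays an account's recent-activity records and raises an alert the first time an account is used from an IP address or location not previously seen for it. The record format and all values are constructed for the example.

```python
# Added example: flag sync-service account activity from a previously unseen
# IP or location, the kind of alert the article notes the tested services
# do not send. Record format and sample values are constructed.
from collections import defaultdict

# Constructed "recent activity" records: (timestamp, account, ip, location),
# in chronological order.
SAMPLE_ACTIVITY = [
    ("2015-08-03T08:01:12Z", "alice@example.com", "203.0.113.10", "Boston, US"),
    ("2015-08-03T09:14:40Z", "alice@example.com", "203.0.113.10", "Boston, US"),
    ("2015-08-03T09:15:02Z", "alice@example.com", "198.51.100.77", "Lisbon, PT"),
    ("2015-08-03T10:30:00Z", "bob@example.com", "203.0.113.22", "Boston, US"),
    ("2015-08-04T07:55:31Z", "alice@example.com", "198.51.100.77", "Lisbon, PT"),
]


def new_access_alerts(records, known=None):
    """Return alerts for accesses from an IP or location not seen before
    for that account.

    `known` may seed the per-account baseline from earlier history as
    {account: {"ips": {...}, "locations": {...}}}. Each alert is a tuple
    (timestamp, account, ip, location, reason)."""
    baseline = defaultdict(lambda: {"ips": set(), "locations": set()})
    if known:
        for acct, seen in known.items():
            baseline[acct]["ips"] |= set(seen.get("ips", ()))
            baseline[acct]["locations"] |= set(seen.get("locations", ()))
    alerts = []
    for ts, acct, ip, loc in records:
        seen = baseline[acct]
        reasons = []
        # The very first event for an account only establishes its baseline;
        # alerting on it would flag every legitimate enrolment.
        if seen["ips"] or seen["locations"]:
            if ip not in seen["ips"]:
                reasons.append("new ip")
            if loc not in seen["locations"]:
                reasons.append("new location")
        if reasons:
            alerts.append((ts, acct, ip, loc, ", ".join(reasons)))
        seen["ips"].add(ip)
        seen["locations"].add(loc)
    return alerts


if __name__ == "__main__":
    for alert in new_access_alerts(SAMPLE_ACTIVITY):
        print(*alert)
```

A real deployment would seed `known` from the service's full activity history so that long-standing home or office addresses are not re-flagged after a restart.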
Even if such a compromise were detected, recovering from it could be problematic because in some cases the access tokens remain valid even after users change their passwords. The only way to recover in those situations is to actually delete the account and create a new one, the researchers said in a report that will be released Wednesday at the Black Hat security conference in Las Vegas.
Attackers have already shown an interest in abusing trusted cloud services or social media sites, both to exfiltrate data and for command and control. In December, security researchers from Blue Coat reported an attack campaign against military, diplomatic and business targets that used a Swedish file synchronization service called CloudMe for command and control. FireEye recently reported that a Russian cyberespionage group known as Hammertoss used cloud storage services to exfiltrate data from organizations.
At the BSides security conference this week, also in Las Vegas, software developers Gabriel Butterick, Dakota Nelson and Byron Wasti released a framework that can create an encrypted covert communication channel for malware by using images, audio clips and text messages posted on social media sites like Twitter, SoundCloud and Tumblr.