US government warns of cyberattacks targeting cloud services

Such attacks often occur when employees work remotely and use a mixture of personal and business devices to access cloud services.


Image: Leo Wolfert

Organizations with remote workers who use cloud-based services are being warned of several recent successful cyberattacks against those services.


In an advisory issued on Wednesday, CISA (Cybersecurity and Infrastructure Security Agency) revealed that hackers have been employing successful phishing campaigns, brute force login attempts, and potentially pass-the-cookie attacks to exploit weaknesses in cloud security practices. In a pass-the-cookie attack, hackers steal cookies from a user’s browsing session so they can then access a certain site as the victim.

Based on CISA’s analysis, these kinds of attacks often occur when an organization’s employees work remotely and use a combination of corporate machines and personal devices to sign into different cloud services. Though the organizations and users may be protected by proper security, otherwise weak cyber hygiene habits pave the way for hackers to pull off successful cyberattacks.


In the observed phishing campaigns, attackers deployed emails with malicious links to try to capture login credentials for cloud service accounts. The emails appeared to be from a legitimate file hosting service, while the links seemed to point to secure messages, all in an attempt to trick the user. The attackers were then able to use the compromised accounts to send phishing emails to other employees within the targeted organization.

Weak cyber hygiene habits

The advisory cited some of the weak cyber hygiene habits that leave organizations more vulnerable to attack. In one instance, an organization failed to require a VPN to access its network. Though the terminal server was located inside the firewall, it was configured with port 80 open to allow for remote connections from employees. As a result, the hacker was able to exploit this flaw by launching brute force attacks.

On the positive side, many of the brute force attempts failed for two reasons. The attackers were unable to find the correct username and password credentials, and the organizations used multi-factor authentication (MFA) to control access to their cloud environment.


However, at least one attacker was able to compromise a user’s account even with the proper use of MFA. CISA said it believes this attacker may have used browser cookies to thwart MFA via a pass-the-cookie attack.

In several other cases, remote workers set up email forwarding rules to automatically forward work emails to their personal accounts. By exploiting these rules, attackers were able to steal sensitive information. In one specific instance, the attackers found an existing rule that forwarded work emails to the receiver’s personal account and modified it to redirect the emails to their own account.

Beyond changing existing email rules, the hackers devised new rules that forwarded specific messages to the recipients’ RSS Feeds or RSS Subscriptions folder as a way to prevent phishing alerts from appearing.

Recommendations

To protect yourself, your organization, and your remote workers against these types of attacks, CISA offered a host of recommendations, some of which are:

  • Implement conditional access (CA) policies based on your organization’s needs.
  • Establish a baseline for normal network activity within your environment.
  • Routinely review both Active Directory sign-in logs and unified audit logs for anomalous activity.
  • Enforce multi-factor authentication.
  • Routinely review user-created email forwarding rules and alerts, or restrict forwarding. Consider restricting users from forwarding emails to accounts outside of your domain.
  • Focus on awareness and training. Make employees aware of the threats, such as phishing scams, and how they are delivered.
  • Establish blame-free employee reporting and ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack.
  • Consider a policy that does not allow employees to use personal devices for work. At a minimum, use a trusted mobile device management solution.
  • Have a mitigation plan or procedures in place. Understand when, how, and why to reset passwords and to revoke session tokens.
  • Verify that all cloud-based virtual machine instances with a public IP do not have open Remote Desktop Protocol (RDP) ports. Place any system with an open RDP port behind a firewall and require users to use a VPN to access it through the firewall.


Further, organizations that use Microsoft 365 should consider the following steps:

  1. Assign a few trusted users as electronic discovery (or eDiscovery) managers to conduct forensic content searches across the entire Microsoft 365 environment for evidence of malicious activity.
  2. Disable PowerShell remoting to Exchange Online for regular Microsoft 365 users to lower the risk of a compromised account being used to access tenant configurations for reconnaissance.
  3. Do not allow an unlimited amount of unsuccessful login attempts. Look into password smart lockout configuration and sign-in activity reports.
  4. To investigate and audit intrusions and potential breaches, consider tools such as Sparrow or Hawk, which are open-source PowerShell-based tools used to gather information related to Microsoft 365.
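An added example (not from the CISA advisory or this article) of how an Exchange Online administrator could hunt for the two forwarding tricks described above: rules that send mail to external addresses, and rules that bury messages in the RSS Feeds or RSS Subscriptions folder or delete them. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds a role that can read mailboxes and inbox rules; the folder names and output layout are the author's choices.

```powershell
# Added example, not the advisory's own tooling. Assumes the ExchangeOnlineManagement module.
Connect-ExchangeOnline   # interactive sign-in; omit if a session already exists

# Accepted domains of the tenant: any other domain in a forward/redirect target is external
$internal = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }
$hideFolders = @('RSS Feeds', 'RSS Subscriptions')   # folders the article says were used to hide mail

function Test-ExternalTarget {
    param([string[]]$Targets)
    foreach ($t in $Targets) {
        # Inbox rule targets look like '"Name" [SMTP:user@example.com]'; pull out the address
        $addr = if ($t -match '\[SMTP:([^\]]+)\]') { $Matches[1] } else { $t }
        $domain = (($addr -split '@')[-1]).ToLower()
        if ($internal -notcontains $domain) { return $true }
    }
    return $false
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    # 1. Mailbox-level forwarding (Set-Mailbox), stored as 'smtp:user@domain'
    if ($mbx.ForwardingSmtpAddress) {
        $fwd = $mbx.ForwardingSmtpAddress -replace '^smtp:', ''
        if (Test-ExternalTarget @($fwd)) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Rule = '<mailbox forwarding>'; Reason = 'external forwarding address'; Target = $fwd }
        }
    }
    # 2. User-created inbox rules
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        if (-not $rule.Enabled) { continue }
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        if ($targets -and (Test-ExternalTarget $targets)) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Rule = $rule.Name; Reason = 'forwards/redirects externally'; Target = ($targets -join '; ') }
        }
        # MoveToFolder is stored as 'mailbox:\Folder'; flag RSS folders and outright deletion
        $folder = if ($rule.MoveToFolder) { ($rule.MoveToFolder -split ':\\')[-1] } else { '' }
        if (($hideFolders -contains $folder) -or $rule.DeleteMessage) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Rule = $rule.Name; Reason = 'hides messages'; Target = $(if ($folder) { $folder } else { 'delete' }) }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Each finding still needs a human check against the mailbox owner's intent; the article's point is that forwarding rules are only dangerous when nobody reviews them.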

“Managing IT hygiene and improving awareness against phishing continue to be themes that are hammered when discussing successful cyberattacks, but it’s critically important to acknowledge that perfection in both these cases is a fool’s errand and so CISA’s recommendation for a robust detection and response capability is spot on,” Tim Wade, technical director at the CTO Team for Vectra, told TechRepublic.

“Whether against known IT hygiene-related weaknesses, or unknown weaknesses, an organization’s ability to quickly zero in on an active risk and then take appropriate action to reduce the impact is the difference between a successful security operations team and an organization finding their name in a headline story on cyberattacks,” Wade said.

Toward that end, Wade offers the following cybersecurity tips:

  • Despite CISA’s recommendations to enable multi-factor authentication for all users without exception, MFA bypass was observed to be part of this attack. It is important for organizations to recognize the importance of MFA even as they realize that it is not a silver bullet.
  • The malicious use of electronic discovery (eDiscovery) continues to be highlighted as a technique employed by threat actors, and organizations must be prepared to identify when eDiscovery tools are abused.
  • Mail-forwarding, as simple as it sounds, continues to evade security teams as an exfiltration and collection method.
  • On a practical level, the guidance to baseline an organization’s traditional IT and cloud networks is infeasible in practice without the use of artificial intelligence (AI) and machine learning (ML) techniques.
