The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that threat actors are exploiting poor cyber hygiene to gain access to enterprise cloud environments. The alert was issued after CISA observed a surge in attacks on organizations that have transitioned to a largely remote workforce in response to the pandemic.
While some of the tactics outlined in the report may have been used by the hackers behind the SolarWinds Orion supply chain attack, these tactics have not been tied to any specific threat group and are being used by multiple threat actors to gain access to cloud environments and obtain sensitive data.
According to the alert, threat actors are using a variety of tactics, techniques, and procedures to attack cloud environments, including brute force attacks to guess weak passwords, phishing attacks, and the exploitation of unpatched vulnerabilities and weaknesses in cloud security practices.
Phishing is commonly used to obtain credentials to remotely access cloud resources and applications. The phishing emails typically include hyperlinks to malicious websites where credentials are harvested. If multi-factor authentication has not been implemented, the credentials can be used by the attackers to access cloud resources. The phishing emails often appear to be secure messages and link to seemingly legitimate file hosting account logins. The compromised email accounts are then used to send further phishing emails internally to other employees. These internally sent phishing emails often link to documents within what appears to be the organization’s file hosting service.
In some cases the attackers tampered with mailbox rules in the compromised accounts: auto-forwarding rules were set up to exfiltrate sensitive email, and search rules were used to locate and collect sensitive data. “In addition to modifying existing user email rules, the threat actors created new mailbox rules that forwarded certain messages received by the users (specifically, messages with certain phishing-related keywords) to the legitimate users’ Really Simple Syndication (RSS) Feeds or RSS Subscriptions folder in an effort to prevent warnings from being seen by the legitimate users,” explained CISA.
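Rule tampering of this kind is visible in the Exchange unified audit log, where each `New-InboxRule`, `Set-InboxRule` or `Set-Mailbox` operation is recorded together with its parameters. The script below is an added example of how to triage those records; it is not code from the CISA report or from Microsoft. It assumes the exported `AuditData` shape (an `Operation`, `UserId`, `ClientIP` and a `Parameters` list of `Name`/`Value` pairs) and that multi-valued parameters arrive as semicolon-separated strings, and the sample records, the keyword list, the folder list and the `example.com` internal domain are all constructed for the example.

```python
import json

# Constructed sample events in the shape of the AuditData JSON that
# Search-UnifiedAuditLog returns for Exchange Online mailbox-rule operations.
# The field names and the Name/Value parameter list follow that export format
# as assumed for this example; the users, addresses and IPs are made up.
SAMPLE_AUDIT_DATA = [
    {"CreationTime": "2021-01-12T09:14:07", "Workload": "Exchange",
     "Operation": "New-InboxRule", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.45",
     "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectOrBodyContainsWords",
          "Value": "phishing;suspicious;hacked;password"},
         {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
         {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2021-01-12T09:15:30", "Workload": "Exchange",
     "Operation": "Set-InboxRule", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.45",
     "Parameters": [
         {"Name": "Identity", "Value": "Invoices"},
         {"Name": "ForwardAsAttachmentTo", "Value": "collector@attacker.example"},
         {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2021-01-12T10:02:11", "Workload": "Exchange",
     "Operation": "New-InboxRule", "UserId": "bob@example.com",
     "ClientIP": "198.51.100.7",
     "Parameters": [
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "From", "Value": "news@vendor.example"},
         {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

# Heuristics chosen for this example (assumptions, tune per tenant).
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
KEYWORD_PARAMS = {"SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords"}
# Folders users rarely open, where attackers park security warnings.
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "deleted items",
                "archive", "conversation history"}
SUSPECT_WORDS = {"phishing", "phish", "hacked", "suspicious", "password",
                 "security", "mfa", "helpdesk", "it support"}
INTERNAL_DOMAINS = {"example.com"}  # assumed tenant domain


def params_to_dict(record):
    """Flatten the Parameters list of Name/Value pairs into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_external(address, internal_domains):
    """True unless the address belongs to one of the internal domains.
    Values without an '@' (contact GUIDs, display names) are treated as
    external so that they get a human look rather than being ignored."""
    addr = address.strip().lower()
    if addr.startswith("smtp:"):          # Set-Mailbox writes 'smtp:user@domain'
        addr = addr[5:]
    domain = addr.rsplit("@", 1)[-1]
    return domain not in {d.lower() for d in internal_domains}


def review_rule_event(record, internal_domains=INTERNAL_DOMAINS):
    """Return the reasons one audit record looks like mail tampering;
    an empty list means nothing suspicious was found."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    params = params_to_dict(record)
    reasons = []

    for name in sorted(FORWARD_PARAMS.intersection(params)):
        targets = [t.strip() for t in params[name].split(";") if t.strip()]
        external = [t for t in targets if is_external(t, internal_domains)]
        if external:
            reasons.append(f"{name} sends mail to external address(es): "
                           f"{', '.join(external)}")

    folder = params.get("MoveToFolder", "")
    if folder.lower() in HIDE_FOLDERS:
        reasons.append(f"moves matching mail to rarely read folder '{folder}'")

    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching messages")

    for name in sorted(KEYWORD_PARAMS.intersection(params)):
        words = {w.strip().lower() for w in params[name].split(";")}
        hits = sorted(words & SUSPECT_WORDS)
        if hits:
            reasons.append(f"{name} filters on security-warning keywords: "
                           f"{', '.join(hits)}")

    # Attackers often name rules '.' or ',' so they are easy to overlook.
    rule_name = params.get("Name", params.get("Identity", ""))
    if record["Operation"] != "Set-Mailbox" and len(rule_name.strip()) <= 1:
        reasons.append(f"rule name is blank or a single character ({rule_name!r})")

    return reasons


def triage(records, internal_domains=INTERNAL_DOMAINS):
    """Run review_rule_event over every record and keep the hits."""
    findings = []
    for rec in records:
        reasons = review_rule_event(rec, internal_domains)
        if reasons:
            findings.append({"time": rec["CreationTime"], "user": rec["UserId"],
                             "operation": rec["Operation"],
                             "client_ip": rec.get("ClientIP"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_AUDIT_DATA), indent=2))
```

Fed real data, `records` would be the parsed `AuditData` strings from an audit-log export filtered to those three operations; the two findings on the constructed sample show the two patterns CISA describes, a keyword rule that files warnings under RSS Subscriptions, and an external forward that also deletes the original.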
In addition to using phishing emails to steal login credentials, brute force tactics are used to guess weak passwords. In many cases, brute force and phishing attacks yielded valid credentials but were thwarted by multi-factor authentication, which prevented those credentials from being used; however, CISA identified one attack where multi-factor authentication was bypassed to gain access to cloud resources using ‘pass-the-cookie’ tactics. A pass-the-cookie attack involves the use of a stolen cookie for an already authenticated session to log into online services or web apps. Because the session cookie is issued only after MFA has been satisfied, replaying it inherits the authenticated session without triggering a new challenge, so these attacks can succeed even if an organization has correctly implemented multi-factor authentication. Short session lifetimes, and revoking active sessions as soon as an account is suspected of compromise, limit the window in which a stolen cookie is useful.
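A replayed session cookie leaves a trace that a password or MFA check never sees: the same session token turns up from a client that never completed MFA on it. The script below is an added example of that detection and is not code from the CISA report or from any vendor. The log format (tab-separated time, event, user, session token hash, client IP and user agent) is assumed for the example, the entries are constructed, and the severity rule is a heuristic: a new user agent that never answered an MFA prompt on the session is rated high, while the same browser from a new address (DHCP, VPN, mobile) is rated low.

```python
from collections import defaultdict
from datetime import datetime

# Constructed session-audit log (assumed format: UTC time, event, user,
# session token hash, client IP, user agent; tab-separated). All users, IPs
# and token hashes are made up for this example.
SAMPLE_SESSION_LOG = """\
2021-01-12T08:01:10Z\tmfa_completed\talice@example.com\ts1f9c2\t198.51.100.23\tMozilla/5.0 (Windows NT 10.0) Chrome/87.0
2021-01-12T08:01:12Z\trequest\talice@example.com\ts1f9c2\t198.51.100.23\tMozilla/5.0 (Windows NT 10.0) Chrome/87.0
2021-01-12T11:47:55Z\trequest\talice@example.com\ts1f9c2\t203.0.113.77\tMozilla/5.0 (X11; Linux x86_64) Firefox/84.0
2021-01-12T11:48:03Z\trequest\talice@example.com\ts1f9c2\t203.0.113.77\tMozilla/5.0 (X11; Linux x86_64) Firefox/84.0
2021-01-12T09:30:00Z\tmfa_completed\tbob@example.com\tb7e44a\t192.0.2.15\tMozilla/5.0 (Macintosh) Safari/14.0
2021-01-12T09:30:05Z\trequest\tbob@example.com\tb7e44a\t192.0.2.15\tMozilla/5.0 (Macintosh) Safari/14.0
2021-01-12T09:45:00Z\trequest\tbob@example.com\tb7e44a\t192.0.2.16\tMozilla/5.0 (Macintosh) Safari/14.0
2021-01-12T13:05:00Z\trequest\tcarol@example.com\tc03d1e\t203.0.113.90\tMozilla/5.0 (Windows NT 10.0) Edge/87.0
"""


def parse_session_log(text):
    """Parse the tab-separated log into a list of event dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time_s, event, user, session, ip, ua = line.split("\t")
        records.append({"time": datetime.strptime(time_s, "%Y-%m-%dT%H:%M:%SZ"),
                        "event": event, "user": user, "session": session,
                        "ip": ip, "ua": ua})
    return records


def find_session_reuse(records):
    """Group events by session token and report requests that arrive from a
    client (IP, user agent) that never completed MFA on that session."""
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec["session"]].append(rec)

    findings = []
    for session, events in by_session.items():
        events.sort(key=lambda e: e["time"])
        user = events[0]["user"]
        mfa_events = [e for e in events if e["event"] == "mfa_completed"]
        requests = [e for e in events if e["event"] == "request"]
        if not requests:
            continue
        if not mfa_events:
            # A token in use with no MFA completion on record: either the log
            # is incomplete or the token was minted outside the normal flow.
            first = requests[0]
            findings.append({"user": user, "session": session, "severity": "high",
                             "reason": "session used without any recorded MFA completion",
                             "ip": first["ip"], "ua": first["ua"], "time": first["time"]})
            continue

        mfa_clients = {(e["ip"], e["ua"]) for e in mfa_events}
        mfa_agents = {ua for _, ua in mfa_clients}
        last_mfa = max(e["time"] for e in mfa_events)
        seen = set()
        for req in requests:
            client = (req["ip"], req["ua"])
            if client in mfa_clients or client in seen:
                continue
            seen.add(client)
            # Same browser from a new address is common; a new browser that
            # never answered an MFA prompt is the replayed-cookie signature.
            severity = "high" if req["ua"] not in mfa_agents else "low"
            minutes = int((req["time"] - last_mfa).total_seconds() // 60)
            findings.append({"user": user, "session": session, "severity": severity,
                             "reason": f"request from new client {minutes} min after last MFA",
                             "ip": req["ip"], "ua": req["ua"], "time": req["time"]})
    return findings


if __name__ == "__main__":
    for f in find_session_reuse(parse_session_log(SAMPLE_SESSION_LOG)):
        print(f"[{f['severity']}] {f['user']} session {f['session']}: "
              f"{f['reason']} (ip={f['ip']}, ua={f['ua']})")
```

On the constructed log the check rates alice's session high (a Firefox client on a different network picked up her Chrome session nearly four hours after her MFA, with no MFA of its own), bob's low (same Safari, neighbouring address), and carol's high because no MFA completion exists for her token at all. A user agent is trivially spoofable, so a high finding is a reason to revoke the session and re-authenticate the user, not proof on its own.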
Threat actors have been targeting employees who work remotely using personally owned or company provided devices to access their organization’s cloud resources from home. While organizations have implemented security solutions to block these attacks, many of the attacks have succeeded as a result of poor cyber hygiene practices.
In the alert, CISA details best practices that can be adopted to improve cyber hygiene and strengthen cloud security configurations to block attacks on cloud services. These include implementing conditional access, regularly reviewing Active Directory sign-in logs and unified audit logs for suspicious activity, enforcing MFA for all users, reviewing email forwarding rules regularly, following guidance on securing privileged access, resolving client site requests internal to the network, and adopting a zero-trust mindset. Specific recommendations have also been provided to help enterprise organizations secure their M365 environments.
Enterprise organizations have been advised to read the Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services Analysis Report and implement the recommendations.