The US Cybersecurity and Infrastructure Security Agency (CISA) has warned organizations that hackers are bypassing multi-factor authentication (MFA) protocols to breach cloud service accounts.
In a report, the CISA said it was aware of several recent successful cyber attacks against various organizations’ cloud services. Hackers used “phishing and other vectors to exploit poor cyber hygiene practices within a victims’ cloud services configuration.”
"The cyber threat actors involved in these attacks used a variety of tactics and techniques—including phishing, brute force login attempts, and possibly a 'pass-the-cookie' attack—to attempt to exploit weaknesses in the victim organizations’ cloud security practices,” said the report’s authors.
While brute force attacks using username and password combinations often fail because an organization had MFA enabled, CISA said in one incident, hackers successfully signed into a user’s account, despite MFA being enabled. In this case, CISA believed the threat actors may have used browser cookies to defeat MFA with a “pass-the-cookie” attack. Such attacks hijack an authenticated session using stolen cookies to access web applications or online services.
In another attack, CISA observed threat actors collecting sensitive information by taking advantage of email forwarding rules, which users had set up to forward work emails to their personal email accounts.
“In one case, CISA determined that the threat actors modified an existing email rule on a user’s account—originally set by the user to forward emails sent from a certain sender to a personal account—to redirect the emails to an account controlled by the actors. The threat actors updated the rule to forward all email to the threat actors’ accounts,” said the report.
CISA also observed hackers creating new mailbox rules that forwarded certain messages received by the users—specifically, messages with certain phishing-related keywords—to the legitimate users’ Really Simple Syndication (RSS) Feeds or RSS Subscriptions folder to prevent warnings from being seen by the legitimate users.
CISA added that these attacks were “not explicitly tied to any one threat actor or known to be specifically associated with the advanced persistent threat actor attributed with the compromise of SolarWinds Orion Platform software and other recent activity.”
Eyal Wachsman, co-founder & CEO at BAS provider Cymulate, told ITPro that user authentication and credentials had become the new enterprise security perimeter. With many employees working remotely and accessing cloud services, they have become a lucrative target for attacks.
“Pass-the-Cookie attacks require a successful breach of the end user's workstation, and whether they are a personal device or an organization’s, assets have become a headache to secure for CISOs. They are challenged to enforce patching on these workstations and detection systems are blindsided with partial visibility leaving them extremely vulnerable. Added to the mix are well crafted Spear Phishing attacks that introduce malware or steal credentials through social engineering,” Wachsman said.
Wachsman added that to prevent these attacks, companies must increase phishing awareness. Employees should also log out from cloud services when they’re not using them, and companies should set the services to automatically kill inactive sessions, even for short periods.
“Becoming aware of your security posture is critical to discover and fix the weaknesses they find,” he said.
Niamh Muldoon, global data protection officer at OneLogin, told ITPro that security culture and maintaining security consciousness with your entire organization and end users is critical for identifying and responding to security threats, and following security processes.
“Access control processes of provisioning and de-provisioning are great examples that need conscious focus and attention to ensure only those that have a business requirement for access have access and their access is approved, reviewed and monitored per the access control principles of authentication, authorization and assurance principles,” Muldoon said.
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Microsoft Authenticator mandates number matching to counter MFA fatigue attacksNews The added layer of complexity aims to keep social engineering at bay
-
As Google launches passwordless authentication for all, what are the business benefits of passkeys?News Google follows Apple in its latest shift to passwordless authentication, but what are the benefits?
-
There's only one way to avoid credential stuffing attacksOpinion PayPal accounts were breached last year due to a credential stuffing attack, but can PayPal avoid taking responsibility?
-
Google Authenticator 2FA update accused of making service less secureNews Lack of end-to-end encryption in code backup has some developers worried
-
Five things to consider before choosing an MFA solutionIn-depth Because we all should move on from using “password” as a password
-
What is multi-factor authentication (MFA) fatigue and how do you defend against attacks?In-depth Strong authentication is key to security, but it needs to be properly managed to avoid MFA fatigue
-
Beyond Identity strikes up strategic partnership with World Wide TechnologyNews WWT will implement Beyond Identity’s authentication platform internally while also acting as a global channel partner
-
Implementing strong authentication across your businessIn-depth Strong authentication is hugely important, but implementing any regime at scale is not without its challenges
