The US Cybersecurity and Infrastructure Security Agency (CISA) said today that threat actors bypassed multi-factor authentication (MFA) protocols to compromise cloud service accounts.
“CISA is conscious of several recent successful cyberattacks against various organizations’ cloud services,” the cybersecurity agency said on Wednesday.
“The cyber threat actors involved in these attacks used a spread of tactics and techniques—including phishing, brute force login attempts, and possibly a ‘pass-the-cookie’ attack—to plan to exploit weaknesses in the victim organizations’ cloud security practices.”
Enabling MFA is not always enough
While threat actors tried to gain access to a number of their targets’ cloud assets via brute force attacks, they failed either because they could not guess the right credentials or because the targeted organization had MFA enabled.
However, in at least one incident, attackers were able to sign into a user’s account even though the target had multi-factor authentication (MFA) enabled.
CISA believes that the threat actors were able to defeat MFA protocols as part of a ‘pass-the-cookie’ attack, in which attackers hijack an already authenticated session using stolen session cookies to log into online services or web apps.
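The session hijack described above is visible on the service side, because a replayed cookie arrives from a client other than the one that completed MFA. The following Python is an added example, not code from CISA’s advisory or any vendor; the log lines are constructed in a key=value format, and the field names (ts, user, sid, ip, ua, event) are assumptions standing in for whatever a real identity provider or reverse proxy records.

```python
"""Flag an authenticated session cookie reused from a second client.

Added example, not from CISA's advisory. The log is constructed: a
key=value format with fields ts, user, sid (session cookie id), ip, ua and
event is assumed; real IdP or reverse-proxy logs use different names but
carry the same information.
"""
import re

# Constructed sample: alice passes MFA from a Windows/Edge browser, and 40
# minutes later her session id is presented from a different IP by a
# scripted client. bob's session stays on one client throughout.
SAMPLE_LOG = """\
ts=2021-01-13T08:00:02Z user=alice@example.test sid=s1f9c ip=198.51.100.20 ua="Mozilla/5.0 (Windows NT 10.0) Edge/87" event=login_mfa_ok
ts=2021-01-13T08:05:10Z user=alice@example.test sid=s1f9c ip=198.51.100.20 ua="Mozilla/5.0 (Windows NT 10.0) Edge/87" event=request path=/mail
ts=2021-01-13T08:41:57Z user=alice@example.test sid=s1f9c ip=203.0.113.77 ua="python-requests/2.25" event=request path=/mail/rules
ts=2021-01-13T09:02:00Z user=bob@example.test sid=77ab2 ip=192.0.2.44 ua="Mozilla/5.0 (Macintosh) Safari/14" event=login_mfa_ok
ts=2021-01-13T09:10:00Z user=bob@example.test sid=77ab2 ip=192.0.2.44 ua="Mozilla/5.0 (Macintosh) Safari/14" event=request path=/files
"""

TOKEN = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Split one log line into a dict; quoted values may contain spaces."""
    fields = {}
    for m in TOKEN.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def session_anomalies(log_text):
    """Compare every request against the client that completed MFA for that session."""
    origin = {}      # sid -> (ip, ua) captured at the MFA login event
    findings = []
    for raw in log_text.splitlines():
        f = parse_line(raw)
        sid = f["sid"]
        if f["event"] == "login_mfa_ok":
            origin[sid] = (f["ip"], f["ua"])
            continue
        if sid not in origin:
            # A cookie this service never issued is a finding in itself.
            findings.append({"sid": sid, "user": f["user"], "ts": f["ts"],
                             "changed": ["no login seen"], "severity": "high"})
            continue
        ip0, ua0 = origin[sid]
        changed = [name for name, old, new in (("ip", ip0, f["ip"]), ("ua", ua0, f["ua"]))
                   if old != new]
        if changed:
            # A user-agent change mid-session is a stronger signal than an IP
            # change alone, which roaming or VPN clients also produce.
            findings.append({"sid": sid, "user": f["user"], "ts": f["ts"],
                             "changed": changed,
                             "severity": "high" if "ua" in changed else "medium"})
    return findings


if __name__ == "__main__":
    for finding in session_anomalies(SAMPLE_LOG):
        print(finding)
```

On the constructed log this reports alice’s session once, at the request where both the source IP and the user agent differ from the MFA login. The same comparison is what a service can enforce at request time: re-prompt for authentication, or invalidate the cookie, when the presenting client no longer matches the one that was issued it.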
The agency also observed attackers using initial access gained by phishing employee credentials to phish other user accounts within the same organization, abusing what appeared to be the organization’s file hosting service to host their malicious attachments.
In other cases, the threat actors were seen modifying or setting up email forwarding rules and search rules to automatically collect sensitive and financial information from compromised email accounts.
“In addition to modifying existing user email rules, the threat actors created new mailbox rules that forwarded certain messages received by the users (specifically, messages with certain phishing-related keywords) to the legitimate users’ Really Simple Syndication (RSS) Feeds or RSS Subscriptions folder in an attempt to stop warnings from being seen by the legitimate users,” CISA added.
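Rules of the kind CISA describes (match warning keywords, file the message under RSS Subscriptions, or forward it elsewhere) leave a footprint in mailbox-rule audit records, and those records can be screened automatically. The Python below is an added example, not code from CISA or any mail vendor; the sample records are constructed to resemble Exchange Online New-InboxRule audit entries, and the parameter names it inspects (MoveToFolder, ForwardTo, RedirectTo, SubjectOrBodyContainsWords, DeleteMessage) are the Exchange inbox-rule parameters of those names, assumed here to be recorded as a list of Name/Value pairs.

```python
"""Screen mailbox-rule audit records for the patterns CISA describes.

Added example, not from CISA's advisory. SAMPLE_EVENTS is constructed to
resemble Exchange Online New-InboxRule audit entries (Operation plus a
Parameters list of Name/Value pairs); the exact record layout of a real
tenant's audit log is an assumption here.
"""
import json

INTERNAL_DOMAINS = {"example.test"}                 # constructed tenant domain
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
KEYWORD_PARAMS = {"SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"}
WARNING_KEYWORDS = {"phish", "hacked", "password", "suspicious", "security", "compromised"}
# Folders a user rarely opens, which is why attackers file warnings there.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "archive", "deleted items", "junk email"}

SAMPLE_EVENTS = [  # constructed audit records
    {"UserId": "alice@example.test", "Operation": "New-InboxRule", "ClientIP": "203.0.113.5",
     "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectOrBodyContainsWords", "Value": "phishing;hacked;password;suspicious"},
         {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
         {"Name": "MarkAsRead", "Value": "True"}]},
    {"UserId": "bob@example.test", "Operation": "New-InboxRule", "ClientIP": "198.51.100.7",
     "Parameters": [
         {"Name": "Name", "Value": "Invoices"},
         {"Name": "SubjectContainsWords", "Value": "invoice;wire;payment"},
         {"Name": "ForwardTo", "Value": "finance-archive@attacker.example"}]},
    {"UserId": "carol@example.test", "Operation": "New-InboxRule", "ClientIP": "192.0.2.10",
     "Parameters": [
         {"Name": "Name", "Value": "Newsletter"},
         {"Name": "From", "Value": "news@vendor.example"},
         {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]


def params_of(event):
    """Flatten the Name/Value list into a plain dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}


def is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def score_rule(event):
    """Return the list of reasons a single rule looks suspicious (empty if none)."""
    p = params_of(event)
    reasons = []
    # 1. Forwarding or redirecting mail outside the tenant.
    for name in sorted(FORWARD_PARAMS & set(p)):
        targets = [t.strip() for t in p[name].replace(";", ",").split(",") if t.strip()]
        if any(is_external(t) for t in targets):
            reasons.append(f"{name} to external address")
    # 2. Filing into a folder the user will not look at, or deleting outright.
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"MoveToFolder={p['MoveToFolder']}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage")
    # 3. Conditions keyed on the words a security warning would contain.
    words = set()
    for name in KEYWORD_PARAMS & set(p):
        words |= {w.strip().lower() for w in p[name].replace(",", ";").split(";")}
    hits = {w for w in words if any(k in w for k in WARNING_KEYWORDS)}
    if hits:
        reasons.append("keyword filter on " + ",".join(sorted(hits)))
    # 4. Blank or single-dot names are a common way to keep a rule inconspicuous.
    if not p.get("Name", "").strip(" ."):
        reasons.append("blank/dot rule name")
    return reasons


def find_suspicious_rules(events):
    """Apply score_rule to every rule-creation or rule-change record."""
    findings = []
    for ev in events:
        if ev.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        reasons = score_rule(ev)
        if reasons:
            findings.append({"user": ev["UserId"], "ip": ev.get("ClientIP"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_rules(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

On the constructed records, alice’s rule is flagged on three counts (the RSS Subscriptions destination, the warning-keyword filter, and the dot name) and bob’s on external forwarding, while carol’s ordinary newsletter rule passes. Rule creation from an IP that also differs from the user’s usual sign-in location is worth correlating with the finding, since the advisory ties these rules to accounts reached through phishing.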
The FBI also warned US organizations about scammers abusing auto-forwarding rules on web-based email clients in Business Email Compromise (BEC) attacks.
Attacks not linked to SolarWinds hackers
CISA also said that this activity isn’t explicitly linked to the threat actors behind the SolarWinds supply-chain attack or the other recent malicious activity.
The attacks CISA refers to have regularly targeted employees who used company-provided or personal devices to access their organizations’ cloud services from home.
Weak cyber hygiene practices were the most common cause behind the success of the attacks, despite the use of security solutions.
The information shared today was collected exclusively during several CISA incident response engagements, and the advisory also contains “recommended mitigations for organizations to strengthen their cloud environment configuration to guard against, detect, and respond to potential attacks.”
Today’s advisory also provides indicators of compromise and tactics, techniques, and procedures (TTPs) that will further help admins and security teams respond effectively to attacks targeting their organizations’ cloud assets.
CISA’s advisory contains measures organizations can take to strengthen their cloud security configurations and block attacks targeting their cloud services.
Last Friday, the agency issued another security alert regarding the SolarWinds threat actor’s use of password spraying and password guessing attacks, as well as exploitation of poorly secured credentials, to breach victims instead of using the Sunburst backdoor.
A National Security Agency advisory from December 2020 also warned of hackers forging cloud authentication information to gain access to targets’ cloud resources.