CISA Alert Concerning Hackers Exploiting Poor Cyber Hygiene to Access Cloud Environments

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about threat actors exploiting poor cyber hygiene to gain access to business cloud environments. The alert was issued after CISA noticed a spike in attacks on companies that have switched to a mostly remote workforce because of the pandemic.

Although the hackers associated with the SolarWinds Orion supply chain attack used a few of the techniques specified in the report, these techniques were not tied to any particular threat group. Several threat actors are using the techniques to get access to cloud environments and steal sensitive information.

According to the alert, threat actors are employing various methods, techniques, and processes to attack cloud environments. These include phishing attacks, brute force attacks to guess weak passwords, exploitation of unpatched vulnerabilities, and exploitation of weaknesses in cloud security practices.

Phishing is frequently employed to acquire credentials for remote access to cloud assets and programs. Phishing emails usually contain links to malicious web pages where credentials are collected. Where there is no multi-factor authentication, the attackers can use the stolen credentials to access online resources. The phishing emails usually appear to be safe messages and contain hyperlinks to seemingly legitimate file hosting account services. The breached email accounts are then used to send more phishing emails to other employees within the organization. These internally sent phishing emails usually link to files within what seems to be the company’s file hosting service.

There were instances where auto-forwarding rules were created in the breached email accounts to gather sensitive emails, or search rules were set up to identify and gather sensitive information. “Besides changing current user email rules, the threat actors made new mailbox rules that sent a number of messages obtained by the users (particularly, messages with a number of keywords related to phishing) to the legit users’ Really Simple Syndication (RSS) Feeds or RSS Subscriptions folder to try to prevent legitimate users from seeing the warnings.”

Besides using phishing emails to acquire login information, attackers use brute force tactics to guess weak passwords. In a lot of instances, brute force and phishing attacks obtained valid credentials but were foiled by multi-factor authentication, which prevented the stolen credentials from being used; nevertheless, CISA discovered one attack in which the attacker bypassed multi-factor authentication to obtain access to cloud resources using ‘pass-the-cookie’ techniques. A pass-the-cookie attack entails using a stolen cookie from a previously authenticated session to sign into online services or web applications. These attacks can succeed even if a company has properly implemented multi-factor authentication.

Threat actors are targeting remote workers who use personally owned devices or company-issued devices to connect to their company’s cloud resources. Although companies have deployed security solutions to block these attacks, many attacks succeeded because of poor cyber hygiene practices.

In the notification, CISA specified the following best practices for strengthening cyber hygiene and reinforcing cloud security configurations to prevent attacks on cloud services.

  • Apply conditional access
  • Review Active Directory logs and unified audit logs for suspicious activity
  • Enforce MFA for all users
  • Review email forwarding rules on a regular basis
  • Adhere to guidance on protecting privileged access
  • Resolve client site requests internal to the network
  • IT teams must adopt a zero-trust mindset
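The mailbox-rule abuse described earlier and the recommendation to review forwarding rules regularly can be turned into a repeatable check. The following is an added example, not code from the CISA alert: it assumes mailbox rules have been exported as records with field names modelled on Exchange Online's Get-InboxRule output, and the internal domain list, keyword list and sample records are constructed for illustration.

```python
import re

# Assumptions (not from the alert): your own mail domains and the keyword list.
INTERNAL_DOMAINS = {"example.com"}
WARNING_KEYWORDS = {"phish", "phishing", "spam", "hacked", "compromised"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions"}  # folders named in the alert
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def external_targets(rule):
    """Return forward/redirect addresses whose domain is not internal."""
    found = []
    for field in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for entry in rule.get(field) or []:
            m = ADDR_RE.search(entry)
            if m and m.group(1).lower() not in INTERNAL_DOMAINS:
                found.append(m.group(0).lower())
    return found


def review_rule(rule):
    """Return findings for one mailbox rule; an empty list means not flagged."""
    findings = []
    ext = external_targets(rule)
    if ext:
        findings.append("forwards outside the organisation: " + ", ".join(ext))
    folder = (rule.get("MoveToFolder") or "").strip().lower()
    if folder in HIDING_FOLDERS:
        words = {w.lower() for w in rule.get("SubjectOrBodyContainsWords") or []}
        hits = sorted(words & WARNING_KEYWORDS)
        detail = f" (keywords: {', '.join(hits)})" if hits else ""
        findings.append(f"moves mail to '{rule['MoveToFolder']}'{detail}")
    return findings


def review_rules(rules):
    """Map 'mailbox/rule name' to findings for every flagged rule."""
    report = {}
    for rule in rules:
        findings = review_rule(rule)
        if findings:
            report[f"{rule['MailboxOwnerId']}/{rule['Name']}"] = findings
    return report


# Constructed sample records; not real data.
SAMPLE_RULES = [
    {"MailboxOwnerId": "alice", "Name": "Newsletters", "MoveToFolder": "Newsletters"},
    {"MailboxOwnerId": "bob", "Name": ".", "MoveToFolder": "RSS Feeds",
     "SubjectOrBodyContainsWords": ["phishing", "hacked", "invoice"]},
    {"MailboxOwnerId": "carol", "Name": "fwd", "ForwardTo": ['"c" [SMTP:drop@mail.example.net]']},
    {"MailboxOwnerId": "dave", "Name": "To assistant", "ForwardTo": ['"Erin" [SMTP:erin@example.com]']},
]
```

Flagged rules are leads for review rather than proof of compromise, since users also create forwarding and filing rules for legitimate reasons.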

Specific suggestions were also given to help business organizations protect their M365 environments.

Enterprise companies can read CISA’s Analysis Report, Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services, and carry out the recommendations.