Cloud Attacks Are Bypassing MFA, Warns CISA in US!

Share This Post

CISA in the US has issued an alert warning that cloud services at US organisations are being actively & successfully targeted.

The Feds are warning that cyber-criminals are bypassing Multi-Factor Authentication (MFA) & successfully attacking cloud services at various US organisations.

Says an alert issued on Wed. by the US Cyber-Security & Infrastructure Security Agency (CISA), there have been “several recent successful cyber-attacks” focused on compromising the cloud. Most of the attacks are opportunistic, taking advantage of poor cloud cyber-hygiene & misconfigurations, according to the agency.

Cloud Services

“These types of attacks frequently occurred when victim organisations’ employees worked remotely & used a mixture of corporate laptops & personal devices to access their respective cloud services,” the alert outlined.

“Despite the use of security tools, affected organisations typically had weak cyber-hygiene practices that allowed threat actors to conduct successful attacks.”

In 1 case, an organisation did not need a virtual private network (VPN) for remote employees accessing the corporate network.

Firewall

“Although their terminal server was located within their firewall, due to remote work posture, the terminal server was configured with port 80 open to allow remote employees to access it—leaving the organisation’s network vulnerable to brute-forcing,” CISA explained.

The agency also noted that phishing & possibly a “pass-the-cookie” attack have been the primary attack routes for the cloud attacks.

Phishing & Bypassing MFA

Regarding phishing, targets are being sent emails containing malicious links, which purport to take users to a “secure message.” Other emails masquerade as alerts for legitimate file hosting services. In both cases, the links take targets to a phishing page, where they are asked to provide account credentials. The cyber-criminals thus harvest these & use them to log into cloud services.

“CISA observed the actors’ logins originating from foreign locations (although the actors could have been using a proxy or The Onion Router (Tor) to obfuscate their location),” says the alert.

“The actors then sent emails from the user’s account to phish other accounts within the organisation. In some cases, these emails included links to documents within what appeared to be the organisation’s file-hosting service.”

 

Bypass MFA

Also, attackers have been able to bypass MFA using a “pass-the-cookie” attack. Browser cookies are used to store user authentication information so a website can keep a user signed in.

The authentication information is stored in a cookie after the MFA test is satisfied, so the user is not prompted for an MFA check again.

Thus, if attackers extract the right browser cookies they can authenticate as a targeted user in a separate browser session, bypassing all MFA checkpoints.

As explained in a recent posting from Stealthbits, an attacker would need to convince a user to click on a phishing email or otherwise compromise a user’s system, after which it is possible to execute code on the machine.

Appropriate Cookie

A simple command would allow an attacker to extract the appropriate cookie.

“It is important to note that not understanding the weaknesses and potential hacking bypasses of MFA is almost as bad as not using it,” explained Roger Grimes, Data-Driven Defence Evangelist at KnowBe4.

Magical Defence

“If you think you are far less likely to be hacked because of MFA & that is not true, then you are more likely to let your defences down. If you understand how MFA can be attacked, & share that with the end users of the MFA & designers of the systems that it relies on, you are more likely to get a better, less risky outcome.

The key is to realise that everything can be hacked. MFA does not impart some special, magical defence that no hacker can penetrate. Instead, strong security awareness training around any MFA solution is crucial, because to do otherwise is to be unprepared & more at risk.”

Exploiting Forwarding Rules

CISA commented that it has also observed threat players, post-initial compromise, collecting sensitive information by taking advantage of email forwarding rules.

Forwarding rules let users to send work-emails to their personal email accounts – a useful thing for remote workers.

CISA said that it has observed threat actors modifying an existing email rule on a user’s account to redirect the emails to attacker-controlled accounts.

Finance-Related Keywords

“Threat actors also modified existing rules to search users’ email messages (subject & body) for several finance-related keywords (which contained spelling mistakes) and forward the emails to the threat actors’ account,” according to the agency.

“The threat actors also created new mailbox rules that forwarded certain messages received by the users, specifically, messages with certain phishing-related keywords to the legitimate users’ RSS  Feeds or RSS Subscriptions folder in an effort to prevent warnings from being seen by the legitimate users.”

Cloud Security

Cloud adoption, hastened by CoVID-19 work realities, will only accelerate in the year ahead with software-as-a-service, cloud-hosted processes & storage driving the charge. A study by Rebyc found that 35% of companies polled stated that they plan to accelerate work migration to the cloud in 2021.

Budget allocations to cloud security will double as companies wish to protect cloud buildouts in 2021, according to Gartner.

“Companies by shifting the responsibility & work of running hardware & software infrastructure to cloud providers, leveraging the economics of cloud elasticity, benefiting from the pace of innovation in sync with public cloud providers, & more,” commented David Smith, distinguished VP Analyst at Gartner.

Vulnerabilities

So, cloud applications & environments are increasingly in the viewfinder of attackers. In Dec. for example, the National Security Agency (NSA) issued a warning that threat players have developed techniques to use vulnerabilities in on-premises network access to compromise the cloud.

“Malicious cyber-actors are abusing trust in federated authentication environments to access protected data,” this advisory read. “The exploitation occurs after the actors have gained initial access to a victim’s on-premises network.

Privileged Access

The players use privileged access in the on-premises environment to subvert the mechanisms that the organisation uses to grant access to cloud & on-premises resources, and/or to compromise administrator credentials with the ability to manage cloud resources.”

Virtual Conference January 2021

More To Explore

Community Area

Books

Home Workouts

Recipe

spaghetti Bolognese
Days
Hours
Minutes
Seconds