Hackers were able to bypass multi-factor authentication (MFA) in at least one case in a recent spate of attacks on cloud service accounts, according to a warning issued by the US Cybersecurity and Infrastructure Security Agency (CISA).

Security busted

(ISC)² and the CSA will offer a new Certified Cloud Security Professional (CCSP) credential
– Thinkstock / maxkabakov

“CISA is aware of several recent successful cyberattacks against various organizations’ cloud services. Threat actors used a variety of tactics and techniques, including phishing and brute force logins, to attempt to exploit weaknesses in cloud security practices,” the Agency warned last night.

It has also released an analysis based on the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework to help organizations respond.

“The cyber threat actors involved in these attacks used a variety of tactics and techniques – including phishing, brute force login attempts, and possibly a ‘pass-the-cookie’ attack – to attempt to exploit weaknesses in the victim organizations’ cloud security practices,” the analysis warned.

Pass-the-cookie attacks involve attackers stealing authentication cookies from the browsers of compromised PCs. This enables attackers to bypass various authentication protocols because the cookie embodies the final authentication token issued after all the security measures have been passed. Furthermore, such cookies can persist for an extended period of time, providing plenty of time and leeway for attackers.

The Agency also warned that the attackers did not stop there, but sought to compromise further accounts by using their initial account compromise to phish other accounts in the same organization, using the organization’s own hosting service to host their own malicious attachments, making them appear more authentic.

“In one case, an organization did not require a virtual private network (VPN) for accessing the corporate network. Although their terminal server was located within their firewall, due to remote work posture, the terminal server was configured with port 80 open to allow remote employees to access it - leaving the organization’s network vulnerable. The threat actor attempted to exploit this by launching brute force login attempts,” added the analysis.

CISA issued a number of recommendations to organizations running services in the cloud to help further improve their security. These include, among a number of other measures:

  • Implement conditional access (CA) policies based upon your organization's needs;
  • Establish a baseline for normal network activity within your environment;
  • Routinely review both Active Directory sign-in logs and unified audit logs for anomalous activity;
  • Enforce MFA; and,
  • Routinely review user-created email forwarding rules and alerts, or restrict forwarding.

The warning follows on from a supply-chain attack in SolarWinds, a major supplier of remote monitoring and management tools, last year. That attack potentially compromised a number of US government agencies in a campaign that has been linked with the Russian government. However, CISA added that its latest warning is not necessarily linked to the same group behind the SolarWinds attack.

It also comes at a time when organizations are looking to cloud to better handle surges in demand and as a means of navigating the mid- and post-pandemic world.

Further reading