The Cybersecurity and Infrastructure Security Agency (CISA) has advised users and organizations to strengthen their cloud security configurations after detecting multiple attacks targeting cloud services. In a security advisory, the agency stated that cybercriminals used advanced phishing and other attack vectors to exploit poorly configured cloud services.
Brute Force and Pass-the-Cookie Attacks
CISA claimed that attackers leveraged a variety of tactics and techniques, including phishing, brute force login attempts, and pass-the-cookie attacks to exploit loopholes in an organization’s cloud security practices.
In a pass-the-cookie attack, the attacker steals a user’s authenticated session cookie and replays it to gain unrestricted access to the victim’s resources. Because the cookie represents a session that has already been authenticated, even multi-factor authentication can be bypassed using this technique.
“These types of attacks frequently occurred when victim organizations’ employees worked remotely and used a mixture of corporate laptops and personal devices to access their respective cloud services. Despite the use of security tools, affected organizations typically had weak cyber hygiene practices that allowed threat actors to conduct successful attacks,” CISA said.
- In several engagements, CISA observed threat actors collecting sensitive information by taking advantage of email forwarding rules, which users had set up to forward work emails to their personal email accounts.
- CISA determined that the malicious actors modified an existing email rule on a user’s account—originally set by the user to forward emails sent from a certain sender to a personal account—to redirect the emails to an account controlled by the actors. The adversaries updated the rule to forward all email to their accounts.
- Attackers also modified existing rules to search users’ email messages (subject and body) for several finance-related keywords (which contained spelling mistakes) and forward the emails to their accounts.
- In addition to modifying existing user email rules, they created new mailbox rules that forwarded certain messages received by the users (specifically, messages with certain phishing-related keywords) to the legitimate users’ Really Simple Syndication (RSS) Feeds or RSS Subscriptions folder in a bid to prevent legitimate users from seeing the warnings.
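The mailbox-rule abuse described above (editing a rule to forward all mail externally, keyword-triggered forwarding, and rules that file security warnings into the RSS folders) leaves a clear trail in mailbox audit events. The following Python is an added example, not code from CISA or the advisory: it scans constructed records modelled on the shape of Microsoft 365 Unified Audit Log inbox-rule events (an `Operation` of `New-InboxRule` or `Set-InboxRule` plus a `Parameters` list) and flags the three patterns. The tenant domain `example.com`, the sample addresses and the parameter values are assumptions made for the example.

```python
"""Flag inbox-rule audit events matching the forwarding-abuse patterns."""
import re
from typing import Any, Dict, List, Tuple

# Constructed sample events, modelled on the shape of Unified Audit Log
# inbox-rule records. They are illustrative, not data from the advisory.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # existing rule edited so that all mail now goes to an outside mailbox
        "CreationTime": "2021-01-05T08:12:44", "UserId": "alice@example.com",
        "Operation": "Set-InboxRule",
        "Parameters": [{"Name": "Identity", "Value": "Forward to personal"},
                       {"Name": "ForwardTo", "Value": "collector@mail-attacker.example"}],
    },
    {   # new rule keyed on misspelt finance terms, forwarding externally
        "CreationTime": "2021-01-05T08:15:02", "UserId": "alice@example.com",
        "Operation": "New-InboxRule",
        "Parameters": [{"Name": "Name", "Value": "Finance"},
                       {"Name": "SubjectOrBodyContainsWords", "Value": "invoce;paymnet;wire tranfer"},
                       {"Name": "ForwardTo", "Value": "collector@mail-attacker.example"}],
    },
    {   # new rule hiding phishing warnings in the RSS Subscriptions folder
        "CreationTime": "2021-01-05T08:16:31", "UserId": "alice@example.com",
        "Operation": "New-InboxRule",
        "Parameters": [{"Name": "Name", "Value": "."},
                       {"Name": "SubjectContainsWords", "Value": "phishing;suspicious;hacked"},
                       {"Name": "MoveToFolder", "Value": "alice@example.com:\\RSS Subscriptions"}],
    },
    {   # benign: a user files newsletters and forwards nothing
        "CreationTime": "2021-01-05T09:00:10", "UserId": "bob@example.com",
        "Operation": "New-InboxRule",
        "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                       {"Name": "FromAddressContainsWords", "Value": "newsletter"},
                       {"Name": "MoveToFolder", "Value": "bob@example.com:\\Newsletters"}],
    },
]

CORPORATE_DOMAINS = {"example.com"}   # assumption: the organisation's own mail domains
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDING_FOLDERS = {"rss feeds", "rss subscriptions"}
KEYWORD_PARAMS = ("SubjectContainsWords", "SubjectOrBodyContainsWords", "BodyContainsWords")
WARNING_WORDS = {"phish", "suspicious", "hack", "malware", "compromis", "password"}


def rule_parameters(event: Dict[str, Any]) -> Dict[str, str]:
    """Flatten the Parameters list into a name -> value mapping."""
    return {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}


def external_recipients(value: str, corporate_domains: set) -> List[str]:
    """Return the recipients whose domain is not one of the organisation's own."""
    addrs = [a.strip().strip('"') for a in re.split(r"[;,]", value) if a.strip()]
    return [a for a in addrs
            if "@" in a and a.rsplit("@", 1)[1].lower() not in corporate_domains]


def evaluate_rule_event(event: Dict[str, Any],
                        corporate_domains: set = CORPORATE_DOMAINS) -> List[str]:
    """Return human-readable findings for one rule-creation or rule-change event."""
    if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = rule_parameters(event)
    findings: List[str] = []
    # Pattern 1 and 2: the rule sends mail outside the organisation.
    for name in FORWARDING_PARAMS:
        if name in p:
            ext = external_recipients(p[name], corporate_domains)
            if ext:
                findings.append(f"{name} sends mail outside the organisation: {', '.join(ext)}")
    # Pattern 3: the rule files mail into a folder users rarely read,
    # and does so for messages that look like security warnings.
    folder = p.get("MoveToFolder", "").rsplit("\\", 1)[-1].strip().lower()
    if folder in HIDING_FOLDERS:
        findings.append(f"MoveToFolder targets a rarely read folder: {folder!r}")
        words = ";".join(p.get(k, "") for k in KEYWORD_PARAMS).lower()
        if any(w in words for w in WARNING_WORDS):
            findings.append("rule filters on security-warning keywords")
    return findings


def audit_events(events: List[Dict[str, Any]],
                 corporate_domains: set = CORPORATE_DOMAINS) -> List[Tuple[str, str, List[str]]]:
    """Evaluate every event and keep only those with at least one finding."""
    results = []
    for e in events:
        findings = evaluate_rule_event(e, corporate_domains)
        if findings:
            results.append((e["UserId"], e["Operation"], findings))
    return results


if __name__ == "__main__":
    for user, operation, findings in audit_events(SAMPLE_EVENTS):
        print(f"{user} {operation}")
        for f in findings:
            print("   -", f)
```

Run against the unified audit log export on a schedule rather than once: the advisory's point is that a rule the user legitimately created can be quietly edited later, so `Set-InboxRule` events on existing rules deserve the same scrutiny as new rules.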
How to Mitigate?
CISA also recommended certain security steps for organizations to strengthen their cloud security practices. These include:
- Implement conditional access (CA) policies based upon your organization’s needs.
- Establish a baseline for normal network activity within your environment.
- Routinely review both Active Directory sign-in logs and unified audit logs for anomalous activity.
- Have a mitigation plan or procedures in place; understand when, how, and why to reset passwords and to revoke session tokens.
- Verify that all cloud-based virtual machine instances with a public IP do not have open Remote Desktop Protocol (RDP) ports. Place any system with an open RDP port behind a firewall and require users to use a VPN to access it through the firewall.
- Focus on awareness and training. Make employees aware of the threats—such as phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
- Establish blame-free employee reporting and ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.
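Two of the recommendations above (establishing a baseline of normal activity and routinely reviewing sign-in logs for anomalies) can be made concrete with a small amount of code. The following Python is an added example and is not code from CISA or the advisory: it builds a per-user baseline of countries and client applications seen in successful sign-ins, then flags later sign-ins from an unseen country or client, and bursts of failed sign-ins of the kind produced by brute-force login attempts. The simplified event tuple, the sample users and the placeholder country code `XX` are assumptions made for the example.

```python
"""Baseline per-user sign-in activity and flag deviations and failure bursts."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sign-in events in a simplified shape:
# (user, UTC time, source country, client application, outcome).
# They are illustrative, not data from the advisory.
SignIn = Tuple[str, str, str, str, str]

BASELINE_EVENTS: List[SignIn] = [
    ("alice@example.com", "2021-01-04T08:01:00", "US", "Browser", "Success"),
    ("alice@example.com", "2021-01-04T13:22:00", "US", "Browser", "Success"),
    ("alice@example.com", "2021-01-05T08:05:00", "US", "Outlook", "Success"),
    ("bob@example.com",   "2021-01-04T09:10:00", "US", "Browser", "Success"),
    ("bob@example.com",   "2021-01-05T09:12:00", "GB", "Browser", "Success"),
]

NEW_EVENTS: List[SignIn] = [
    ("alice@example.com", "2021-01-06T08:03:00", "US", "Browser", "Success"),  # normal
    ("alice@example.com", "2021-01-06T03:41:00", "XX", "IMAP4", "Success"),    # unseen country and client
    ("bob@example.com",   "2021-01-06T02:00:00", "XX", "IMAP4", "Failure"),    # start of a failure burst
    ("bob@example.com",   "2021-01-06T02:00:30", "XX", "IMAP4", "Failure"),
    ("bob@example.com",   "2021-01-06T02:01:00", "XX", "IMAP4", "Failure"),
    ("bob@example.com",   "2021-01-06T02:01:30", "XX", "IMAP4", "Failure"),
    ("bob@example.com",   "2021-01-06T02:02:00", "XX", "IMAP4", "Failure"),
    ("bob@example.com",   "2021-01-06T02:03:00", "XX", "IMAP4", "Success"),    # burst followed by success
]

Baseline = Dict[str, Dict[str, Set[str]]]


def build_baseline(events: List[SignIn]) -> Baseline:
    """Record, per user, the countries and clients seen in successful sign-ins."""
    baseline: Baseline = defaultdict(lambda: {"countries": set(), "clients": set()})
    for user, _ts, country, client, outcome in events:
        if outcome == "Success":
            baseline[user]["countries"].add(country)
            baseline[user]["clients"].add(client)
    return baseline


def flag_anomalies(baseline: Baseline, events: List[SignIn],
                   failure_threshold: int = 5,
                   window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str, str]]:
    """Return (user, time, reason) for sign-ins that deviate from the baseline."""
    findings: List[Tuple[str, str, str]] = []
    recent_failures: Dict[str, List[datetime]] = defaultdict(list)
    for user, ts, country, client, outcome in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        known = baseline.get(user, {"countries": set(), "clients": set()})
        if outcome == "Failure":
            # Keep only failures inside the sliding window; report once per burst.
            recent_failures[user].append(when)
            recent_failures[user] = [t for t in recent_failures[user] if when - t <= window]
            if len(recent_failures[user]) == failure_threshold:
                findings.append((user, ts, f"{failure_threshold} failed sign-ins within {window}"))
            continue
        if country not in known["countries"]:
            findings.append((user, ts, f"successful sign-in from unseen country {country}"))
        if client not in known["clients"]:
            findings.append((user, ts, f"successful sign-in with unseen client {client}"))
    return findings


if __name__ == "__main__":
    for user, ts, reason in flag_anomalies(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(f"{ts} {user}: {reason}")
```

A finding of this kind is the trigger for the mitigation plan the advisory asks for: the sequence for bob (a burst of failures, then a success from a country and client never seen before) is exactly the point at which to reset the password and revoke the session tokens rather than only alert.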