Criminals are Bypassing MFA to Access Organisation's Cloud Services
The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to companies to better protect their cloud-based accounts after several recent successful attacks.
According to an advisory published by CISA, an increasing number of attacks have succeeded as more employees have begun to work remotely with a variety of corporate laptops and personal devices during the COVID-19 pandemic.
CISA has observed that the attackers have used a variety of techniques, including phishing and brute force login attempts to exploit human weaknesses and the security configuration of corporate cloud accounts.
In one case, described in the advisory, an organisation failed to require use of a VPN when accessing its corporate network, and the intentionally lax configuration designed to make it easier for remote workers to access systems left the organisation’s network vulnerable to anybody to access through a brute-force login attack.
In other instances, malicious hackers had been seen phishing for users’ cloud service account login credentials through email phishing attacks that claimed to link to a “secure message” hosted on a legitimate site which required users to login.
“After a targeted recipient provided their credentials, the threat actors then used the stolen credentials to gain initial access to the user’s cloud service account.” “CISA observed the actors’ logins originating from foreign locations (although the actors could have been using a proxy or The Onion Router (Tor) to obfuscate their location). The actors then sent emails from the user’s account to phish other accounts within the organization. In some cases, these emails included links to documents within what appeared to be the organization’s file hosting service.”
Perhaps most interestingly of all, CISA warned that it had seen evidence that cybercriminals had successfully bypassed the highly-recommended security measure of multi-factor authentication (MFA) to compromise cloud service accounts.
In the case it cited, CISA said it believed the malicious hackers may have used a “pass-the-cookie” attack to waltz around MFA.
It’s worth bearing in mind that although multi-factor authentication is undoubtedly an excellent way to harden your security and make it harder for criminals to break into an account, that does not mean that it makes it impossible for a determined hacker.
For instance, in March 2018 the cryptocurrency exchange Binance halted all withdrawals after emergency systems spotted a two minute period of abnormal trading activity.
It later transpired that phishing attacks had taken users to a site purporting to be Binance, which asked them to enter their password and MFA codes. As the MFA code remained valid for 30 seconds, it could be used by the attackers to generate a trading API key for the genuine site.
Although it’s clear that attackers can circumvent MFA through social engineering and technical attacks, that doesn’t mean that you shouldn’t use it. In Microsoft’s own words, “your account is more than 99.9% less likely to be compromised if you use MFA.”
Clearly, users still need to be cautious that they are only entering their MFA codes on genuine sites, and not on a bogus site created by an attacker in an attempt to steal and use them for their own ends.
Once they have gained access to a company’s cloud-based service, of course, a cybercriminal has many tricks up their sleeve – including being able to gather information about an organisation, exfiltrate data, attack the systems of other employees and partners, and set up mail-forwarding rules to continue to access sensitive information even if login credentials are later changed to block future access.
CISA has published a long list of recommendations on its website that can help organisations strengthen their cloud security practices, including the enforcement of multi-factor authentication, restrictions on email forwarding, a recommendation not to use personal devices for work, and a focus on security awareness training for employees.
According to an advisory published by CISA, an increasing number of attacks have succeeded as more employees have begun to work remotely with a variety of corporate laptops and personal devices during the COVID-19 pandemic.
CISA has observed that the attackers have used a variety of techniques, including phishing and brute force login attempts to exploit human weaknesses and the security configuration of corporate cloud accounts.
In one case, described in the advisory, an organisation failed to require use of a VPN when accessing its corporate network, and the intentionally lax configuration designed to make it easier for remote workers to access systems left the organisation’s network vulnerable to anybody to access through a brute-force login attack.
In other instances, malicious hackers had been seen phishing for users’ cloud service account login credentials through email phishing attacks that claimed to link to a “secure message” hosted on a legitimate site which required users to login.
“After a targeted recipient provided their credentials, the threat actors then used the stolen credentials to gain initial access to the user’s cloud service account.” “CISA observed the actors’ logins originating from foreign locations (although the actors could have been using a proxy or The Onion Router (Tor) to obfuscate their location). The actors then sent emails from the user’s account to phish other accounts within the organization. In some cases, these emails included links to documents within what appeared to be the organization’s file hosting service.”
Perhaps most interestingly of all, CISA warned that it had seen evidence that cybercriminals had successfully bypassed the highly-recommended security measure of multi-factor authentication (MFA) to compromise cloud service accounts.
In the case it cited, CISA said it believed the malicious hackers may have used a “pass-the-cookie” attack to waltz around MFA.
It’s worth bearing in mind that although multi-factor authentication is undoubtedly an excellent way to harden your security and make it harder for criminals to break into an account, that does not mean that it makes it impossible for a determined hacker.
For instance, in March 2018 the cryptocurrency exchange Binance halted all withdrawals after emergency systems spotted a two minute period of abnormal trading activity.
It later transpired that phishing attacks had taken users to a site purporting to be Binance, which asked them to enter their password and MFA codes. As the MFA code remained valid for 30 seconds, it could be used by the attackers to generate a trading API key for the genuine site.
Although it’s clear that attackers can circumvent MFA through social engineering and technical attacks, that doesn’t mean that you shouldn’t use it. In Microsoft’s own words, “your account is more than 99.9% less likely to be compromised if you use MFA.”
Clearly, users still need to be cautious that they are only entering their MFA codes on genuine sites, and not on a bogus site created by an attacker in an attempt to steal and use them for their own ends.
Once they have gained access to a company’s cloud-based service, of course, a cybercriminal has many tricks up their sleeve – including being able to gather information about an organisation, exfiltrate data, attack the systems of other employees and partners, and set up mail-forwarding rules to continue to access sensitive information even if login credentials are later changed to block future access.
CISA has published a long list of recommendations on its website that can help organisations strengthen their cloud security practices, including the enforcement of multi-factor authentication, restrictions on email forwarding, a recommendation not to use personal devices for work, and a focus on security awareness training for employees.
