Cloud Attacks Are Bypassing MFA, Feds Warn

cloud attacks mfa bypass

CISA has issued an alert warning that cloud services at U.S. organizations are being actively and successfully targeted.

The Feds are warning that cybercriminals are bypassing multi-factor authentication (MFA) and successfully attacking cloud services at various U.S. organizations.

According to an alert issued Wednesday by the Cybersecurity and Infrastructure Security Agency (CISA), there have been “several recent successful cyberattacks” focused on compromising the cloud. Most of the attacks are opportunistic, taking advantage of poor cloud cyber-hygiene and misconfigurations, according to the agency.

“These types of attacks frequently occurred when victim organizations’ employees worked remotely and used a mixture of corporate laptops and personal devices to access their respective cloud services,” the alert outlined. “Despite the use of security tools, affected organizations typically had weak cyber-hygiene practices that allowed threat actors to conduct successful attacks.”

2020 Reader Survey: Share Your Feedback to Help Us Improve

For instance, in one case, an organization did not require a virtual private network (VPN) for remote employees accessing the corporate network.

“Although their terminal server was located within their firewall, due to remote work posture, the terminal server was configured with port 80 open to allow remote employees to access it—leaving the organization’s network vulnerable [to brute-forcing],” CISA explained.

The agency also noted that phishing and possibly a “pass-the-cookie” attack have been the primary attack vectors for the cloud attacks.

Phishing and Bypassing MFA

On the phishing front, targets are being sent emails containing malicious links, which purport to take users to a “secure message.” Other emails masquerade as alerts for legitimate file hosting services. In both cases, the links take targets to a phishing page, where they’re asked to provide account credentials. The cybercriminals thus harvest these and use them to log into cloud services.

“CISA observed the actors’ logins originating from foreign locations (although the actors could have been using a proxy or The Onion Router (Tor) to obfuscate their location),” according to the alert. “The actors then sent emails from the user’s account to phish other accounts within the organization. In some cases, these emails included links to documents within what appeared to be the organization’s file-hosting service.”

Meanwhile, attackers have been able to bypass MFA using a “pass-the-cookie” attack. Browser cookies are used to store user authentication information so a website can keep a user signed in. The authentication information is stored in a cookie after the MFA test is satisfied, so the user isn’t prompted for an MFA check again.

Thus, if attackers extract the right browser cookies they can authenticate as a targeted user in a separate browser session, bypassing all MFA checkpoints. As explained in a recent posting from Stealthbits, an attacker would need to convince a user to click on a phishing email or otherwise compromise a user’s system, after which it’s possible to execute code on the machine. A simple command would allow an attacker to extract the appropriate cookie.

“It is important to note that not understanding the weaknesses and potential hacking bypasses of MFA is almost as bad as not using it,” said Roger Grimes, data-driven defense evangelist at KnowBe4, via email. “If you think you’re far less likely to be hacked because of MFA (and that isn’t true), then you are more likely to let your defenses down. But if you understand how MFA can be attacked, and share that with the end users of the MFA and designers of the systems that it relies on, you’re more likely to get a better, less risky outcome. The key is to realize that everything can be hacked. MFA doesn’t impart some special, magical defense that no hacker can penetrate. Instead, strong security awareness training around any MFA solution is crucial, because to do otherwise is to be unprepared and more at risk.”

Exploiting Forwarding Rules

CISA said that it has also observed threat actors, post-initial compromise, collecting sensitive information by taking advantage of email forwarding rules.

Forwarding rules allow users to send work emails to their personal email accounts – a useful feature for remote workers.

CISA said that it has observed threat actors modifying an existing email rule on a user’s account to redirect the emails to attacker-controlled accounts.

“Threat actors also modified existing rules to search users’ email messages (subject and body) for several finance-related keywords (which contained spelling mistakes) and forward the emails to the threat actors’ account,” according to the agency. “The threat actors [also] created new mailbox rules that forwarded certain messages received by the users (specifically, messages with certain phishing-related keywords) to the legitimate users’ RSS  Feeds or RSS Subscriptions folder in an effort to prevent warnings from being seen by the legitimate users.”

Cloud Security

Cloud adoption, spurred by pandemic work realities, will only accelerate in the year ahead with software-as-a-service, cloud-hosted processes and storage driving the charge. A study by Rebyc found that 35 percent of companies surveyed said they plan to accelerate workload migration to the cloud in 2021.

Budget allocations to cloud security will double as companies look to protect cloud buildouts in the year ahead, according to Gartner.

“[Companies] by shifting the responsibility and work of running hardware and software infrastructure to cloud providers, leveraging the economics of cloud elasticity, benefiting from the pace of innovation in sync with public cloud providers, and more,” said David Smith, distinguished VP Analyst at Gartner.

Accordingly, cloud applications and environments are increasingly in the sights of attackers. In December for instance, the National Security Agency issued a warning that threat actors have developed techniques to leverage vulnerabilities in on-premises network access to compromise the cloud.

“Malicious cyber-actors are abusing trust in federated authentication environments to access protected data,” the advisory read. “The exploitation occurs after the actors have gained initial access to a victim’s on-premises network. The actors leverage privileged access in the on-premises environment to subvert the mechanisms that the organization uses to grant access to cloud and on-premises resources and/or to compromise administrator credentials with the ability to manage cloud resources.”

Supply-Chain Security: A 10-Point Audit Webinar: Is your company’s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts – part of a limited-engagement and LIVE Threatpost webinar. CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: Register Now and reserve a spot for this exclusive Threatpost Supply-Chain Security webinar – Jan. 20, 2 p.m. ET.



Suggested articles