CISA details attacks on cloud services

The Cybersecurity and Infrastructure Security Agency warned of attacks that leverage phishing and email forwarding vulnerabilities as well as one that bypassed multifactor authentication.

The Cybersecurity and Infrastructure Security Agency said it verified an incident where threat actors may have defeated multifactor authentication to log into an organization’s cloud services. They likely used a “pass-the-cookie” attack that uses stolen session cookies to authenticate to web applications and services, CISA said.

The news came in a Jan. 14 analysis report that described attacks on cloud services that exploit phishing, email forwarding vulnerabilities and brute-force attacks. The bad actors generally infiltrated organizations by exploiting poor cyber hygiene associated with remote employees using both corporate laptops and personal devices to access their organization’s cloud services.

Phishing emails containing malicious links aimed to harvest user credentials for cloud service accounts. Some of those emails included a link to what appeared to be a secure message, and others linked to what looked like a legitimate file hosting account login. After gaining access, the threat actors then sent emails from the victim’s account to phish other accounts within the organization. In some cases, CISA said, these emails included links to documents that appeared to be on the organization’s network.

When employees used an email rule to forward work mail to their personal accounts, threat actors sometimes changed the forwarding rule to route email to themselves. In other cases, the attackers modified existing rules to search for finance-related keywords in a victim’s email and then forwarded those emails to themselves. Another technique forwarded emails containing keywords the attackers were interested in to an RSS subscription folder the victim was unlikely to check.

CISA’s recommendations include the usual security practices: requiring multifactor authentication, deploying filtering and detection products, monitoring logs, securing privileged access, limiting the use of personal devices, auditing email rules and stepped-up training.

Additionally, CISA suggests organizations using cloud services:

  • Verify that all cloud-based virtual machine instances with a public IP do not have open Remote Desktop Protocol ports.
  • Disable PowerShell remoting to Exchange Online for regular Microsoft 365 users.
  • Do not allow an unlimited number of unsuccessful login attempts.

Organizations should also conduct forensic content searches across the entire Microsoft 365 environment, including mailboxes, Teams, SharePoint and OneDrive, for evidence of malicious activity. Using open-source PowerShell-based tools, IT teams can investigate and audit intrusions and potential breaches in Azure/Office 365.
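The email-rule audit CISA recommends can be sketched as a check over exported inbox rules for the three tampering patterns described above. This is an added example, not code from CISA or the original article. The rule field names follow the properties of Exchange Online's Get-InboxRule output; the export shape, the Mailbox column, the domains, the keyword list, the folder names and the baseline of previously approved forwarding targets are assumptions.

```python
INTERNAL_DOMAINS = {"example.org"}                        # assumption: the organization's mail domains
WATCH_WORDS = {"invoice", "payment", "wire", "payroll"}   # assumption: sample finance terms
QUIET_FOLDERS = {"rss subscriptions", "rss feeds"}        # assumption: folders users rarely open
FORWARD_FIELDS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
KEYWORD_FIELDS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")

def forward_targets(rule):
    """All addresses the rule sends mail to, lower-cased."""
    return {a.lower() for f in FORWARD_FIELDS for a in rule.get(f) or []}

def audit_rule(rule, baseline):
    """Return finding labels for one rule (empty list means nothing flagged)."""
    targets = forward_targets(rule)
    external = {a for a in targets if a.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS}
    words = {w.lower() for f in KEYWORD_FIELDS for w in rule.get(f) or []}
    folder = (rule.get("MoveToFolder") or "").lower()
    known = baseline.get((rule["Mailbox"], rule["Name"]))
    findings = []
    if external:                        # mail leaves the organization
        findings.append("external-forward")
    if known is not None and targets != known:   # destination differs from last audit
        findings.append("forward-target-changed")
    if external and words & WATCH_WORDS:         # finance keywords sent outside
        findings.append("finance-keyword-forward")
    if words and folder in QUIET_FOLDERS:        # keyword matches parked out of sight
        findings.append("keyword-to-quiet-folder")
    return findings

def audit(rules, baseline):
    """Map (mailbox, rule name) to findings, keeping only flagged rules."""
    flagged = ((r, audit_rule(r, baseline)) for r in rules)
    return {(r["Mailbox"], r["Name"]): f for r, f in flagged if f}

# Constructed sample data (not taken from the CISA report).
BASELINE = {("alice@example.org", "Fwd home"): {"alice.home@example.net"}}
RULES = [
    {"Mailbox": "alice@example.org", "Name": "Fwd home", "ForwardTo": ["inbox7@example.com"]},
    {"Mailbox": "bob@example.org", "Name": "Filter",
     "SubjectOrBodyContainsWords": ["Invoice", "Wire"], "ForwardTo": ["collector@example.com"]},
    {"Mailbox": "carol@example.org", "Name": "News",
     "BodyContainsWords": ["contract"], "MoveToFolder": "RSS Subscriptions"},
    {"Mailbox": "dave@example.org", "Name": "Team", "ForwardTo": ["team@example.org"]},
]

if __name__ == "__main__":
    for key, found in audit(RULES, BASELINE).items():
        print(key, found)
```

An employee's own forward to a personal account is also reported as external-forward; the baseline comparison is what separates an unchanged personal forward from one whose destination has been swapped.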

This article first appeared on GCN.