
CISA: Hackers bypassed MFA to access cloud service accounts

In a new alert, the Cybersecurity and Infrastructure Security Agency (CISA) announced that it is aware of several recent successful cyberattacks against various organizations’ cloud services. Threat actors are using phishing and other vectors to exploit poor cyber hygiene practices within victims’ cloud services configurations.

These types of attacks frequently occurred when victim organizations’ employees worked remotely and used a mixture of corporate laptops and personal devices to access their respective cloud services. Despite the use of security tools, affected organizations typically had weak cyber hygiene practices that allowed threat actors to conduct successful attacks.

The cyber threat actors involved in these attacks used a variety of tactics and techniques—including phishing, brute force login attempts, and possibly a “pass-the-cookie” attack—to attempt to exploit weaknesses in the victim organizations’ cloud security practices.

In response, CISA has released Analysis Report AR21-013A: Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services, which provides technical details and indicators of compromise to help detect and respond to potential attacks, as well as recommended mitigations for organizations to strengthen their cloud environment configuration to protect against, detect, and respond to potential attacks.

According to Tim Wade, Technical Director, CTO Team at Vectra, “Managing IT hygiene and improving awareness against phishing continue to be themes that are hammered when discussing successful cyberattacks, but it’s critically important to acknowledge that perfection in both these cases is a fool’s errand and so CISA’s recommendation for a robust detection and response capability is spot on. Whether against known IT hygiene related weaknesses, or unknown weaknesses, an organization’s ability to quickly zero in on an active risk and then take appropriate action to reduce the impact is the difference between a successful security operations team and an organization finding their name in a headline story on cyberattacks.

A few observations:

  • Despite CISA recommendations to enable multi-factor authentication (MFA) on all users, without exception, MFA bypass was observed to be part of this attack. It is important for organizations to recognize the importance of MFA, even as they realize it is not a silver bullet.
  • The malicious use of electronic discovery (eDiscovery) continues to be highlighted as a technique employed by threat actors, and organizations must ensure they’re prepared to identify when eDiscovery tools are abused.
  • Mail-forwarding, as simple as it sounds, continues to evade security teams as an exfiltration and collection method.
  • On a practical level, the guidance to baseline an organization’s traditional IT and cloud networks is infeasible in practice without the use of AI and Machine Learning techniques.

Wade adds, “Most importantly, while preventative approaches may be necessary to raise the effort an adversary must exert to successfully attack an organization, a key takeaway of the last quarter must be that prevention will fail, and overreliance on prevention is a loser’s strategy. Unless and until organizations can successfully identify and disrupt attacks in real time, as an industry we will continue to see successfully executed attacks.”
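The mail-forwarding observation above is the kind of gap a simple audit-log check can close. The following is an added example, not code from the article, Vectra or the CISA report: it scans constructed mailbox-rule audit records and flags rules that forward or redirect mail to domains outside the organization. The record layout and the operation and parameter names are assumptions modelled on mailbox-rule cmdlet parameters, not any vendor's exact log schema.

```python
# Added example (not from the article or the CISA report): flag mailbox
# inbox rules that forward to external domains. Records are constructed;
# field names are assumptions modelled on mailbox-rule cmdlet parameters.
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}

# Constructed audit records: one benign internal forward, one rule that only
# sorts mail, and two rules that send mail outside the organization.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "op": "New-InboxRule",
     "params": {"Name": "Backup", "ForwardTo": "a.backup@webmail.example",
                "DeleteMessage": "True"}},
    {"user": "bob@example.com", "op": "Set-InboxRule",
     "params": {"Name": "Team", "ForwardTo": "team@example.com"}},
    {"user": "carol@example.com", "op": "New-InboxRule",
     "params": {"Name": "Invoices", "SubjectContainsWords": "invoice;wire",
                "ForwardAsAttachmentTo": "drop@mail.example"}},
    {"user": "dave@example.com", "op": "New-InboxRule",
     "params": {"Name": "Sort", "MoveToFolder": "Archive"}},
]


def _domain(address: str) -> str:
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def find_external_forwarding(events: list, internal_domains) -> list:
    """Return one finding per rule that forwards or redirects mail externally."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for ev in events:
        if ev.get("op") not in RULE_OPS:
            continue
        params = ev.get("params", {})
        external = sorted(
            addr.strip() for p in FORWARD_PARAMS
            for addr in params.get(p, "").split(";")
            if addr.strip() and _domain(addr) not in internal)
        if not external:
            continue
        flags = []  # extra signals: hiding the forward, targeted collection
        if str(params.get("DeleteMessage", "")).lower() == "true":
            flags.append("deletes-original")
        if any(k.endswith("ContainsWords") for k in params):
            flags.append("keyword-filter")
        findings.append({"user": ev["user"], "rule": params.get("Name"),
                         "external": external, "flags": flags})
    return findings
```

Calling `find_external_forwarding(SAMPLE_EVENTS, {"example.com"})` returns the two externally forwarding rules, each annotated with whether it deletes the original message or filters on keywords.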

Brendan O’Connor, CEO and Co-Founder at AppOmni, notes that phishing users for their passwords has been a problem for decades, and the best way to address that problem has been, and remains, ensuring 2-step authentication is enabled comprehensively and consistently.

O’Connor says, “The more dangerous, and stealthy, threat is when attackers find data that has been unintentionally exposed to the world. You don’t need to steal a user’s password if a misconfiguration or exposed API grants the entire Internet access to your sensitive data. Compromising a user through phishing may grant an attacker access to some, or all, of that user’s data. But misconfiguring a cloud service or exposing a privileged API may grant the outside world access to ALL of the data in the system. It’s the difference between stealing a hotel room key, or finding that all of the locks on all of the rooms aren’t working.”

Sound scary? It is, O’Connor says. Over the course of hundreds of risk assessments, AppOmni sees in more than 95% of cases that external users have access to sensitive data which should be restricted internally, he notes. “In more than half of all assessments we perform, we find critically sensitive data exposed to the anonymous Internet without any need for a password at all.”

Vishal Jain, CTO at Valtix, notes, “Cloud is all about automation. However, enterprises need to ensure that appropriate security controls are in place that can keep up with the automation that cloud presents. Leaders of these enterprises should also keep in mind that cloud is really perimeter-less, unlike their on-prem datacenter. Therefore, they need to be careful in bringing on-prem technologies and solutions to the cloud. Old solutions cannot make that leap.”

Source: https://www.securitymagazine.com/articles/94346-cisa-hackers-bypassed-mfa-to-access-cloud-service-accounts
