In a new alert, the Cybersecurity and Infrastructure Security Agency (CISA) announced that it is aware of several recent successful cyberattacks against various organizations’ cloud services. Threat actors are using phishing and other vectors to exploit poor cyber hygiene practices in victims’ cloud service configurations.

These types of attacks frequently occurred when victim organizations’ employees worked remotely and used a mixture of corporate laptops and personal devices to access their respective cloud services. Despite the use of security tools, affected organizations typically had weak cyber hygiene practices that allowed threat actors to conduct successful attacks.

The cyber threat actors involved in these attacks used a variety of tactics and techniques—including phishing, brute force login attempts, and possibly a “pass-the-cookie” attack—to attempt to exploit weaknesses in the victim organizations’ cloud security practices.

In response, CISA has released Analysis Report AR21-013A: Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services, which provides technical details and indicators of compromise to help organizations detect and respond to these attacks, along with recommended mitigations for strengthening cloud environment configurations so that organizations can better protect against, detect, and respond to them.

According to Tim Wade, Technical Director, CTO Team at Vectra, “Managing IT hygiene and improving awareness against phishing continue to be themes that are hammered when discussing successful cyberattacks, but it’s critically important to acknowledge that perfection in both these cases is a fool’s errand, and so CISA’s recommendation for a robust detection and response capability is spot on. Whether against known IT hygiene related weaknesses, or unknown weaknesses, an organization’s ability to quickly zero in on an active risk and then take appropriate action to reduce the impact is the difference between a successful security operations team and an organization finding their name in a headline story on cyberattacks.

A few observations:

  • Despite CISA recommendations to enable multi-factor authentication (MFA) for all users, without exception, MFA bypass was observed to be part of this attack. It is important for organizations to recognize the importance of MFA, even as they realize it is not a silver bullet.
  • The malicious use of electronic discovery (eDiscovery) continues to be highlighted as a technique employed by threat actors, and organizations must ensure they’re prepared to identify when eDiscovery tools are abused.
  • Mail-forwarding, as simple as it sounds, continues to evade security teams as an exfiltration and collection method.
  • On a practical level, the guidance to baseline an organization’s traditional IT and cloud networks is infeasible in practice without the use of AI and Machine Learning techniques.

Wade adds, "Most importantly, while preventative approaches may be necessary to raise the effort an adversary must exert to successfully attack an organization, a key takeaway of the last quarter must be that prevention will fail, and overreliance on prevention is a loser’s strategy. Unless and until organizations can successfully identify and disrupt attacks in real time, as an industry we will continue to see successfully executed attacks."
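Wade's observation that mail-forwarding keeps slipping past security teams is one that defenders can check for directly in their own tenant's audit trail. The script below is an added example, not code from CISA, Vectra, or this article: it scans Microsoft 365 Unified Audit Log records (Exchange workload) for inbox rules or mailbox settings that forward mail to addresses outside the organization, and notes when the rule also deletes the original message, which hides the forwarding from the mailbox owner. The record layout (Operation, UserId, Parameters as Name/Value pairs) follows the Exchange audit schema as I know it; the sample records, domain names and IP addresses are constructed, and `find_external_forwarding` and `demo` are names chosen here.

```python
"""Flag mailbox rules and settings that forward mail outside the organization.

Input: Microsoft 365 Unified Audit Log records (Exchange workload) as dicts,
e.g. the output of Search-UnifiedAuditLog parsed from JSON.  The records
below are constructed samples, not real data.
"""
import re

# Parameters on New-InboxRule / Set-InboxRule / Set-Mailbox that send a copy
# of mail somewhere else.
FORWARDING_PARAMS = {
    "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",   # inbox rules
    "ForwardingSmtpAddress", "ForwardingAddress",         # mailbox-level
}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample records (hypothetical tenant example.com).
SAMPLE_RECORDS = [
    {"CreationTime": "2021-01-10T09:12:44", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": ["drop [SMTP:drop@attacker.example]"]},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2021-01-10T10:01:02", "Operation": "Set-InboxRule",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Move newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2021-01-11T07:30:15", "Operation": "New-InboxRule",
     "UserId": "carol@example.com", "ClientIP": "203.0.113.55",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "RedirectTo", "Value": "carol.personal@mailbox.example"}]},
    {"CreationTime": "2021-01-11T08:00:00", "Operation": "Set-Mailbox",
     "UserId": "admin@example.com", "ClientIP": "192.0.2.4",
     "Parameters": [{"Name": "Identity", "Value": "dave@example.com"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:dave.backup@example.com"}]},
    {"CreationTime": "2021-01-11T08:05:00", "Operation": "Set-Mailbox",
     "UserId": "admin@example.com", "ClientIP": "192.0.2.4",
     {"Name": "Identity", "Value": "erin@example.com"} if False else "Parameters":
         [{"Name": "Identity", "Value": "erin@example.com"},
          {"Name": "ForwardingSmtpAddress", "Value": "smtp:erin@attacker.example"}]},
    {"CreationTime": "2021-01-11T09:00:00", "Operation": "UserLoggedIn",
     "UserId": "frank@example.com", "ClientIP": "203.0.113.9", "Parameters": []},
]


def _addresses(value):
    """Extract SMTP addresses from a parameter value.  The log may give a plain
    string ("smtp:x@y"), a display form ("x [SMTP:x@y]") or a list of either."""
    items = value if isinstance(value, list) else [value]
    found = []
    for item in items:
        found.extend(a.lower() for a in EMAIL_RE.findall(str(item)))
    return found


def find_external_forwarding(records, internal_domains):
    """Return one finding per record that forwards mail to a non-internal domain."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPS:
            continue
        params = {p.get("Name"): p.get("Value") for p in rec.get("Parameters", [])}
        targets = []
        for name in FORWARDING_PARAMS.intersection(params):
            targets.extend(_addresses(params[name]))
        external = sorted({t for t in targets if t.split("@", 1)[1] not in internal})
        if not external:
            continue
        # Mailbox-level changes name the target mailbox in Identity; inbox-rule
        # changes act on the actor's own mailbox.
        mailbox = params.get("Identity") or rec.get("UserId")
        findings.append({
            "time": rec.get("CreationTime"),
            "actor": rec.get("UserId"),
            "mailbox": mailbox,
            "operation": rec["Operation"],
            "external_targets": external,
            # Deleting after forwarding keeps the owner from noticing the rule.
            "deletes_original": str(params.get("DeleteMessage", "")).lower() == "true",
            "client_ip": rec.get("ClientIP"),
        })
    return findings


def demo():
    """Run the detector over the constructed samples for tenant example.com."""
    return find_external_forwarding(SAMPLE_RECORDS, {"example.com"})


if __name__ == "__main__":
    for f in demo():
        print(f"{f['time']} {f['operation']} on {f['mailbox']} by {f['actor']} "
              f"-> {', '.join(f['external_targets'])}"
              f"{' (deletes original)' if f['deletes_original'] else ''}")
```

In practice the records come from `Search-UnifiedAuditLog -RecordType ExchangeItem` or a SIEM export; the same check should run on a schedule rather than once, since attackers typically add the rule shortly after the initial phish and before anyone reviews the mailbox.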

Brendan O’Connor, CEO and Co-Founder at AppOmni, notes that phishing has been a problem for decades. He suggests the best way to address that problem is to ensure two-step authentication is enabled comprehensively and consistently.

O'Connor says, "The more dangerous, and stealthy, threat is when attackers find data that has been unintentionally exposed to the world. You don’t need to steal a user’s password if a misconfiguration or exposed API grants the entire Internet access to your sensitive data. Compromising a user through phishing may grant an attacker access to some, or all, of that user’s data. But misconfiguring a cloud service or exposing a privileged API may grant the outside world access to ALL of the data in the system. It's the difference between stealing a hotel room key, or finding that all of the locks on all of the rooms aren’t working."

Sound scary? It is, O'Connor says. Over the course of hundreds of risk assessments, AppOmni sees in more than 95% of cases that external users have access to sensitive data which should be restricted internally, he notes. "In more than half of all assessments we perform, we find critically sensitive data exposed to the anonymous Internet without any need for a password at all."

Vishal Jain, CTO at Valtix, notes, “Cloud is all about automation. However, enterprises need to ensure that appropriate security controls are in place that can keep up with the automation that cloud presents. Leaders of these enterprises should also keep in mind that cloud is really perimeter-less, unlike their on-prem datacenter. Therefore, they need to be careful in bringing on-prem technologies and solutions to the cloud. Old solutions cannot make that leap.”

Stefano De Blasi, Threat Researcher at Digital Shadows, a San Francisco, Calif.-based provider of digital risk protection solutions, says, "The cyberattacks detailed by the Cybersecurity and Infrastructure Security Agency (CISA) highlight, once again, how phishing attacks remain highly successful despite being one of the most known threats in the security landscape. These attacks use social engineering techniques to lure users into clicking on malicious links, inadvertently disclosing credentials and personally identifiable information (PII)."

De Blasi adds, "This threat is even more pressing when organizations are not following standard cyber hygiene practices. Applying preventive measures can be a time-consuming task for organizations worried about business continuity but can go a long way in minimizing their attack surface. For example, as many organizations are transitioning to cloud hosting services, using a Virtual Private Network (VPN) is fundamental to ensure that remote workers can securely access corporate networks. Successfully preventing phishing attacks requires a two-fold approach given the hybrid nature of this threat. From a defensive point of view, security teams can update all systems with the latest security patches, have anti-virus software properly installed, and use a web filter that blocks malicious websites. Additionally, as phishing attacks exploit human behavior, it is fundamental to provide employees with frequent and consistent training that includes critically evaluating links and attachments, and how to report suspicious emails."