CISA: Hackers bypassed MFA to access cloud service accounts


The US Cybersecurity and Infrastructure Security Agency (CISA) said today that threat actors bypassed multi-factor authentication (MFA) protocols to compromise cloud service accounts.

"CISA is aware of several recent successful cyberattacks against various organizations’ cloud services," the cybersecurity agency said on Wednesday.

"The cyber threat actors involved in these attacks used a variety of tactics and techniques—including phishing, brute force login attempts, and possibly a 'pass-the-cookie' attack—to attempt to exploit weaknesses in the victim organizations’ cloud security practices."

Enabling MFA is not always enough

While threat actors tried to gain access to some targets' cloud assets via brute force attacks, they failed because they could not guess the correct credentials or because the attacked organization had MFA enabled.


However, in at least one incident, attackers successfully signed into a user's account even though the target had MFA enabled.


CISA believes the threat actors defeated MFA as part of a 'pass-the-cookie' attack, in which attackers hijack an already authenticated session by using stolen session cookies to log into online services or web apps. Because such a cookie represents a session that has already passed the MFA check, replaying it lets the attacker skip the second factor entirely.


The agency also observed attackers using the initial access gained by phishing employee credentials to phish other user accounts within the same organization, abusing what looked like the organization's file hosting service to host their malicious attachments.


In other cases, the threat actors were seen modifying or setting up email forwarding rules and search rules to automatically collect sensitive and financial information from compromised email accounts.

"In addition to modifying existing user email rules, the threat actors created new mailbox rules that forwarded certain messages received by the users (specifically, messages with certain phishing-related keywords) to the legitimate users’ Really Simple Syndication (RSS) Feeds or RSS Subscriptions folder in an effort to prevent warnings from being seen by the legitimate users," CISA added.


The FBI also warned US organizations about scammers abusing auto-forwarding rules on web-based email clients in Business Email Compromise (BEC) attacks.
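A defender-side check for the two rule-abuse patterns described above (keyword-triggered rules that bury security warnings in the RSS folders, and auto-forwarding to outside addresses), as an added example that is not code from the article or from CISA's advisory; the rule shape, the watch lists and the sample rules are all constructed assumptions:

```python
# Added example, not code from the article or from CISA's advisory: triage
# mailbox rules for the patterns described above, over constructed sample data
# shaped loosely like Exchange Online inbox rules.
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed watch lists: terms seen in security warnings, and folders users rarely open.
WARNING_TERMS = {"phish", "suspicious", "security alert", "password"}
HIDDEN_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "conversation history"}

@dataclass
class InboxRule:
    name: str
    owner: str
    subject_contains: list[str] = field(default_factory=list)
    move_to_folder: str | None = None
    forward_to: list[str] = field(default_factory=list)
    delete_message: bool = False

def suspicious_reasons(rule: InboxRule, internal_domain: str) -> list[str]:
    """Return the reasons a rule looks like attacker-created mail hiding or collection."""
    reasons = []
    terms = [t.lower() for t in rule.subject_contains]
    if any(w in t for t in terms for w in WARNING_TERMS):
        reasons.append("condition matches security-warning keywords")
    if rule.move_to_folder and rule.move_to_folder.lower() in HIDDEN_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{rule.move_to_folder}'")
    external = [a for a in rule.forward_to if not a.lower().endswith("@" + internal_domain)]
    if external:
        reasons.append("forwards to external address(es): " + ", ".join(external))
    if rule.delete_message and terms:
        reasons.append("deletes messages matching a keyword condition")
    return reasons

def triage_rules(rules: list[InboxRule], internal_domain: str) -> dict[str, list[str]]:
    """Map each suspicious rule (keyed owner:name) to its reasons; benign rules are omitted."""
    findings = {}
    for rule in rules:
        reasons = suspicious_reasons(rule, internal_domain)
        if reasons:
            findings[f"{rule.owner}:{rule.name}"] = reasons
    return findings

# Constructed sample rules for a fictional tenant example.com (not real data).
SAMPLE_RULES = [
    InboxRule("Newsletters", "alice@example.com", ["newsletter"], move_to_folder="Newsletters"),
    InboxRule("Sync", "alice@example.com", ["phishing", "suspicious sign-in"], move_to_folder="RSS Subscriptions"),
    InboxRule("Invoices", "bob@example.com", ["invoice", "payment"], forward_to=["collect@attacker-mail.invalid"]),
]
```

Running `triage_rules(SAMPLE_RULES, "example.com")` flags the "Sync" and "Invoices" rules and leaves the newsletter rule alone; in a real tenant the rules would come from the mail platform's rule export rather than the inline sample.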

Attacks not linked to SolarWinds hackers

CISA also said that this activity is not explicitly linked to the threat actors behind the SolarWinds supply-chain attack or any other recent malicious activity.


The attacks CISA refers to have regularly targeted employees who used company-provided or personal devices while accessing their organizations' cloud services from home.


Weak cyber hygiene practices were the main cause behind the success of the attacks, despite the use of security solutions.


The information shared today was collected exclusively during several CISA incident response engagements, and the advisory also contains "recommended mitigations for organizations to strengthen their cloud environment configuration to protect against, detect, and respond to potential attacks."


Today's advisory also provides indicators of compromise and tactics, techniques, and procedures (TTPs) that can further help admins and security teams to effectively respond to attacks targeting their organizations' cloud assets.


CISA's advisory contains measures organizations can take to strengthen their cloud security configurations and block attacks targeting their cloud services.


Last Friday, the agency issued another security alert regarding the SolarWinds threat actor's use of password spraying and password guessing attacks, as well as exploiting poorly secured credentials to breach victims instead of using the Sunburst backdoor.


A National Security Agency advisory from December 2020 also warned of hackers forging cloud authentication information to gain access to targets' cloud resources.

Source: CISA: Hackers bypassed MFA to access cloud service accounts
