Septu comment: This article refers to the Cybersecurity and Infrastructure Security Agency analysis report that came out yesterday regarding MFA bypass (the report says there is no link to SolarWinds but I don’t really buy that, as M365 is mentioned a number of times, and CISA put out a report about five days ago about ‘threat activity in Microsoft cloud environments’ resulting from the SolarWinds compromise). CISA recommends enforcement of MFA, and recognises that it has successfully protected a number of accounts that were recently targeted with brute force techniques. However, they also warn that MFA can – in some cases – be circumvented by techniques such as ‘pass-the-cookie’ whereby an attacker effectively steals the key generated by a bona fide authentication done in one place, and uses it elsewhere for malicious purposes.
The US Cybersecurity and Infrastructure Security Agency (CISA) said today that threat actors bypassed multi-factor authentication (MFA) protocols to compromise cloud service accounts.
“CISA is aware of several recent successful cyberattacks against various organizations’ cloud services,” the cybersecurity agency said on Wednesday.
“The cyber threat actors involved in these attacks used a variety of tactics and techniques—including phishing, brute force login attempts, and possibly a ‘pass-the-cookie’ attack—to attempt to exploit weaknesses in the victim organizations’ cloud security practices.”
Enabling MFA is not always enough
While threat actors tried gaining access to some of their targets’ cloud assets via brute force attacks, they failed because they could not guess the correct credentials or because the attacked organization had MFA enabled.
CISA believes that the threat actors were able to defeat MFA as part of a ‘pass-the-cookie’ attack, in which attackers hijack an already authenticated session by using stolen session cookies to log into online services or web apps.
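The defensive counterpart to the pass-the-cookie technique described above is to watch for an authenticated session being used from a client other than the one that completed MFA. The following is an added example, not CISA's or BleepingComputer's code: it assumes a simplified web-access log in which each record carries a session identifier derived from the session cookie (never the raw cookie value), the source IP and the User-Agent, and the sample records are constructed.

```python
"""Flag authenticated web sessions that are reused from a different client.

Added example (not from the CISA advisory). A replayed session cookie shows up
as the same session identifier appearing with a different source IP and/or
User-Agent than the client that completed MFA. Field names and sample records
below are assumptions constructed for this example.
"""
from collections import defaultdict

# Constructed sample log records. "session" is an identifier derived from the
# session cookie (e.g. a hash), so the log never stores the cookie itself.
SAMPLE_EVENTS = [
    {"ts": "2021-01-13T09:00:00", "user": "alice", "session": "sess-a1",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/87",
     "event": "mfa_success"},
    {"ts": "2021-01-13T09:05:12", "user": "alice", "session": "sess-a1",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/87",
     "event": "request"},
    # Same session id, hours later, different IP and a different browser/OS.
    {"ts": "2021-01-13T14:31:40", "user": "alice", "session": "sess-a1",
     "ip": "198.51.100.77", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/84",
     "event": "request"},
    {"ts": "2021-01-13T10:00:00", "user": "bob", "session": "sess-b7",
     "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Macintosh) Safari/14",
     "event": "mfa_success"},
    {"ts": "2021-01-13T10:20:00", "user": "bob", "session": "sess-b7",
     "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Macintosh) Safari/14",
     "event": "request"},
    # IP changed but the client fingerprint did not: weaker signal (VPN, mobile).
    {"ts": "2021-01-13T11:00:00", "user": "bob", "session": "sess-b7",
     "ip": "192.0.2.99", "ua": "Mozilla/5.0 (Macintosh) Safari/14",
     "event": "request"},
]


def detect_session_reuse(events):
    """Return findings for requests whose client differs from the MFA client.

    Each finding records the session, user, timestamp, the reasons it was
    flagged and a severity: 'high' when the User-Agent changed mid-session,
    'medium' when only the source IP changed.
    """
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_session[e["session"]].append(e)

    findings = []
    for sid, recs in by_session.items():
        # The MFA event establishes the client that legitimately owns the session.
        auth = next((r for r in recs if r["event"] == "mfa_success"), None)
        if auth is None:
            continue  # no authentication event in scope: nothing to compare against
        for r in recs:
            if r["event"] == "mfa_success":
                continue
            reasons = []
            if r["ip"] != auth["ip"]:
                reasons.append(f"source ip changed {auth['ip']} -> {r['ip']}")
            if r["ua"] != auth["ua"]:
                reasons.append("user-agent changed mid-session")
            if reasons:
                findings.append({
                    "session": sid, "user": r["user"], "ts": r["ts"],
                    "severity": "high" if r["ua"] != auth["ua"] else "medium",
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in detect_session_reuse(SAMPLE_EVENTS):
        print(f["severity"], f["user"], f["session"], f["ts"], "; ".join(f["reasons"]))
```

A change of source IP alone is common on mobile networks and VPNs, so it is scored lower than a User-Agent change; in practice the session identifier should be matched against the service's own sign-in records (or the identity provider's session events) rather than a generic access log, and the response to a high-severity finding is to revoke the session and its refresh tokens, not just to alert.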
The agency also observed attackers using initial access gained after phishing employee credentials to phish other user accounts within the same organization by abusing what looked like the organization’s file hosting service to host their malicious attachments.
In other cases, the threat actors were seen modifying or setting up email forwarding rules and search rules to automatically collect sensitive and financial information from compromised email accounts.
“In addition to modifying existing user email rules, the threat actors created new mailbox rules that forwarded certain messages received by the users (specifically, messages with certain phishing-related keywords) to the legitimate users’ Really Simple Syndication (RSS) Feeds or RSS Subscriptions folder in an effort to prevent warnings from being seen by the legitimate users,” CISA added.
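The mailbox-rule behaviour CISA describes in the two paragraphs above (forwarding rules that collect mail, and rules that bury security warnings in the RSS folders) is straightforward to triage once the rules have been exported. The following is an added example, not code from CISA or the article: it takes inbox rules as dictionaries whose keys are modelled on a subset of Exchange Online inbox-rule properties (Name, Enabled, MoveToFolder, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, SubjectContainsWords and similar), and the sample rules and domains are constructed.

```python
"""Triage exported inbox rules for the hiding and forwarding patterns CISA reported.

Added example (not from the CISA advisory). Input is a list of dicts whose keys
are modelled on Exchange Online inbox-rule properties; the sample rules and the
organization domain are constructed for this example. Two behaviours are
flagged: diverting mail into folders users rarely read (especially when the
condition matches security/phishing keywords), and forwarding or redirecting
mail to addresses outside the organization's domains.
"""
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items",
                  "junk email", "junk e-mail", "archive", "conversation history"}
SUSPICIOUS_KEYWORDS = {"phish", "hack", "suspicious", "password", "security",
                       "fraud", "malware", "compromised", "helpdesk", "mfa"}

# Constructed sample rules. MoveToFolder follows the "mailbox:\Folder" shape.
SAMPLE_RULES = [
    {"MailboxOwnerId": "alice@example.com", "Name": "RSS cleanup", "Enabled": True,
     "SubjectOrBodyContainsWords": ["phishing", "hacked", "password"],
     "MoveToFolder": "alice@example.com:\\RSS Subscriptions", "MarkAsRead": True},
    {"MailboxOwnerId": "bob@example.com", "Name": "Invoices to partner", "Enabled": True,
     "SubjectContainsWords": ["invoice", "payment"],
     "ForwardTo": ["accounts@attacker-mail.example"]},
    {"MailboxOwnerId": "carol@example.com", "Name": "Newsletters", "Enabled": True,
     "SubjectContainsWords": ["newsletter"],
     "MoveToFolder": "carol@example.com:\\Newsletters"},
    {"MailboxOwnerId": "dave@example.com", "Name": "Old rule", "Enabled": False,
     "MoveToFolder": "dave@example.com:\\Deleted Items"},
    {"MailboxOwnerId": "frank@example.com", "Name": "Junk newsletters", "Enabled": True,
     "SubjectContainsWords": ["newsletter"],
     "MoveToFolder": "frank@example.com:\\Junk Email"},
]


def _external(addresses, org_domains):
    """Addresses whose domain is not one of the organization's own."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in org_domains]


def triage_inbox_rules(rules, org_domains):
    """Return a finding per suspicious rule: mailbox, rule name, severity, reasons."""
    org_domains = {d.lower() for d in org_domains}
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue  # disabled rules still merit review, but are out of scope here
        reasons = []

        # Normalise "mailbox:\Parent\Folder" to the leaf folder name.
        folder = (rule.get("MoveToFolder") or "").rsplit("\\", 1)[-1].strip().lower()
        words = [w.lower() for key in ("SubjectContainsWords", "BodyContainsWords",
                                       "SubjectOrBodyContainsWords")
                 for w in (rule.get(key) or [])]
        keyword_hits = [w for w in words if any(k in w for k in SUSPICIOUS_KEYWORDS)]

        if folder in HIDING_FOLDERS:
            reasons.append(f"moves matching mail to '{folder}'")
        if rule.get("DeleteMessage"):
            reasons.append("deletes matching mail")
        external = _external((rule.get("ForwardTo") or []) + (rule.get("RedirectTo") or [])
                             + (rule.get("ForwardAsAttachmentTo") or []), org_domains)
        if external:
            reasons.append("forwards/redirects outside the org: " + ", ".join(external))
        if reasons and keyword_hits:
            reasons.append("condition matches security keywords: " + ", ".join(keyword_hits))

        if reasons:
            hiding_warnings = bool(keyword_hits) and (folder in HIDING_FOLDERS
                                                     or rule.get("DeleteMessage"))
            findings.append({
                "mailbox": rule.get("MailboxOwnerId"), "rule": rule.get("Name"),
                "severity": "high" if (hiding_warnings or external) else "medium",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage_inbox_rules(SAMPLE_RULES, ["example.com"]):
        print(f["severity"], f["mailbox"], repr(f["rule"]), "; ".join(f["reasons"]))
```

A rule that both matches words such as "phishing" or "password" and moves mail to the RSS folders is exactly the pattern quoted above and is scored high; a rule that only diverts newsletters to Junk is scored medium so an analyst still sees it. Rules created through the mailbox's own interface do not always appear in the tenant audit log with a clear actor, so the exported rule set should be compared against a known-good baseline per mailbox rather than reviewed in isolation.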
The FBI also warned US organizations about scammers abusing auto-forwarding rules on web-based email clients in Business Email Compromise (BEC) attacks.
Attacks not linked to SolarWinds hackers
CISA also said that this activity is not explicitly linked to the threat actors behind the SolarWinds supply-chain attack or any other recent malicious activity.
The attacks CISA refers to have regularly targeted employees who used company-provided or personal devices while accessing their organizations’ cloud services from home.
Weak cyber hygiene practices were the main cause behind the success of the attacks, despite the use of security solutions.
The information shared today was collected exclusively during several CISA incident response engagements, and the advisory also contains “recommended mitigations for organizations to strengthen their cloud environment configuration to protect against, detect, and respond to potential attacks.”
Today’s advisory also provides indicators of compromise and tactics, techniques, and procedures (TTPs) that can further help admins and security teams to effectively respond to attacks targeting their organizations’ cloud assets.
CISA’s advisory contains measures organizations can take to strengthen their cloud security configurations and block attacks targeting their cloud services.
Last Friday, the agency issued another security alert regarding the SolarWinds threat actor’s use of password spraying and password guessing attacks, as well as exploiting poorly secured credentials to breach victims instead of using the Sunburst backdoor.
A National Security Agency advisory from December 2020 also warned of hackers forging cloud authentication information to gain access to targets’ cloud resources.
Source: BleepingComputer