Written by: Jay H.
According to the US Cybersecurity and Infrastructure Security Agency, weak cyber hygiene practices are responsible for a string of new successful cloud attacks. Despite having security measures such as multi-factor authentication (MFA), other bad practices allowed cybercriminals to conduct cloud attacks on organizations.
The attackers used various methods, including phishing, brute force login attempts, and “pass-the-cookie” attacks, to exploit weaknesses in the organization’s cloud security practices. A common denominator, the report adds, is that the “victim organizations’ employees worked remotely and used a mixture of corporate laptops and personal devices to access their respective cloud services.”
1. Phishing Attacks
The threat actors often used phishing emails with malicious links to steal credentials from the recipient. Some of these emails included a link to what appeared to be a secure message, while others looked like a legitimate file hosting service account login. Once the attackers harvested the credentials, they gained access to the victim’s cloud service account. Then, the attackers sent more phishing emails from the victim’s account to others within the organization. In some instances, the emails contained links to documents appearing to be within the organization’s file hosting service.
2. Port 80 Open
In one instance, the employer did not require a Virtual Private Network (VPN) to access the corporate network. Despite having the terminal server located within their firewall, the firm configured the server with port 80 open for remote employee access. Attackers attempted to exploit this vulnerability through brute force login attempts.
3. Exploit Of Forwarding Rules
In several cases, the CISA noticed attackers taking advantage of email forwarding rules, which users set up to forward work emails to their personal email accounts.
In one case, the threat actors modified a forwarding rule on the victim’s account to redirect emails to an email controlled by the malefactors. Another observation was that attackers changed existing rules to search users’ email messages (subject and body) for several finance-related keywords and then forward those emails to the cybercriminals.
In addition to exploiting existing rules, attackers created new mailbox rules that forwarded specific messages received by the users to their Really Simple Syndication (RSS) Feeds or RSS Subscription Folder in an attempt to prevent victims from seeing warnings.
4. Bypass Of Authentication
In one instance, threat actors successfully bypassed the multi-factor authentication in place on one victim’s account. CISA believes that attackers used browser cookies to defeat MFA through a “pass-the-cookie” attack.
In other instances, CISA credits MFA for thwarting several brute force attempts on different accounts.
Recommendations To Strengthen Cloud Security
The report then contains a lengthy list of recommendations for organizations to strengthen their cloud security practices, notably:
- Enforce multi-factor authentication (MFA).
- Routinely review user-created email forwarding rules and alerts, or restrict forwarding.
- Establish a baseline for regular network activity within your environment.
- Consider a policy that does not allow employees to use personal devices for work. At a minimum, use a trusted mobile device management solution.
- Consider restricting users from forwarding emails to accounts outside of your domain.
- Focus on awareness and training. Make employees aware of the threats—such as phishing scams—and how cybercriminals deliver them. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
- Establish blame-free employee reporting and ensure that employees know who to contact when they see suspicious activity or believe they have been a cyberattack victim. This will ensure that the organization can employ the established mitigation strategy quickly and efficiently.
- Ensure existing built-in filtering and detection products (e.g., enabling those for spam, phishing, malware, and safe attachments and links).
Consider partnering with a reputable managed IT services provider such as Design2Web. By doing this, you can protect your organization from external threats such as hackers from breaching your firm. Contact us today and see how we can strengthen your organization’s security.
Comments are closed.