CISA: Poor Cyber Hygiene Exploited to Compromise Cloud Security Services

January 14, 2021 - Threat actors are successfully exploiting organizations with poor cyber hygiene to compromise cloud security services, according to a new Department of Homeland Security Cybersecurity and Infrastructure Security Agency alert.

CISA is aware of multiple, recent cyberattacks against a range of enterprise cloud services. Hackers are leveraging various tactics and techniques, such as phishing attacks and brute force login attempts, in an effort to exploit weaknesses in cloud security practices.

It’s also possible the threat actors are using “pass-the-cookie” attacks to exploit weaknesses. These attacks are typically launched within the Active Directory domain. 

When an entity employs multi-factor authentication on top of web applications, the user is prompted to provide further proof of their identity, such as push notifications on their mobile device. Once a user successfully passes the authentication tests, they’re given access and the browser creates a cookie that is stored for the user’s session.

In a pass-the-cookie attack, the malicious actor extracts the right browser cookies needed for authentication and gains access as another user in a separate browser on another system -- bypassing MFA in the process.

READ MORE: Ransomware Groups Team Up, as Hackers Shift into Cloud Operations

For one victim, CISA found a hacker successfully signed into an account with proper MFA by leveraging this technique.

Overall, the successful attacks observed by CISA frequently involved victim organizations with remote workforce members that used a combination of corporate laptops and personal devices when accessing respective cloud resources.

“Despite the use of security tools, affected organizations typically had weak cyber hygiene practices that allowed threat actors to conduct successful attacks,” CISA researchers explained.

For the phishing attacks related to these campaigns, hackers are embedding malicious links into the emails that are designed to harvest credentials for the user’s cloud service accounts. The links appear to be secure messages, or those that look like legitimate file hosting service account logins.

Once the user provides their login credentials, the hackers use them to gain initial access to the user’s cloud service account. CISA noted that the actors appear to originate from foreign locations, “although the actors could have been using a proxy or The Onion Router (Tor) to obfuscate their location.”

READ MORE: OCR Updates HIPAA Resource for mHealth Apps, Cloud Computing

“The actors then sent emails from the user’s account to phish other accounts within the organization. In some cases, these emails included links to documents within what appeared to be the organization’s file hosting service,” researchers explained.

“In one case, an organization did not require a virtual private network (VPN) for accessing the corporate network,” they added. “Although their terminal server was located within their firewall, due to remote work posture, the terminal server was configured with port 80 open to allow remote employees to access it—leaving the organization’s network vulnerable.”

As such, the hacker attempted to exploit that massive flaw using brute force login attempts.

CISA has also observed hackers gathering sensitive information from victims by exploiting email forwarding rules, set up by users to forward work emails to personal accounts. By modifying an existing email rule, these hackers then redirected the emails to an account controlled by the actors.

Then, they updated the rule to forward all of the victim’s emails to threat actor accounts. In similar attacks, the actors were observed modifying existing rules to search users’ email messages for finance-related keywords. The emails were then forwarded to hacker-controlled accounts.

READ MORE: Cloud Mitigation for Ransomware, as COVID-19 Spurs Cyberattacks

The hackers are employing similar tactics to existing user email rules, including the mailbox.

In response, enterprise organizations are being asked to review the technical details and indicators of compromise outlined in newly released CISA guidance. CISA researchers analyzed data from several of these successful attacks to created the detailed report, designed to support entities in their defense and response efforts.

The analysis report, Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services, is designed to provide administrators with the necessary tools to detect and respond to attacks on cloud elements.

Administrators can also find recommended mitigation strategies for strengthening their cloud environment configurations, which will support protection, detection,and response to potential attacks.

The CISA recommendations include implementing conditional access policies, establishing a baseline for normal enterprise network activities, and routinely reviewing both Active Directory sign-in logs and unified audit logs for anomalous activity.

The insights also reiterate the importance of employing MFA across all applicable endpoints.

“Focus on awareness and training,” CISA researchers wrote. “Make employees aware of the threats—such as phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.”

“Establish blame-free employee reporting and ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack,” they added. “This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.”

In light of several reports that show healthcare remains a prime hacking target and a rapid increase in attacks on healthcare web applications, entities should review these CISA insights to secure their cloud and remote environments.

Previous insights from 4iQ and CTERA, the Office for Civil Rights, and Trend Micro can also help healthcare entities shore up cloud risks against ransomware hacking risks.