Tuesday, June 28, 2022

Warning issued for password control over system accounts

Some vulnerabilities are buried deep in code. Other times a vulnerability is right under the noses of infosec pros.

One example is the opening created by so-called system accounts: automated email accounts set up in Microsoft Exchange to integrate with corporate email systems, such as administrative accounts and the mailboxes used by marketing automation and sales automation software.

These accounts don’t necessarily have an end user behind them. As a result, they aren’t protected by the same password rules that admins apply to other accounts.

The discovery of the attack vector was made by Skyhigh Networks, a cloud access security broker (CASB), which earlier this month publicized its finding.

“In early May our machine learning algorithm started spitting out some anomalous activity,” Sekhar Sakurrai, the company’s chief scientist, said in an interview, including failed login attempts on customers’ Office system accounts. These were traced back to a set of internet addresses that Skyhigh says is a botnet assembled from compromised devices in 16 countries, which the company dubs “KnockKnock.”

“These are typically used for automation – for example Salesforce – with an inbox with Exchange for email,” Sakurrai said. Typically, when the integration is initiated, a one-time message creates the system account. Some may have escalated privileges. “Because these are core to the business process but are created once, typically they are created without multifactor authentication and then forgotten. They are very good candidates for a hacker because the passwords aren’t changed often and a lot of the good governance policies like ensuring good password practices don’t take these into account.”

If attackers can access the account, they will siphon everything from the inbox and set up forwarding rules to relay incoming messages to themselves. A phishing campaign then follows to penetrate the enterprise further.

“This is the first time we’ve seen a pervasive attack on system accounts focused on Office 365, or any other cloud service,” Sakurrai said.

He warns that infosec pros need to root out these accounts and monitor them for changes in password rules. Admins need to treat these accounts as if they were owned by people and ensure all governance policies around password validation and reset apply to them.

Applying multifactor authentication will help. Microsoft Active Directory allows MFA to be applied to system accounts.
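The three defender-side checks the article implies (spotting failed logins against one account from many source addresses, catching newly created mail-forwarding rules, and finding system accounts with no MFA or a stale password) can be scripted against exported logs and an account inventory. The block below is an added illustration written for this page, not code from Skyhigh or Microsoft. The sign-in records, mailbox audit records and account inventory are constructed samples using documentation address ranges; the field names (`user`, `ip`, `success`, `op`, `params`, `pwd_last_set`) are assumptions and not an Office 365 log schema, although the forwarding parameter names (`ForwardTo`, `RedirectTo`, `ForwardingSmtpAddress` and the rest) are real Exchange cmdlet parameters.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2022, 6, 28, tzinfo=timezone.utc)

# Constructed sign-in records: one service account is probed from six
# distinct addresses, another only from a single address.
SIGNIN_EVENTS = [
    {"user": "salesforce-sync@example.com", "ip": f"198.51.100.{i}", "success": False}
    for i in range(1, 7)
] + [
    {"user": "marketing-bot@example.com", "ip": "203.0.113.5", "success": False},
    {"user": "marketing-bot@example.com", "ip": "203.0.113.5", "success": False},
    {"user": "marketing-bot@example.com", "ip": "192.0.2.10", "success": True},
    {"user": "alice@example.com", "ip": "192.0.2.20", "success": True},
]

# Constructed mailbox audit records (simplified shape; "op" mirrors the
# Exchange cmdlet that produced the change).
MAILBOX_AUDIT = [
    {"user": "salesforce-sync@example.com", "op": "New-InboxRule",
     "params": {"ForwardTo": "collector@example.net"}},
    {"user": "alice@example.com", "op": "New-InboxRule",
     "params": {"MoveToFolder": "Receipts"}},
    {"user": "marketing-bot@example.com", "op": "Set-Mailbox",
     "params": {"ForwardingSmtpAddress": "smtp:drop@example.net"}},
]

# Constructed account inventory: MFA state and last password change.
ACCOUNTS = [
    {"upn": "salesforce-sync@example.com", "is_service": True, "mfa": False,
     "pwd_last_set": NOW - timedelta(days=400)},
    {"upn": "marketing-bot@example.com", "is_service": True, "mfa": True,
     "pwd_last_set": NOW - timedelta(days=30)},
    {"upn": "alice@example.com", "is_service": False, "mfa": True,
     "pwd_last_set": NOW - timedelta(days=10)},
]

# Exchange parameters that send a copy of mail somewhere else.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}


def distributed_failures(events, min_sources=5):
    """Map each account whose failed logins came from at least
    min_sources distinct IPs to that IP count (the KnockKnock pattern:
    many sources, one target)."""
    failed_ips = defaultdict(set)
    for ev in events:
        if not ev["success"]:
            failed_ips[ev["user"]].add(ev["ip"])
    return {u: len(ips) for u, ips in failed_ips.items() if len(ips) >= min_sources}


def forwarding_changes(audit):
    """Return (user, op, forwarding params) for every audit record that
    created or changed an outbound forwarding target."""
    hits = []
    for rec in audit:
        targets = {k: v for k, v in rec["params"].items() if k in FORWARDING_PARAMS}
        if targets:
            hits.append((rec["user"], rec["op"], targets))
    return hits


def hygiene_findings(accounts, now=NOW, max_age_days=90):
    """Flag service accounts that lack MFA or whose password is older
    than max_age_days, i.e. accounts the governance policy skipped."""
    findings = {}
    for acct in accounts:
        if not acct["is_service"]:
            continue
        issues = []
        if not acct["mfa"]:
            issues.append("no-mfa")
        if (now - acct["pwd_last_set"]).days > max_age_days:
            issues.append("stale-password")
        if issues:
            findings[acct["upn"]] = issues
    return findings


if __name__ == "__main__":
    print("distributed failed logins:", distributed_failures(SIGNIN_EVENTS))
    print("forwarding changes:", forwarding_changes(MAILBOX_AUDIT))
    print("hygiene findings:", hygiene_findings(ACCOUNTS))
```

The threshold of five distinct source addresses is arbitrary; in practice it is tuned against a baseline of how many addresses a given integration normally signs in from. The forwarding check deliberately keys on the parameter rather than the cmdlet, because both inbox rules and mailbox-level settings can redirect mail.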


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
