Some vulnerabilities are buried deep in code. Others sit right under the noses of infosec pros.
One example is the opening created by so-called system accounts: automated email accounts, often set up in Microsoft Exchange, that integrate corporate email with other software such as administrative tools, marketing automation and sales automation platforms.
These accounts don’t necessarily have an end user behind them. As a result, they often aren’t protected by the same password rules that admins apply to other accounts.
The attack vector was discovered by Skyhigh Networks, a cloud access security broker (CASB), which publicized its finding earlier this month.
“In early May our machine learning algorithm started spitting out some anomalous activity,” Sekhar Sarukkai, the company’s chief scientist, said in an interview. That activity included failed login attempts on customers’ Office 365 system accounts. The attempts were traced back to a set of internet addresses that Skyhigh says belong to a botnet assembled from compromised devices in 16 countries, which the company has dubbed “KnockKnock.”
“These are typically used for automation – for example Salesforce — with an inbox with Exchange for email,” Sarukkai said. Typically, when such an integration is initiated, a one-time step creates the system account, and some of these accounts may have escalated privileges. “Because these are core to the business process but are created once, typically they are created without multifactor authentication and then forgotten. They are very good candidates for a hacker because the passwords aren’t changed often and a lot of the good governance policies like ensuring good password practices don’t take these into account.”
If an attacker gains access to the account, they will siphon anything of value from the inbox and set up forwarding rules that relay incoming messages to the attacker. A phishing campaign sent from the compromised account then follows, aimed at further penetration of the enterprise.
“This is the first time we’ve seen a pervasive attack on system accounts focused on Office 365, or any other cloud service,” Sarukkai said.
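The pattern Skyhigh describes (failed logins against system accounts arriving from many unrelated addresses, then a successful login) is something a defender can look for in their own sign-in logs. The following Python script is an added illustration, not Skyhigh’s detector or any Microsoft tooling: it runs over a few constructed sign-in records in a simplified format (timestamp, account, source IP, country, result), flags accounts whose failed logins are spread across several countries, notes whether a success followed those failures, and marks whether the target is a known system account. The log format, the inventory of system accounts and the three-country threshold are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample sign-in records (not real data). Fields:
# timestamp, account, source IP, source country, result
SAMPLE_LOG = """\
2017-05-02T01:12:03Z svc-salesforce@example.com 203.0.113.10 BR FAIL
2017-05-02T01:12:09Z svc-salesforce@example.com 198.51.100.7 IN FAIL
2017-05-02T01:12:15Z svc-salesforce@example.com 192.0.2.44 CN FAIL
2017-05-02T01:12:21Z svc-salesforce@example.com 203.0.113.88 RU FAIL
2017-05-02T01:12:40Z svc-salesforce@example.com 198.51.100.200 TR SUCCESS
2017-05-02T01:13:01Z alice@example.com 192.0.2.10 CA FAIL
2017-05-02T01:13:07Z alice@example.com 192.0.2.10 CA SUCCESS
2017-05-02T01:14:00Z svc-marketing@example.com 203.0.113.5 BR FAIL
2017-05-02T01:14:30Z svc-marketing@example.com 203.0.113.6 BR FAIL
"""

# Constructed inventory of automation/system accounts (assumption for the example).
SYSTEM_ACCOUNTS = {"svc-salesforce@example.com", "svc-marketing@example.com"}


@dataclass
class AccountActivity:
    """Per-account tally built while scanning the log in order."""
    failures: int = 0
    fail_ips: set = field(default_factory=set)
    fail_countries: set = field(default_factory=set)
    success_after_failures: bool = False


def parse_line(line):
    """Split one whitespace-separated record into its five fields."""
    ts, account, ip, country, result = line.split()
    return ts, account, ip, country, result


def analyze(log_text, system_accounts, min_countries=3):
    """Return findings for accounts whose failed logins come from at least
    `min_countries` distinct countries, i.e. a distributed, botnet-like
    pattern rather than one user mistyping a password."""
    activity = defaultdict(AccountActivity)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, account, ip, country, result = parse_line(line)
        a = activity[account]
        if result == "FAIL":
            a.failures += 1
            a.fail_ips.add(ip)
            a.fail_countries.add(country)
        elif result == "SUCCESS" and a.failures:
            # A success that follows earlier failures is the moment
            # an account may have changed hands.
            a.success_after_failures = True

    findings = {}
    for account, a in activity.items():
        if len(a.fail_countries) < min_countries:
            continue
        findings[account] = {
            "system_account": account in system_accounts,
            "failed_attempts": a.failures,
            "source_ips": len(a.fail_ips),
            "countries": sorted(a.fail_countries),
            "possible_takeover": a.success_after_failures,
        }
    return findings


if __name__ == "__main__":
    for account, info in analyze(SAMPLE_LOG, SYSTEM_ACCOUNTS).items():
        print(account, info)
```

In the sample, only the Salesforce integration account trips the rule: four failures from four addresses in four countries, followed by a success from yet another address. Alice’s single mistyped password and the two same-country failures against the marketing account stay below the threshold, which is the point of keying on geographic spread rather than raw failure counts.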
He warns that infosec pros need to root out these accounts and monitor them for changes in password rules. Admins need to treat these accounts as if they were owned by people and ensure all governance policies around password validation and reset apply to them.
Applying multifactor authentication will also help; Microsoft Active Directory allows MFA to be applied to system accounts.
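The advice above amounts to a checklist: every system account should have an owner, MFA, a password that is actually rotated, and no forwarding rule pointing outside the organization. As an added example (not code from Skyhigh or Microsoft), the Python script below applies that checklist to a constructed inventory of accounts. The inventory structure, the 90-day password age limit and the list of internal domains are assumptions for the example; in practice the inventory would be exported from the directory and mailbox configuration.

```python
from datetime import date

# Constructed list of domains considered internal (assumption for the example).
INTERNAL_DOMAINS = {"example.com"}

# Constructed inventory of system accounts (not real data). Each entry records
# whether MFA is on, when the password was last set, who owns the account and
# which addresses its inbox rules forward mail to.
INVENTORY = [
    {
        "account": "svc-salesforce@example.com",
        "mfa_enabled": False,
        "password_last_set": date(2015, 3, 1),
        "owner": None,
        "forwarding": ["crm-sync@example.com", "collector@example.net"],
    },
    {
        "account": "svc-marketing@example.com",
        "mfa_enabled": True,
        "password_last_set": date(2017, 4, 15),
        "owner": "bob@example.com",
        "forwarding": [],
    },
    {
        "account": "svc-hr@example.com",
        "mfa_enabled": False,
        "password_last_set": date(2017, 1, 10),
        "owner": "carol@example.com",
        "forwarding": [],
    },
]


def is_external(address, internal_domains):
    """True when the address's domain is not one of ours."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in internal_domains


def audit(accounts, today, max_password_age_days=90, internal_domains=INTERNAL_DOMAINS):
    """Return {account: [issue, ...]} for every account that fails at least
    one of the governance checks the article recommends."""
    report = {}
    for acct in accounts:
        issues = []
        if acct["owner"] is None:
            issues.append("NO_OWNER")           # nobody is accountable for it
        if not acct["mfa_enabled"]:
            issues.append("NO_MFA")             # password alone guards the account
        age = (today - acct["password_last_set"]).days
        if age > max_password_age_days:
            issues.append("STALE_PASSWORD")     # never rotated since creation
        if any(is_external(addr, internal_domains) for addr in acct["forwarding"]):
            issues.append("EXTERNAL_FORWARDING")  # mail leaving the organization
        if issues:
            report[acct["account"]] = issues
    return report


if __name__ == "__main__":
    for account, issues in audit(INVENTORY, date(2017, 5, 15)).items():
        print(account, ", ".join(issues))
```

Run against the sample on 15 May 2017, the Salesforce account fails every check, including an inbox rule that forwards mail to an outside domain, which is exactly the post-compromise artefact described earlier in the article; the HR account has no MFA and a password older than 90 days; the marketing account passes.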