Experts maintain that organizations that mandate multifactor authentication as an extra step to protect logins greatly improves their defences. However, it’s not fail-proof.
The latest example is this week’s warning from the U.S. government’s cyber expert that successful hacks have been reported on cloud services, including one that got around MFA, possibly by stealing browser cookies.
The report from the Cybersecurity and Infrastructure Security Agency (CISA) also makes it clear that firms thinking cloud services alone improve security are wrong: “Despite the use of security tools, affected organizations typically had weak cyber hygiene practices that allowed threat actors to conduct successful attacks,” the report says.
“Threat actors are using phishing and other vectors to exploit poor cyber hygiene practices within a victims’ cloud services configuration.”
One thing many cloud attacks have in common, the report adds, is that victim organizations’ employees worked remotely and used a mixture of corporate laptops and personal devices to access the cloud services.
Threat actors often use phishing emails with malicious links to harvest credentials for users’ cloud service accounts. Some included a link to what appeared to be a secure message, while others looked like a legitimate file hosting service account login. After a targeted recipient provided their credentials, the threat actors then used the stolen credentials to gain to the user’s cloud service account. The attackers then sent emails from the user’s account to phish other accounts within the organization. In some cases, these emails included links to documents within the organization’s file hosting service.
Port 80 open
In one case, the report says an organization didn’t require a virtual private network (VPN) for accessing the corporate network. Although their terminal server was located within their firewall due to remote work posture, the terminal server was configured with port 80 open to allow remote employees to access it—leaving the organization’s network vulnerable. The threat actor attempted to exploit this by launching brute force login attempts.
Abuse of email forwarding
In several cases, threat actors collected sensitive information by taking advantage of email forwarding rules, which users had set up to forward work emails to their personal email accounts.
In one case the attackers modified an existing email rule on a user’s account — originally set by the user to forward emails sent from a certain sender to a personal account — to redirect the emails to an account controlled by the actors. The threat actors updated the rule to forward all email to the threat actors’ accounts. Attackers sometimes modified existing rules to search users’ email messages (subject and body) for several finance-related keywords and then and forward the emails to the hackers.
In other cases the threat actors created new mailbox rules that forwarded certain messages received by the users (specifically, messages with certain phishing-related keywords) to the legitimate users’ Really Simple Syndication (RSS) Feeds or RSS Subscriptions folder in an effort to prevent warnings from being seen by the legitimate users.
CISA verified that in one case a threat actor successfully signed into one user’s account with proper multi-factor authentication (MFA). CISA believes the threat actors may have used browser cookies to defeat MFA with a “pass-the-cookie” attack.
On the other hand the agency admits MFA did thwart attempted brute force attacks on some accounts.
The report “is a rude awakening that attackers are seeing personal email accounts as the soft underbelly to corporate environments and are starting to use “pass-the-cookie” techniques to successfully bypass multi-factor authentication,” said Ed Bishop, CTO of security firm Tessian. “While phishing is a persistent threat to company security, the risk posed by people sending emails to personal accounts is often overlooked, and it’s a risk that’s been heightened as people work remotely.”He added that personal accounts are easier to compromise because they are typically only protected by home routers often have remote management APId. Companies should only allow access to corporate cloud infrastructure from known IP addresses, ideally via a corporate VPN endpoint with separate strong authentication or MFA in place.
In addition, businesses must treat remote home networks as untrusted, in the same way they do for airports or coffee shops, and require remote workers to use a VPN for any work-related task. Lastly, it’s important that companies monitor when new forwarding rules are created, and in some cases even disable auto-forwarding rules altogether.
Christian Espinosa, managing director at Cerberus Sentinel, noted that pass-the-cookie attacks aren’t new.
Cookies establish session persistence for web applications, he said in an email, and are placed on a computer whether MFA is used or not. The cookie contains the session ID and access tokens to the web application to avoid constant re-authentication. “This is an inherent flaw in the HTTP protocol and how web applications work. HTTP is a stateless protocol and relies on cookies to maintain state.”
He said the way to mitigate the MFA pass-the-cookie vulnerability is with better cookie management and better user training. Cookies should be set with a short lifespan and for a single session, so when the browser is closed, the cookie is made void. Users should be trained to logoff the web application and close their browser after they are done using the web application. Many users never logoff or close a browser, he noted, which increases risk.
The CISA report includes a long list of recommendations for better security cloud applications. For those using Microsoft Office 365, it specifically recommends:
- Assigning a few (one to three) trusted users as electronic discovery (or eDiscovery) managers to conduct forensic content searches across the entire environment (Mailboxes, Teams, SharePoint, and OneDrive) for evidence of malicious activity.
- Disabling PowerShell remoting to Exchange Online for regular users. Disabling for non-administrative users will lower the likelihood of a compromised user account being used to programmatically access tenant configurations for reconnaissance.
- Don’t allow an unlimited amount of unsuccessful login attempts.
- And consider using a tool such as Sparrow or Hawk, which are open-source PowerShell-based tools used to gather information related to Office 365, to investigate and audit intrusions and potential breaches.