In an advisory issued on Wednesday, CISA (Cybersecurity and Infrastructure Security Agency) revealed that hackers have been employing successful phishing campaigns, brute force login attempts, and potentially pass-the-cookie attacks to exploit weaknesses in cloud security practices. In a pass-the-cookie attack, hackers steal cookies from a user’s browsing session so they can then access a certain site as the victim.
Based on CISA’s analysis, these kinds of attacks often occur when an organization’s employees work remotely and use a combination of corporate machines and personal devices to sign into different cloud services. Even where the organizations and their users have proper security controls in place, weak cyber hygiene habits elsewhere pave the way for hackers to pull off successful cyberattacks. In the observed phishing campaigns, attackers sent emails with malicious links to try to capture login credentials for cloud service accounts. The emails appeared to come from a legitimate file hosting service, while the links seemed to point to secure messages, all in an attempt to trick the user. The attackers were then able to use the compromised accounts to send phishing emails to other employees within the targeted organization.
Weak cyber hygiene habits leave organizations more vulnerable to attack. In one instance, an organization failed to require a VPN to access its network. Though the terminal server was located inside the firewall, it was configured with port 80 open to allow for remote connections from employees. As a result, the hacker was able to exploit this flaw by launching brute force attacks. In several other cases, remote workers set up email forwarding rules to automatically forward work emails to their personal accounts. By exploiting these rules, attackers were able to steal sensitive information. In one specific instance, the attackers found an existing rule that forwarded work emails to the receiver’s personal account and modified it to redirect the emails to their own account.
What to do?
- Implement conditional access (CA) policies based on your organization’s needs.
- Establish a baseline for normal network activity within your environment.
- Routinely review both Active Directory sign-in logs and unified audit logs for anomalous activity.
- Enforce multi-factor authentication.
- Routinely review user-created email forwarding rules and alerts, or restrict forwarding. Consider restricting users from forwarding emails to accounts outside of your domain.
- Focus on awareness and training. Make employees aware of the threats, such as phishing scams, and how they are delivered.
- Establish blame-free employee reporting and ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack.
- Consider a policy that does not allow employees to use personal devices for work. At a minimum, use a trusted mobile device management solution.
- Have a mitigation plan or procedures in place. Understand when, how, and why to reset passwords and to revoke session tokens.
- Verify that all cloud-based virtual machine instances with a public IP do not have open Remote Desktop Protocol (RDP) ports. Place any system with an open RDP port behind a firewall and require users to use a VPN to access it through the firewall.
Further, organizations that use Microsoft 365 should consider the following steps:
- Assign a few trusted users as electronic discovery (or eDiscovery) managers to conduct forensic content searches across the entire Microsoft 365 environment for evidence of malicious activity.
- Disable PowerShell remoting to Exchange Online for regular Microsoft 365 users to lower the risk of a compromised account being used to access tenant configurations for reconnaissance.
- Do not allow an unlimited amount of unsuccessful login attempts. Look into password smart lockout configuration and sign-in activity reports.
- To investigate and audit intrusions and potential breaches, consider tools such as Sparrow or Hawk, which are open-source PowerShell-based tools used to gather information related to Microsoft 365.
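The forwarding-rule review and the unified audit log review recommended above can be combined: the audit log records every inbox-rule or mailbox change made through Exchange cmdlets, so a scan for forwarding targets outside the organization's domains surfaces exactly the kind of modified rule described in the advisory. The following is an added example, not code from CISA or from the Sparrow/Hawk tools; it assumes records in the shape of the AuditData JSON of unified audit log entries (Operation, UserId, CreationTime, and a Parameters list of Name/Value pairs), with the internal domain set and the sample entries constructed for illustration.

```python
import json
import re

# Assumed for this example: the organization's own domains. Replace with your tenant's.
INTERNAL_DOMAINS = {"example.com"}
# Cmdlet parameters that make mail leave a mailbox, as logged in Parameters[].Name.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
# Targets are logged in varying shapes (bare address, "[SMTP:addr]"), so extract addresses.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def external_recipients(value):
    """Addresses in a logged parameter value whose domain is not one of ours."""
    return [a for a in EMAIL_RE.findall(value)
            if a.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS]

def find_external_forwarding(audit_records):
    """Flag parsed AuditData records that create or change forwarding to outside domains."""
    findings = []
    for rec in audit_records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        for param in rec.get("Parameters", []):
            if param.get("Name") not in FORWARDING_PARAMS:
                continue
            targets = external_recipients(str(param.get("Value", "")))
            if targets:  # a forward that stays inside our domains is not flagged
                findings.append({"time": rec.get("CreationTime"), "actor": rec.get("UserId"),
                                 "operation": rec["Operation"], "parameter": param["Name"],
                                 "external_targets": targets})
    return findings

def scan_audit_data_lines(lines):
    """Each line is the AuditData JSON string of one unified audit log entry."""
    return find_external_forwarding(json.loads(line) for line in lines)

# Constructed sample entries (not real audit data), in the assumed AuditData shape.
SAMPLE_AUDIT_DATA = [
    json.dumps({"CreationTime": "2021-01-10T08:12:44", "Operation": "New-InboxRule",
                "UserId": "alice@example.com", "Workload": "Exchange",
                "Parameters": [{"Name": "Name", "Value": "Archive"},
                               {"Name": "MoveToFolder", "Value": "Archive"}]}),
    json.dumps({"CreationTime": "2021-01-11T02:03:17", "Operation": "Set-InboxRule",
                "UserId": "alice@example.com", "Workload": "Exchange",
                "Parameters": [{"Name": "Identity", "Value": "Home copy"},
                               {"Name": "ForwardTo", "Value": "[SMTP:collector@attacker-mail.invalid]"}]}),
]
```

Only the second sample entry is reported, since the first creates a rule that merely moves mail to a folder; run the result through the same review as any other anomalous sign-in or mailbox activity, and treat a rule edited outside working hours, as in the constructed sample, as a prompt to reset the password and revoke session tokens.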