Cyber criminals bypassing MFA to access cloud service accounts

Pass-the-cookie attacks help sidestep organizational security


The US Cybersecurity and Infrastructure Security Agency (CISA) has warned organizations that hackers are bypassing multi-factor authentication (MFA) protocols to breach cloud service accounts.

In a report, the CISA said it was aware of several recent successful cyber attacks against various organizations’ cloud services. Hackers used “phishing and other vectors to exploit poor cyber hygiene practices within a victims’ cloud services configuration.”

"The cyber threat actors involved in these attacks used a variety of tactics and techniques—including phishing, brute force login attempts, and possibly a 'pass-the-cookie' attack—to attempt to exploit weaknesses in the victim organizations’ cloud security practices,” said the report’s authors.

While brute force attacks using username and password combinations often failed because the targeted organizations had MFA enabled, CISA said that in one incident hackers successfully signed into a user’s account despite MFA being enabled. In this case, CISA believed the threat actors may have used browser cookies to defeat MFA with a “pass-the-cookie” attack. Such attacks hijack an already authenticated session by replaying stolen session cookies, so the attacker never has to complete the MFA prompt at all.

In another attack, CISA observed threat actors collecting sensitive information by taking advantage of email forwarding rules, which users had set up to forward work emails to their personal email accounts.

“In one case, CISA determined that the threat actors modified an existing email rule on a user’s account—originally set by the user to forward emails sent from a certain sender to a personal account—to redirect the emails to an account controlled by the actors. The threat actors updated the rule to forward all email to the threat actors’ accounts,” said the report.

CISA also observed hackers creating new mailbox rules that forwarded certain messages received by the users—specifically, messages with certain phishing-related keywords—to the legitimate users’ Really Simple Syndication (RSS) Feeds or RSS Subscriptions folder to prevent warnings from being seen by the legitimate users.
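The two mailbox-rule abuses CISA describes, external forwarding and rules that file security-keyword mail into the RSS folders, can be caught by auditing exported inbox rules. The audit below is an added example, not from the CISA report or ITPro; the rule export format, field names and sample rules are constructed assumptions.

```python
import json

# Constructed sample of exported inbox rules (field names are assumptions).
SAMPLE_RULES = json.dumps([
    {"user": "alice@example.com", "name": "Vendor invoices",
     "conditions": {}, "forward_to": ["alice.home@mail.example"], "move_to": None},
    {"user": "bob@example.com", "name": "Filter",
     "conditions": {"subject_contains": ["phishing", "suspicious"]},
     "forward_to": [], "move_to": "RSS Subscriptions"},
    {"user": "carol@example.com", "name": "Project",
     "conditions": {"from": "pm@example.com"},
     "forward_to": ["carol2@example.com"], "move_to": None},
])

INTERNAL_DOMAINS = {"example.com"}
# Folders users rarely open; the report names the RSS Feeds/RSS Subscriptions folder.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions"}
# Subject keywords that typically appear in security warnings an attacker wants hidden.
WARNING_KEYWORDS = {"phishing", "suspicious", "password", "hacked", "security alert"}


def audit_rules(rules_json, internal_domains=INTERNAL_DOMAINS):
    """Return a list of findings for rules that forward externally or hide warnings."""
    findings = []
    for rule in json.loads(rules_json):
        reasons = []
        # Forwarding to any address outside the organization's own domains.
        for addr in rule.get("forward_to", []):
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain not in internal_domains:
                scope = "all mail" if not rule.get("conditions") else "matching mail"
                reasons.append(f"forwards {scope} to external address {addr}")
        # Moving mail into a rarely viewed folder, worse if keyed on warning keywords.
        folder = (rule.get("move_to") or "").lower()
        keywords = {k.lower() for k in rule.get("conditions", {}).get("subject_contains", [])}
        if folder in HIDING_FOLDERS:
            if keywords & WARNING_KEYWORDS:
                reasons.append(f"moves security-keyword mail into '{rule['move_to']}'")
            else:
                reasons.append(f"moves mail into rarely viewed folder '{rule['move_to']}'")
        if reasons:
            findings.append({"user": rule["user"], "rule": rule["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding["user"], finding["rule"], "; ".join(finding["reasons"]))
```

Running it against the sample flags Alice's unconditional external forward and Bob's RSS-folder rule, while Carol's internal forward is left alone.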

CISA added that these attacks were “not explicitly tied to any one threat actor or known to be specifically associated with the advanced persistent threat actor attributed with the compromise of SolarWinds Orion Platform software and other recent activity.”

Eyal Wachsman, co-founder and CEO at breach and attack simulation (BAS) provider Cymulate, told ITPro that user authentication and credentials had become the new enterprise security perimeter. With many employees working remotely and accessing cloud services, they have become a lucrative target for attacks.

“Pass-the-Cookie attacks require a successful breach of the end user's workstation, and whether they are a personal device or an organization’s, assets have become a headache to secure for CISOs. They are challenged to enforce patching on these workstations and detection systems are blindsided with partial visibility, leaving them extremely vulnerable. Added to the mix are well-crafted Spear Phishing attacks that introduce malware or steal credentials through social engineering,” Wachsman said.

Wachsman added that to prevent these attacks, companies must increase phishing awareness. Employees should also log out from cloud services when they’re not using them, and companies should set the services to automatically kill inactive sessions, even for short periods.

“Becoming aware of your security posture is critical to discover and fix the weaknesses they find,” he said.

Niamh Muldoon, global data protection officer at OneLogin, told ITPro that security culture and maintaining security consciousness with your entire organization and end users is critical for identifying and responding to security threats, and following security processes.

“Access control processes of provisioning and de-provisioning are great examples that need conscious focus and attention to ensure only those that have a business requirement for access have access and their access is approved, reviewed and monitored per the access control principles of authentication, authorization and assurance principles,” Muldoon said.
