Cyber criminals bypassing MFA to access cloud service accounts

Pass-the-cookie attacks help sidestep organizational security


The US Cybersecurity and Infrastructure Security Agency (CISA) has warned organizations that attackers are bypassing multi-factor authentication (MFA) to breach cloud service accounts.

In an analysis report, CISA said it was aware of several recent successful cyber attacks against various organizations’ cloud services. The attackers used “phishing and other vectors to exploit poor cyber hygiene practices within a victims’ cloud services configuration.”

"The cyber threat actors involved in these attacks used a variety of tactics and techniques—including phishing, brute force login attempts, and possibly a 'pass-the-cookie' attack—to attempt to exploit weaknesses in the victim organizations’ cloud security practices,” said the report’s authors.

Brute force attempts using username and password combinations often failed because the targeted organization had MFA enabled, but CISA said that in one incident the attackers signed into a user’s account despite MFA being turned on. CISA believes the threat actors may have used browser cookies to defeat MFA with a “pass-the-cookie” attack. The session cookie a cloud service sets once a user has completed MFA is stolen, typically from the user’s browser or workstation, and replayed from the attacker’s own machine. Because that cookie is the service’s proof that authentication already happened, the attacker inherits the authenticated session without ever being prompted for a password or a second factor.
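The following is an added example, not code from the CISA report or from any vendor quoted in this article. It models a cloud web application that sets a session cookie after MFA and then shows why a replayed cookie defeats MFA outright, and how binding the session to the client that completed MFA and killing idle sessions changes the outcome. `SessionStore`, `IDLE_TIMEOUT`, the IP addresses and the user-agent strings are this example’s own assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed model of a cloud web service that sets a session cookie once a user has
# passed MFA. SessionStore, IDLE_TIMEOUT and the hosts/IPs below are this example's own
# names and sample values, not anything from the CISA report.

IDLE_TIMEOUT = 15 * 60  # seconds an unused session survives before it is killed


class SessionStore:
    def __init__(self, bind_to_client, idle_timeout=IDLE_TIMEOUT):
        self.sessions = {}
        self.bind_to_client = bind_to_client
        self.idle_timeout = idle_timeout

    @staticmethod
    def _fingerprint(ip, user_agent):
        # Hypothetical binding: tie the session to the client that completed MFA.
        return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()

    def login_with_mfa(self, user, password_ok, mfa_ok, ip, user_agent, now):
        """Issue a session cookie only after both factors succeed."""
        if not (password_ok and mfa_ok):
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = {
            "user": user,
            "fingerprint": self._fingerprint(ip, user_agent),
            "last_seen": now,
        }
        return cookie

    def authorize(self, cookie, ip, user_agent, now):
        """Return the user behind a request carrying `cookie`, or None if it is rejected.

        MFA is never re-prompted here: whoever holds the cookie holds the session,
        which is exactly what a pass-the-cookie attack relies on.
        """
        sess = self.sessions.get(cookie)
        if sess is None:
            return None
        if now - sess["last_seen"] > self.idle_timeout:
            del self.sessions[cookie]  # stale session: kill it instead of honouring a late replay
            return None
        presented = self._fingerprint(ip, user_agent)
        if self.bind_to_client and not hmac.compare_digest(sess["fingerprint"], presented):
            del self.sessions[cookie]  # cookie arrived from a different client: treat it as stolen
            return None
        sess["last_seen"] = now
        return sess["user"]


def replay_attack(bind_to_client, delay_seconds):
    """Victim logs in with MFA; a cookie lifted from their browser is replayed from elsewhere.

    Returns the account the attacker lands in, or None if the replay is refused.
    """
    store = SessionStore(bind_to_client=bind_to_client)
    t0 = 1_700_000_000
    cookie = store.login_with_mfa("alice", True, True, "10.0.0.5", "Edge/118", t0)
    # The attacker presents the stolen cookie from their own machine, with no password
    # and no second factor, `delay_seconds` after the victim's last activity.
    return store.authorize(cookie, "203.0.113.7", "curl/8.4", t0 + delay_seconds)


if __name__ == "__main__":
    print("no binding, replay after 2 min:   ", replay_attack(False, 120))      # alice
    print("client binding, replay after 2 min:", replay_attack(True, 120))      # None
    print("no binding, replay after 20 min:  ", replay_attack(False, 20 * 60))  # None
```

With no binding the stolen cookie simply works, two minutes after the victim’s last click and with nothing else presented. Binding to IP and user agent is a coarse heuristic (it breaks for users whose address changes and is spoofable by an attacker who also captures the user-agent string), so treat it as a stand-in for a proper device-bound credential; the durable lesson is that the cookie alone must not be the whole proof of identity, and that a short idle timeout shrinks the window in which a stolen cookie is worth anything.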

In another attack, CISA observed threat actors collecting sensitive information by taking advantage of email forwarding rules, which users had set up to forward work emails to their personal email accounts.

“In one case, CISA determined that the threat actors modified an existing email rule on a user’s account—originally set by the user to forward emails sent from a certain sender to a personal account—to redirect the emails to an account controlled by the actors. The threat actors updated the rule to forward all email to the threat actors’ accounts,” said the report.

CISA also observed attackers creating new mailbox rules that forwarded certain messages received by the users, specifically messages containing phishing-related keywords, to the legitimate users’ Really Simple Syndication (RSS) Feeds or RSS Subscriptions folder, so that security warnings would never be seen by the legitimate users.
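The two mailbox-rule abuses described above (an existing forwarding rule widened and repointed at an attacker-controlled address, and a new rule that buries keyword-matched warnings in an RSS folder) are the kind of thing an audit-log review can catch. The example below is added here and is not part of the CISA report or any vendor’s tooling. The sample events are constructed and only loosely modelled on the shape of Exchange Online mailbox audit records (an operation name plus a list of name/value parameters); the field names, the convention that a cleared sender condition appears as an empty `From`, and the domains and users are all assumptions of this example.

```python
import re

# Constructed sample of mailbox-rule audit events, loosely modelled on the shape of
# Exchange Online mailbox audit records (an Operation plus a list of Name/Value
# parameters). The records, users, domains and the exact field layout are this
# example's own assumptions, not a real log export.
INTERNAL_DOMAIN = "example.com"
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items"}
SUSPICIOUS_WORDS = {"password", "phishing", "suspicious", "security alert",
                    "unusual sign-in", "hacked"}

SAMPLE_EVENTS = [
    # A user forwards mail from one sender to a personal mailbox (the starting point in the report).
    {"UserId": "alice@example.com", "Operation": "New-InboxRule", "ClientIP": "10.0.0.5",
     "Parameters": [{"Name": "Name", "Value": "finance team"},
                    {"Name": "From", "Value": "cfo@example.com"},
                    {"Name": "ForwardTo", "Value": "alice.home@example.net"}]},
    # The same rule edited from an unfamiliar IP: sender condition cleared, new destination.
    {"UserId": "alice@example.com", "Operation": "Set-InboxRule", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Identity", "Value": "finance team"},
                    {"Name": "From", "Value": ""},
                    {"Name": "ForwardTo", "Value": "collector@attacker.example"}]},
    # A rule that buries security warnings in the RSS Subscriptions folder, already marked read.
    {"UserId": "bob@example.com", "Operation": "New-InboxRule", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "phishing;hacked;password"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    # Benign housekeeping rule for comparison.
    {"UserId": "carol@example.com", "Operation": "New-InboxRule", "ClientIP": "10.0.0.9",
     "Parameters": [{"Name": "Name", "Value": "newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]


def params(event):
    """Flatten the Name/Value parameter list into a dict (later entries win)."""
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}


def addresses(value):
    """Pull bare addresses out of a forwarding target, tolerating ';' lists and display names."""
    return re.findall(r"[\w.+-]+@[\w.-]+", value or "")


def analyze(event):
    """Return a list of human-readable findings for one rule event (empty if nothing stands out)."""
    p = params(event)
    findings = []

    # 1. Mail leaving the tenant via a rule.
    for field in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in addresses(p.get(field)):
            if addr.rsplit("@", 1)[1].lower() != INTERNAL_DOMAIN:
                findings.append(f"{field} sends mail outside {INTERNAL_DOMAIN}: {addr}")

    # 2. An existing rule edited so that its sender condition no longer applies,
    #    i.e. what used to match one sender now matches every message.
    if event.get("Operation") == "Set-InboxRule" and "From" in p and not p["From"]:
        findings.append("edited rule drops its sender condition and now matches all mail")

    # 3. Keyword-matched messages moved into a folder nobody reads.
    folder = (p.get("MoveToFolder") or "").strip().lower()
    words = {w.strip().lower()
             for f in ("SubjectContainsWords", "SubjectOrBodyContainsWords", "BodyContainsWords")
             for w in (p.get(f) or "").split(";") if w.strip()}
    hidden = sorted(words & SUSPICIOUS_WORDS)
    if folder in HIDING_FOLDERS and hidden:
        findings.append(f"hides messages mentioning {hidden} in '{p.get('MoveToFolder')}'")

    return findings


def scan(events):
    """Return (user, operation, findings) for every event that produced at least one finding."""
    out = []
    for e in events:
        findings = analyze(e)
        if findings:
            out.append((e["UserId"], e["Operation"], findings))
    return out


if __name__ == "__main__":
    for user, op, findings in scan(SAMPLE_EVENTS):
        print(f"{user} {op}")
        for f in findings:
            print("   -", f)
```

Run against the constructed events, the scan flags Alice’s original personal-forwarding rule, the later edit that drops its sender condition and points it at an outside address, and Bob’s rule that hides keyword-matched mail in RSS Subscriptions, while Carol’s newsletter rule passes. In a real tenant the records would come from the mailbox audit log or from enumerating rules across mailboxes, and the exported parameter names differ from this simplified shape, so the field handling here is an assumption to adapt rather than a drop-in parser.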

CISA added that these attacks were “not explicitly tied to any one threat actor or known to be specifically associated with the advanced persistent threat actor attributed with the compromise of SolarWinds Orion Platform software and other recent activity.”

Eyal Wachsman, co-founder and CEO at breach and attack simulation (BAS) provider Cymulate, told ITPro that user authentication and credentials have become the new enterprise security perimeter. With many employees working remotely and accessing cloud services, those credentials have become a lucrative target for attackers.

“Pass-the-Cookie attacks require a successful breach of the end user's workstation, and whether they are personal devices or the organization’s, these assets have become a headache to secure for CISOs. They are challenged to enforce patching on these workstations, and detection systems are blindsided with partial visibility, leaving them extremely vulnerable. Added to the mix are well-crafted spear-phishing attacks that introduce malware or steal credentials through social engineering,” Wachsman said.

Wachsman added that to prevent these attacks, companies must increase phishing awareness. Employees should also log out of cloud services when they are not using them, and companies should configure those services to automatically kill inactive sessions, even after short periods of inactivity.

“Becoming aware of your security posture is critical to discover and fix the weaknesses they find,” he said.

Niamh Muldoon, global data protection officer at OneLogin, told ITPro that security culture, and maintaining security consciousness across the entire organization including end users, is critical for identifying and responding to security threats and for following security processes.

“Access control processes of provisioning and de-provisioning are great examples that need conscious focus and attention to ensure only those that have a business requirement for access have access, and their access is approved, reviewed and monitored per the access control principles of authentication, authorization and assurance,” Muldoon said.
