Cyber criminals bypassing MFA to access cloud service accounts
Pass-the-cookie attacks help sidestep organizational security
In a report, the CISA said it was aware of several recent successful cyber attacks against various organizations’ cloud services. Hackers used “phishing and other vectors to exploit poor cyber hygiene practices within a victims’ cloud services configuration.”
"The cyber threat actors involved in these attacks used a variety of tactics and techniques—including phishing, brute force login attempts, and possibly a 'pass-the-cookie' attack—to attempt to exploit weaknesses in the victim organizations’ cloud security practices,” said the report’s authors.
While brute force attacks using username and password combinations often fail because an organization had MFA enabled, CISA said in one incident, hackers successfully signed into a user’s account, despite MFA being enabled. In this case, CISA believed the threat actors may have used browser cookies to defeat MFA with a “pass-the-cookie” attack. Such attacks hijack an authenticated session using stolen cookies to access web applications or online services.
In another attack, CISA observed threat actors collecting sensitive information by taking advantage of email forwarding rules, which users had set up to forward work emails to their personal email accounts.
“In one case, CISA determined that the threat actors modified an existing email rule on a user’s account—originally set by the user to forward emails sent from a certain sender to a personal account—to redirect the emails to an account controlled by the actors. The threat actors updated the rule to forward all email to the threat actors’ accounts,” said the report.
CISA also observed hackers creating new mailbox rules that forwarded certain messages received by the users—specifically, messages with certain phishing-related keywords—to the legitimate users’ Really Simple Syndication (RSS) Feeds or RSS Subscriptions folder to prevent warnings from being seen by the legitimate users.
CISA added that these attacks were “not explicitly tied to any one threat actor or known to be specifically associated with the advanced persistent threat actor attributed with the compromise of SolarWinds Orion Platform software and other recent activity.”
Eyal Wachsman, co-founder & CEO at BAS provider Cymulate, told ITPro that user authentication and credentials had become the new enterprise security perimeter. With many employees working remotely and accessing cloud services, they have become a lucrative target for attacks.
“Pass-the-Cookie attacks require a successful breach of the end user's workstation, and whether they are a personal device or an organization’s, assets have become a headache to secure for CISOs. They are challenged to enforce patching on these workstations and detection systems are blindsided with partial visibility leaving them extremely vulnerable. Added to the mix are well crafted Spear Phishing attacks that introduce malware or steal credentials through social engineering,” Wachsman said.
Wachsman added that to prevent these attacks, companies must increase phishing awareness. Employees should also log out from cloud services when they’re not using them, and companies should set the services to automatically kill inactive sessions, even for short periods.
“Becoming aware of your security posture is critical to discover and fix the weaknesses they find,” he said.
Niamh Muldoon, global data protection officer at OneLogin, told ITPro that security culture and maintaining security consciousness with your entire organization and end users is critical for identifying and responding to security threats, and following security processes.
“Access control processes of provisioning and de-provisioning are great examples that need conscious focus and attention to ensure only those that have a business requirement for access have access and their access is approved, reviewed and monitored per the access control principles of authentication, authorization and assurance principles,” Muldoon said.