CISA warns of recent successful cyberattacks against cloud service accounts

The US CISA revealed that several recent successful cyberattacks against various organizations’ cloud services.

The Cybersecurity and Infrastructure Security Agency (CISA) announced that several recent successful cyberattacks hit various organizations’ cloud services.

According to the agency, the attackers conducted phishing campaigns and exploited poor cyber hygiene practices of the victims in the management of cloud services configuration.

CISA has published a report that includes information collected exclusively from several CISA incident response engagements, these data are extremely precious because detail the tactics, techniques, and procedures used by threat actors and indicators of compromise (IOCs). Data in the Analysis Report is not explicitly tied to the supply chain attack on SolarWinds Orion Platform software.

“The cyber threat actors involved in these attacks used a variety of tactics and techniques—including phishing, brute force login attempts, and possibly a “pass-the-cookie” attack—to attempt to exploit weaknesses in the victim organizations’ cloud security practices.” reads the report published by CISA.

The US revealed that threat actors bypassed multi-factor authentication (MFA) authentication protocols to compromise cloud service accounts.

Attackers may have used browser cookies to defeat MFA with a “pass-the-cookie” attack ([T1550.004]).

Government experts confirmed that the threat actors initially attempted brute force logins on some accounts without success.

At least in one case, the attackers modified or set up email forwarding rules to redirect the emails to an account under their control.

Threat actors also modified existing rules to search users’ email messages (subject and body) for keywords that could allow them to identify messages containing sensitive data (i.e. Financial information) and forward them to their accounts.

“In addition to modifying existing user email rules, the threat actors created new mailbox rules that forwarded certain messages received by the users (specifically, messages with certain phishing-related keywords) to the legitimate users’ Really Simple Syndication (RSS) Feeds or RSS Subscriptions folder in an effort to prevent warnings from being seen by the legitimate users,” continues CISA.

The FBI also warned US organizations about scammers abusing auto-forwarding rules on web-based email clients in Business Email Compromise (BEC) attacks.

Last week, Cybersecurity and Infrastructure Security Agency (CISA) revealed that threat actors behind the SolarWinds supply chain attack also employed common hacker techniques to compromise the networks of the targeted organizations, including password guessing and password spraying.

CISA also added that inappropriately secured administrative credentials accessible via external remote access services were abused by the attackers.

CISA added that it is investigating incidents in which threat actors abused the Security Assertion Markup Language (SAML) tokens.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Golang-based worm)

[adrotate banner=”5″]

[adrotate banner=”13″]