According to CISA, it has verified one of the users had their account breached even though they were using “proper multi-factor authentication (MFA).”
Last year, it was reported that threat actors have been using legitimate tools to compromise cloud-based assets. Now, the US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to alert remote workers using cloud accounts about a possible security breach.
According to CISA, cybercriminals have identified a way to bypass multi-factor authentication (MFA) and are now targeting cloud service accounts.
Hackers Bypassed MFA
On Wednesday, the US cybersecurity agency revealed in an official statement that there had been multiple “successful cyberattacks against various organizations’ cloud services.” CISA stated that attackers target personal and corporate laptops with brute force and phishing attacks, as well as a “pass-the-cookie” attack, to gain access to cloud accounts.
Versatile Tactics Used to Hijack Cloud Accounts
According to CISA, the latest surge in cyberattacks against cloud services isn’t the work of a single threat actor or group, but the agency has identified several common tactics used in this campaign. For instance, attackers use spoofed versions of file hosting services or other legitimate vendors to obtain login information, then use the hijacked cloud accounts to phish other users in the organization.
“The cyber actors designed emails that included a link to what appeared to be a secure message and also emails that looked like a legitimate file hosting service account login. After a targeted recipient provided their credentials, the threat actors then used the stolen credentials to gain Initial Access [TA0001] to the user’s cloud service account,” the agency wrote.
The agency also noted that some attackers modify email forwarding and keyword search rules. This is mostly done by BEC attackers who need to monitor email communications with suppliers and to hide phishing warnings from the account owner.
In one case, a VPN server was configured with port 80 open and was targeted with brute force login attempts. Attackers bypassed MFA in several of the incidents; in one of them, they used stolen browser cookies (a pass-the-cookie attack) to get past MFA.
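The forwarding and keyword-rule tampering described above is visible in mailbox audit records, so a defender can flag it. The following is an added example (not from CISA’s alert): it scans constructed audit events shaped like Exchange Online inbox-rule operations for rules that forward mail to an external domain or that delete messages containing warning words; the domain list, keyword list and sample events are assumptions.

```python
from typing import Iterable

# Assumed: the organisation's own mail domains.
INTERNAL_DOMAINS = {"example.com"}
# Words a BEC-style rule typically targets: security warnings and supplier/payment traffic.
SUSPICIOUS_WORDS = {"phish", "phishing", "suspicious", "hacked", "invoice", "payment", "wire"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
KEYWORD_PARAMS = {"SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"}

def _params(event: dict) -> dict:
    """Flatten the Parameters list of an audit record into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}

def _external(addresses: str) -> list:
    """Return the recipients whose domain is not one of ours."""
    out = []
    for addr in addresses.replace(";", ",").split(","):
        addr = addr.strip().strip('"')
        if "@" in addr and addr.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS:
            out.append(addr)
    return out

def flag_suspicious_inbox_rules(events: Iterable[dict]) -> list:
    """Return one finding per rule-creation/modification event that looks like BEC tampering."""
    findings = []
    for ev in events:
        if ev.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
            continue
        p = _params(ev)
        reasons = []
        for name in sorted(p.keys() & FORWARD_PARAMS):
            ext = _external(p[name])
            if ext:
                reasons.append(f"{name} to external {ext}")
        words = {w.strip().lower() for n in p.keys() & KEYWORD_PARAMS for w in p[n].split(",")}
        hits = words & SUSPICIOUS_WORDS
        if hits and (p.get("DeleteMessage") == "True" or p.get("MoveToFolder")):
            reasons.append(f"hides messages matching {sorted(hits)}")
        if reasons:
            findings.append({"user": ev["UserId"], "rule": p.get("Name", "?"), "reasons": reasons})
    return findings

# Constructed sample audit events (not real log data).
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "Parameters": [
        {"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "drop@attacker-mail.example"},
        {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com", "Parameters": [
        {"Name": "Name", "Value": "cleanup"}, {"Name": "DeleteMessage", "Value": "True"},
        {"Name": "SubjectOrBodyContainsWords", "Value": "phishing,hacked,suspicious"}]},
    {"Operation": "New-InboxRule", "UserId": "carol@example.com", "Parameters": [
        {"Name": "Name", "Value": "to-finance"}, {"Name": "ForwardTo", "Value": "finance@example.com"}]},
]
```

Running `flag_suspicious_inbox_rules(SAMPLE_EVENTS)` flags the first two rules and leaves the internal forward alone; in practice the user and rule name would be fed to the conditional access and MFA review the agency recommends.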
No Link with SolarWinds Supply Chain Attack
CISA pointed out that this campaign is unrelated to the SolarWinds supply chain attack, which is suspected to be the work of Russian state-sponsored cybercriminals. The agency did observe that the logins used by the threat actors originated from foreign locations, but it is possible that they are using Tor (The Onion Router) or a proxy server to hide their true location.
Given the number of attacks launched against cloud services, the agency was compelled to alert remote workers. To improve cloud security practices, CISA recommends that organizations strengthen conditional access policies and MFA, limit email forwarding, restrict privileged access, and train users.
Furthermore, remote employees should avoid using personal devices for work or use mobile device management tools to mitigate the threat.