CISA Warns of Surge in Attacks Targeting Cloud ServicesAgency's Mitigation Advice Includes Log Reviews, Multifactor Authentication
The U.S. Cybersecurity and Infrastructure Security Agency warns that hackers are increasingly targeting a variety of cloud services by waging phishing schemes and brute-force attacks.
CISA reports in an alert issued Wednesday that attacks targeting cloud services have steadily increased since many organizations switched to a largely remote workforce as a result of the COVID-19 pandemic, with employees using a mix of corporate-owned and personal devices to access these services. Attackers are taking advantage of lax security practices, such as weak passwords and workers accessing data from unsecured laptops.
"Despite the use of security tools, affected organizations typically had weak cyber hygiene practices in place that allowed threat actors to conduct successful attacks," the CISA alert notes.
The report, which does not name organizations or cloud services that have been targeted, says these incidents have not been tied to one specific threat actor, including the group that targeted SolarWinds' Orion network monitoring tool.
CISA, one of several federal agencies investigating the SolarWinds supply chain hack, noted on Jan. 8 that its investigators found that hackers who targeted the company may have used password guess and password spraying techniques to gain additional administrative privileges. This would have allowed the hackers to forge authentication tokens and then gain access to additional cloud resources and environments (see: Kaspersky: SolarWinds Backdoor Similar to Russian 'Kazuar').
The CISA alert follows a December report from the U.S. National Security Agency that found hackers were using two techniques to target cloud resources: abusing compromised authentication tokens and compromising system administration accounts in the Microsoft Azure platform (see: NSA Warns of Hacking Tactics That Target Cloud Resources).
This week’s CISA alert notes that some hackers are using phishing emails to steal credentials from employees so they can compromise cloud resources. In many cases, the malicious messages appear to originate from overseas IP addresses and domains, but attackers can easily route the traffic through a proxy server or Tor-based network to hide its origins, CISA says.
Hackers also are using brute-force attacks to guess weak passwords.
"In one case, an organization did not require a virtual private network for accessing the corporate network," the CISA alert notes. "Although their terminal server was located within their firewall, due to remote work posture, the terminal server was configured with port 80 open to allow remote employees to access it - leaving the organization’s network vulnerable. The threat actor attempted to exploit this by launching brute force login attempts."
In some cases, attackers are bypassing multifactor authentication protections by compromising browser cookies to collect one-time passwords and other data, CISA adds.
After gaining an initial foothold in the network, some of the hackers attempted to change settings within victims' email inboxes that would forward messages to the attackers or hide certain emails from security tools. The FBI previously warned that business email compromise gangs frequently attempt to change auto-forwarding rules in compromised accounts to gather intelligence and trick users into sending money to bank accounts that they control (see: FBI: BEC Scams Are Using Email Auto-Forwarding).
Risk Mitigation Tips
To mitigate the risks of attacks targeting cloud services, CISA recommends that organizations:
- Review Active Directory sign-in logs and unified audit logs for anomalous activity;
- Enforce multifactor authentication;
- Review user-created email forwarding rules and alerts or restrict forwarding;
- Determine when, how and why to reset passwords and to revoke session tokens;
- Resolve client site requests internal to the network;
- Consider restricting users from forwarding emails to accounts outside of the organization's domain.
But some security experts say immediate disruption of attacks must also be a priority.
"While preventive approaches may be necessary to raise the effort an adversary must exert to successfully attack an organization, a key takeaway of the last quarter must be that prevention will fail, and over-reliance on prevention is a loser's strategy," says Tim Wade, a former network and security technical manager with the U.S. Air Force who is now a technical director at the security firm Vectra AI. "Unless and until organizations can successfully identify and disrupt attacks in real time … we will continue to see successfully executed attacks."