Cyber criminals bypassing MFA to access cloud service accounts

Pass-the-cookie attacks help sidestep organizational security

Smartphone and tablet displaying two-factor authentication screens

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned organizations that hackers are bypassing multi-factor authentication (MFA) protocols to breach cloud service accounts. 

In a report, the CISA said it was aware of several recent successful cyber attacks against various organizations’ cloud services. Hackers used “phishing and other vectors to exploit poor cyber hygiene practices within a victims’ cloud services configuration.”

"The cyber threat actors involved in these attacks used a variety of tactics and techniques—including phishing, brute force login attempts, and possibly a 'pass-the-cookie' attack—to attempt to exploit weaknesses in the victim organizations’ cloud security practices,” said the report’s authors.

While brute force attacks using username and password combinations often fail because an organization had MFA enabled, CISA said in one incident, hackers successfully signed into a user’s account, despite MFA being enabled. In this case, CISA believed the threat actors may have used browser cookies to defeat MFA with a “pass-the-cookie” attack. Such attacks hijack an authenticated session using stolen cookies to access web applications or online services.

In another attack, CISA observed threat actors collecting sensitive information by taking advantage of email forwarding rules, which users had set up to forward work emails to their personal email accounts.

“In one case, CISA determined that the threat actors modified an existing email rule on a user’s account—originally set by the user to forward emails sent from a certain sender to a personal account—to redirect the emails to an account controlled by the actors. The threat actors updated the rule to forward all email to the threat actors’ accounts,” said the report.

CISA also observed hackers creating new mailbox rules that forwarded certain messages received by the users—specifically, messages with certain phishing-related keywords—to the legitimate users’ Really Simple Syndication (RSS) Feeds or RSS Subscriptions folder to prevent warnings from being seen by the legitimate users.

CISA added that these attacks were “not explicitly tied to any one threat actor or known to be specifically associated with the advanced persistent threat actor attributed with the compromise of SolarWinds Orion Platform software and other recent activity.”

Eyal Wachsman, co-founder & CEO at BAS provider Cymulate, told ITPro that user authentication and credentials had become the new enterprise security perimeter. With many employees working remotely and accessing cloud services, they have become a lucrative target for attacks. 

“Pass-the-Cookie attacks require a successful breach of the end user's workstation, and whether they are a personal device or an organization’s, assets have become a headache to secure for CISOs. They are challenged to enforce patching on these workstations and detection systems are blindsided with partial visibility leaving them extremely vulnerable. Added to the mix are well crafted Spear Phishing attacks that introduce malware or steal credentials through social engineering,” Wachsman said.

Related Resource

Email security threat report 2020

Four key trends from spear fishing to credentials theft

Download now

Wachsman added that to prevent these attacks, companies must increase phishing awareness. Employees should also log out from cloud services when they’re not using them, and companies should set the services to automatically kill inactive sessions, even for short periods.

“Becoming aware of your security posture is critical to discover and fix the weaknesses they find,” he said.

Niamh Muldoon, global data protection officer at OneLogin, told ITPro that security culture and maintaining security consciousness with your entire organization and end users is critical for identifying and responding to security threats, and following security processes. 

“Access control processes of provisioning and de-provisioning are great examples that need conscious focus and attention to ensure only those that have a business requirement for access have access and their access is approved, reviewed and monitored per the access control principles of authentication, authorization and assurance principles,” Muldoon said.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Russian spy agencies warn of US cyber retaliation
hacking

Russian spy agencies warn of US cyber retaliation

25 Jan 2021
Global ransom DDoS extortionists are retargeting companies
distributed denial of service (DDOS)

Global ransom DDoS extortionists are retargeting companies

22 Jan 2021
Pixlr data breach exposes over 1.9 million user records
data breaches

Pixlr data breach exposes over 1.9 million user records

22 Jan 2021
BEC scammers are using Google Forms to identify easy victims
phishing

BEC scammers are using Google Forms to identify easy victims

21 Jan 2021

Most Popular

How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
What is the Raspberry Pi Pico?
Hardware

What is the Raspberry Pi Pico?

21 Jan 2021
WhatsApp could face €50 million GDPR fine
General Data Protection Regulation (GDPR)

WhatsApp could face €50 million GDPR fine

25 Jan 2021