CISA Warns Organizations About Attacks on Cloud Services
In light of successful cyberattacks targeting organizations’ cloud services, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published a series of recommendations on how businesses can improve their cloud security.
The attacks observed by CISA exploit poor cyber hygiene practices within cloud services configurations, and the agency says the activity is not tied to a specific threat actor or the recent SolarWinds attack. Thus, the recommended mitigations apply to all organizations looking to ensure their cloud services are better protected from cyberattacks.
CISA notes that the recommendations are based on CISA incident response engagements and that the observed attacks frequently involved telework that leveraged a mixture of corporate laptops and personal devices for access to cloud services.
“Despite the use of security tools, affected organizations typically had weak cyber hygiene practices that allowed threat actors to conduct successful attacks,” CISA notes.
To exploit weaknesses in the victim organization’s cloud services, the threat actors used techniques such as phishing and brute force attempts. One incident, however, possibly involved a “pass-the-cookie” attack (in which a stolen session cookie is used to access otherwise restricted resources).
Phishing emails were used to trick victims into sharing their login credentials; the attackers then used these credentials to access cloud service accounts and to phish for additional credentials. Brute force attempts targeted a terminal server at an organization that had opened port 80 for remote access rather than using a VPN.
The attackers also abused email forwarding rules to collect sensitive information, and modified existing rules to search for finance-related keywords within the victims’ email messages. In one case, although the compromised account had proper multi-factor authentication (MFA) enabled, the attackers apparently used a “pass-the-cookie” attack for initial access.
“Cookies establish session persistence for web applications. When you are authenticated with a web application, MFA or not, the cookie is placed on your computer. The cookie contains the session ID and access tokens to the web application. This is so you don’t have to reauthenticate incessantly to the web application. This is an inherent flaw in the HTTP protocol and how web applications work. HTTP is a stateless protocol and relies on cookies to maintain state,” Christian Espinosa, Managing Director at Cerberus Sentinel, explains.
“The way to mitigate the MFA pass-the-cookie vulnerability is with better cookie management and better user training. Specially, cookies should be set with a short lifespan. […] The bottom line is there is no single way to fix the pass-the-cookie problem, unless you force a user to reauthenticate more frequently for different web application functionality. This diminishes the user experience though,” Espinosa continues.
To mitigate cyberattacks targeting their cloud services, organizations are advised to implement conditional access (CA) policies, establish a baseline for normal network activity, review logs, enforce MFA, review user-created email forwarding rules and alerts, establish a mitigation plan, secure privileged access, prohibit personal devices at work (unless necessary), audit email rules, ensure users consent only to app integrations that have been pre-approved, and adopt a zero-trust mindset.
Organizations should also ensure that user access logging is enabled, that legacy authentication protocols are blocked, that Remote Desktop Protocol (RDP) ports are closed on cloud-based virtual machines with public IPs, that employees are trained on how to identify threats and report them, and that detection solutions are up-to-date.
For organizations that use Microsoft 365, only a few (one to three) trusted users should be set as electronic discovery (or eDiscovery) managers, PowerShell remoting to Exchange Online should be disabled for regular M365 users, and only a limited number of unsuccessful login attempts should be allowed, to prevent brute-forcing.
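Two of the recommendations above, reviewing user-created email forwarding rules and limiting unsuccessful login attempts, lend themselves to a simple log review. The following Python script is an added example written for this article; it is not CISA's tooling or any Microsoft product code. It reads newline-delimited JSON records whose shape loosely follows Microsoft 365 audit log exports (the field names, the internal domain `example.com`, the finance keyword list and the failure threshold are all assumptions, and the sample records are constructed), flags inbox rules that forward or redirect mail outside the organization, match finance-related keywords, or delete messages, and reports accounts with a burst of failed logins.

```python
"""Review inbox rules and failed-login bursts from audit log records.

Added example for this article, not CISA's or Microsoft's code. The record
layout loosely mirrors a Microsoft 365 audit log export, but every field name
here is an assumption and the sample events are constructed.
"""
import json
from collections import defaultdict

ORG_DOMAIN = "example.com"                      # assumed internal mail domain
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "banking", "remittance"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
FAILED_LOGIN_THRESHOLD = 5                      # assumed alerting threshold

# Constructed sample audit records, one JSON object per line.
SAMPLE_LOG = r'''
{"CreationTime":"2021-01-14T09:02:11","Operation":"New-InboxRule","UserId":"alice@example.com","Parameters":[{"Name":"Name","Value":"Archive"},{"Name":"SubjectContainsWords","Value":"newsletter"},{"Name":"MoveToFolder","Value":"Archive"}]}
{"CreationTime":"2021-01-14T09:05:40","Operation":"New-InboxRule","UserId":"bob@example.com","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;wire;payment"},{"Name":"ForwardTo","Value":"collector@attacker-mail.test"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2021-01-14T09:06:02","Operation":"Set-InboxRule","UserId":"carol@example.com","Parameters":[{"Name":"Identity","Value":"Team"},{"Name":"RedirectTo","Value":"dave@example.com"}]}
{"CreationTime":"2021-01-14T09:10:00","Operation":"UserLoginFailed","UserId":"erin@example.com","ClientIP":"203.0.113.7"}
{"CreationTime":"2021-01-14T09:10:03","Operation":"UserLoginFailed","UserId":"erin@example.com","ClientIP":"203.0.113.7"}
{"CreationTime":"2021-01-14T09:10:06","Operation":"UserLoginFailed","UserId":"erin@example.com","ClientIP":"203.0.113.7"}
{"CreationTime":"2021-01-14T09:10:09","Operation":"UserLoginFailed","UserId":"erin@example.com","ClientIP":"203.0.113.7"}
{"CreationTime":"2021-01-14T09:10:12","Operation":"UserLoginFailed","UserId":"erin@example.com","ClientIP":"203.0.113.7"}
{"CreationTime":"2021-01-14T09:10:15","Operation":"UserLoginFailed","UserId":"erin@example.com","ClientIP":"203.0.113.7"}
{"CreationTime":"2021-01-14T09:15:00","Operation":"UserLoginFailed","UserId":"frank@example.com","ClientIP":"198.51.100.4"}
{"CreationTime":"2021-01-14T09:15:30","Operation":"UserLoginFailed","UserId":"frank@example.com","ClientIP":"198.51.100.4"}
'''


def parse_records(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _params(record):
    """Flatten the Parameters list into a {Name: Value} dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _is_external(address):
    """True when the address does not belong to the organization's domain."""
    return not address.strip().lower().endswith("@" + ORG_DOMAIN)


def review_inbox_rules(records):
    """Return a finding for every rule creation/change with suspicious traits."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = _params(rec)
        reasons = []
        # Forwarding/redirecting to an address outside the organization.
        for name in sorted(params.keys() & FORWARDING_PARAMS):
            targets = [a.strip() for a in params[name].split(";") if a.strip()]
            external = [a for a in targets if _is_external(a)]
            if external:
                reasons.append(f"{name} to external address(es): {', '.join(external)}")
        # Subject filters that single out finance-related mail.
        words = {w.strip().lower()
                 for w in params.get("SubjectContainsWords", "").split(";") if w.strip()}
        hits = sorted(words & FINANCE_KEYWORDS)
        if hits:
            reasons.append("finance keywords: " + ", ".join(hits))
        # Rules that delete matching mail hide the activity from the user.
        if params.get("DeleteMessage", "").lower() == "true":
            reasons.append("rule deletes matching messages")
        if reasons:
            findings.append({"time": rec["CreationTime"], "user": rec["UserId"],
                             "rule": params.get("Name") or params.get("Identity", "?"),
                             "reasons": reasons})
    return findings


def failed_login_bursts(records, threshold=FAILED_LOGIN_THRESHOLD):
    """Map each account with at least `threshold` failed logins to its count."""
    counts = defaultdict(int)
    for rec in records:
        if rec.get("Operation") == "UserLoginFailed":
            counts[rec["UserId"]] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for f in review_inbox_rules(recs):
        print(f"[rule] {f['time']} {f['user']} rule={f['rule']!r}: " + "; ".join(f["reasons"]))
    for user, n in failed_login_bursts(recs).items():
        print(f"[auth] {user}: {n} failed logins (threshold {FAILED_LOGIN_THRESHOLD})")
```

On the constructed sample, only bob's rule is reported (external forwarding, finance keywords and message deletion), carol's internal redirect is not, and erin's six failures cross the threshold while frank's two do not. In practice the same checks are worth running over a real export of rule-change and sign-in events, with the threshold tuned against the organization's own baseline of normal activity.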