Dive Brief:
- Bad actors have successfully compromised the cloud services of companies using various attack methods, including phishing, brute-force login attempts and potentially a "pass-the-cookie" attack, according to an alert from the Cybersecurity & Infrastructure Security Agency (CISA) on Wednesday. The activity is unrelated to the ongoing SolarWinds hack.
- In one case, threat actors accessed a user's account "with proper multi-factor authentication (MFA)," which CISA believes stemmed from the hackers using browser cookies to "defeat MFA." In a pass-the-cookie attack the attacker steals the session cookie a browser holds after a successful MFA login and replays it, so the service treats the session as already authenticated and never prompts for the second factor again.
- In other incidents, CISA found that after compromising an initial account through phishing, threat actors sent further malicious emails to others in the organization. In "several engagements," the agency said, hackers relied on email forwarding rules that users had already established.
Dive Insight:
The agency said "weak cyber hygiene" was a primary conduit for the successful cyberattacks. Having a remote workforce hasn't helped.
In 2019, 65% of companies in the U.S. dealt with a successful phishing attack, according to a 2020 Proofpoint survey. Nearly 60% of organizations said they lost data and about 50% said they had credentials compromised as a result.
After targets of phishing schemes unknowingly hand over their credentials, the hackers gain access to their cloud service accounts. At this point, CISA "observed the actors' logins originating from foreign locations (although the actors could have been using a proxy or The Onion Router (Tor) to obfuscate their location)."
In one case, CISA observed an organization that did not require VPN use. Its terminal server sat behind a firewall, but to support remote work the organization configured the server "with port 80 open to allow remote employees to access it," according to CISA. The exposed server was then subjected to a brute-force attack.
For companies with open Remote Desktop Protocol (RDP) ports, the agency recommends placing those services behind a firewall and requiring VPN access to reach them.
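Two checks follow from the terminal-server case and the RDP recommendation above: no remote-access logon should originate outside the VPN client range once the service is behind the firewall, and a burst of failed logons from one source that ends in a success is the signature of a brute-force attack that worked. The script below runs both over constructed logon records. It is an added example, not code from CISA or the article; the record layout, the VPN subnet 10.8.0.0/24, the five-failure threshold and the five-minute window are assumptions chosen for illustration.

```python
"""Flag brute-force bursts and non-VPN remote-access logons in logon records.

Added example; not code from the CISA alert or the article. The record
format, the VPN subnet, the failure threshold and the window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records (timestamp, source_ip, user, outcome). Not real
# events: one VPN-sourced logon, a password-spray burst from an outside address
# that ends in a success, and one more outside success.
SAMPLE_LOGONS = [
    ("2020-12-01T08:00:00", "10.8.0.23", "alice", "success"),
    ("2020-12-01T08:01:10", "203.0.113.45", "admin", "failure"),
    ("2020-12-01T08:01:12", "203.0.113.45", "admin", "failure"),
    ("2020-12-01T08:01:15", "203.0.113.45", "bob", "failure"),
    ("2020-12-01T08:01:19", "203.0.113.45", "bob", "failure"),
    ("2020-12-01T08:01:22", "203.0.113.45", "carol", "failure"),
    ("2020-12-01T08:01:30", "203.0.113.45", "carol", "success"),
    ("2020-12-01T09:30:00", "198.51.100.9", "dave", "success"),
]

VPN_SUBNET = ip_network("10.8.0.0/24")  # assumed VPN client address range
FAIL_THRESHOLD = 5                       # assumed: failures per source in WINDOW
WINDOW = timedelta(minutes=5)


def parse(records):
    """Turn the raw tuples into (datetime, ip_address, user, outcome)."""
    return [(datetime.fromisoformat(ts), ip_address(ip), user, outcome)
            for ts, ip, user, outcome in records]


def non_vpn_logons(records):
    """Every logon whose source lies outside the VPN range. With RDP or the
    terminal server correctly placed behind the VPN, this should be empty."""
    return [(ts.isoformat(), str(ip), user, outcome)
            for ts, ip, user, outcome in parse(records) if ip not in VPN_SUBNET]


def brute_force_sources(records):
    """Sources with >= FAIL_THRESHOLD failures inside a sliding WINDOW.

    Returns {ip: {"failures": n, "users": [...], "succeeded_after": bool}};
    succeeded_after is True when the same source logged on successfully at or
    after its last failure, i.e. the brute force most likely worked.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in parse(records):
        by_ip[ip].append((ts, user, outcome))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        fails = [e for e in events if e[2] == "failure"]
        start = 0
        for end in range(len(fails)):
            # shrink the window from the left until it spans <= WINDOW
            while fails[end][0] - fails[start][0] > WINDOW:
                start += 1
            if end - start + 1 >= FAIL_THRESHOLD:
                last_fail = fails[end][0]
                succeeded = any(e[2] == "success" and e[0] >= last_fail for e in events)
                hits[str(ip)] = {
                    "failures": len(fails),
                    "users": sorted({e[1] for e in fails}),
                    "succeeded_after": succeeded,
                }
                break
    return hits


if __name__ == "__main__":
    for ip, info in brute_force_sources(SAMPLE_LOGONS).items():
        print("brute force from", ip, info)
    for row in non_vpn_logons(SAMPLE_LOGONS):
        print("outside VPN range:", row)
```

Feed it real records by mapping your own log fields (Windows Security event 4624/4625, RDP gateway logs, or the terminal server's own access log) onto the four-tuple; the source-address check is the one that verifies the CISA recommendation was actually applied, since a single logon from outside the VPN range means the port is still reachable from the internet.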
Phishing schemes broke records in 2020, yet only half of U.S. workers know what a phishing campaign is, and half assume their IT team will be automatically notified if malware is installed on their device, according to Proofpoint.
This year, some companies halted simulated phishing attempts as employees adjusted to working from home. By summer, security organizations were revisiting the training tactic, and some companies handled it in a tone-deaf way.
In September, Tribune Publishing Company sent employees a test phishing email promising bonuses of $5,000 to $10,000, after a year of layoffs and reduced pay amid the pandemic. Employees failed the test in large numbers, and the backlash prompted the publishing house to issue an apology.
GoDaddy issued an apology in December for a similar phishing test that felt "insensitive" to the roughly 500 employees who received it. The company said the "test mimicked real attempts in play today," but "we need to do better and be more sensitive to our employees."
CISA recommends that companies implement conditional access policies and regularly audit Active Directory sign-in logs and unified audit logs to detect suspicious activity. Though MFA was bypassed in at least one of the incidents, the agency encourages companies to enforce the authentication method "without exception" for all employees.
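The audit CISA recommends here is the place to look for the three behaviours the brief describes: forwarding rules that send mail to an outside address (Dive Brief, third bullet), successful sign-ins from unexpected countries, and a session that was authenticated with MFA once and then reappears from a different address without a fresh challenge, which is what a replayed cookie looks like in the logs (Dive Brief, second bullet). The script below triages constructed sign-in and audit events for all three. It is an added example, not code from CISA or the article; the event schema, the field names, the operation names (New-InboxRule, Set-InboxRule, Set-Mailbox), the home-country set and the sample values are assumptions modelled loosely on cloud sign-in and audit logs, not a real vendor format.

```python
"""Triage cloud sign-in and audit events for forwarding rules, foreign
sign-ins and session (cookie) replay.

Added example; not code from CISA or the article. The event schema, field
names, operation names and sample values are assumptions, not a real format.
"""

HOME_COUNTRIES = {"US"}  # assumed: countries the workforce normally signs in from
FORWARDING_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}  # assumed op names
FORWARD_KEYS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                "ForwardingSmtpAddress", "ForwardingAddress"}  # assumed parameter names

# Constructed sample sign-ins; not real log data. Session s-001 is satisfied
# with MFA once from a US address and later presented from another country
# with no new challenge, which is the shape a stolen cookie produces.
SIGNINS = [
    {"user": "alice@example.com", "ip": "198.51.100.10", "country": "US", "session": "s-001",
     "mfa": "challenge_satisfied", "result": "success", "time": "2020-12-01T08:00:00"},
    {"user": "alice@example.com", "ip": "203.0.113.77", "country": "NL", "session": "s-001",
     "mfa": "not_required_existing_session", "result": "success", "time": "2020-12-01T13:42:00"},
    {"user": "bob@example.com", "ip": "198.51.100.11", "country": "US", "session": "s-002",
     "mfa": "challenge_satisfied", "result": "success", "time": "2020-12-01T09:15:00"},
]

# Constructed sample audit events; not real log data.
AUDIT = [
    {"user": "alice@example.com", "op": "New-InboxRule", "time": "2020-12-01T13:50:00",
     "params": {"Name": "invoices", "ForwardTo": "ext-drop@example.net", "DeleteMessage": True}},
    {"user": "bob@example.com", "op": "Set-InboxRule", "time": "2020-12-01T10:00:00",
     "params": {"Name": "sort-newsletters", "MoveToFolder": "Newsletters"}},
    {"user": "carol@example.com", "op": "Set-Mailbox", "time": "2020-12-01T11:00:00",
     "params": {"ForwardingSmtpAddress": "smtp:carol.personal@example.org"}},
]


def forwarding_rule_changes(events):
    """Audit events that create or change a forwarding destination.
    A rule that also deletes the local copy hides the exfiltration from the user."""
    out = []
    for e in events:
        if e["op"] not in FORWARDING_OPS:
            continue
        dests = {k: v for k, v in e["params"].items() if k in FORWARD_KEYS}
        if dests:
            out.append({"user": e["user"], "op": e["op"], "time": e["time"],
                        "destinations": dests,
                        "deletes_copy": bool(e["params"].get("DeleteMessage"))})
    return out


def foreign_signins(events):
    """Successful sign-ins from outside the home-country set."""
    return [e for e in events
            if e["result"] == "success" and e["country"] not in HOME_COUNTRIES]


def session_replay(events):
    """Successful sign-ins that present an already-seen session identifier from
    a different IP without a fresh MFA challenge: the second factor was
    satisfied once, by the victim, and never again."""
    first_seen = {}
    suspects = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["result"] != "success":
            continue
        key = (e["user"], e["session"])
        if key not in first_seen:
            first_seen[key] = e
            continue
        origin = first_seen[key]
        if e["ip"] != origin["ip"] and e["mfa"] != "challenge_satisfied":
            suspects.append({"user": e["user"], "session": e["session"],
                             "first_ip": origin["ip"], "replay_ip": e["ip"],
                             "replay_country": e["country"], "time": e["time"]})
    return suspects


if __name__ == "__main__":
    print("forwarding changes:", forwarding_rule_changes(AUDIT))
    print("foreign sign-ins:", [e["user"] for e in foreign_signins(SIGNINS)])
    print("possible cookie replay:", session_replay(SIGNINS))
```

The session-replay check will also fire on a legitimate user whose laptop changes networks mid-session, so treat it as a lead to correlate with the country, the user's device and the timing rather than as proof on its own; the forwarding check is the higher-confidence signal, since an external forwarding destination created minutes after an anomalous sign-in is exactly the sequence the alert describes.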