Dive Brief:
- Phishing is the leading initial-access vector for attacks in cloud environments, IBM X-Force said Tuesday in its latest Cloud Threat Landscape Report. IBM’s latest findings are in line with a collection of other recent research from incident response firms and cybersecurity vendors about the prevalence and impact of phishing.
- The mode of attack, which threat groups use to harvest credentials for systems and network access, accounted for one-third of all cloud-related incidents IBM X-Force responded to during the two-year period ending in June.
- Threat groups most often use phishing emails to trick recipients into entering login information on malicious sites for adversary-in-the-middle attacks, IBM X-Force found. AITM phishing is a more sophisticated form of phishing that can bypass some forms of multifactor authentication, the report found.
Dive Insight:
The long-lasting effectiveness and success of phishing campaigns underscores the most central challenge in cybersecurity — people are the weakest link and credentials are the root of the problem.
An entire industry is built around training professionals to think twice before clicking a link in a text message or email that directs them to a login page asking for credentials. Yet, year after year, phishing remains the king of compromise.
Ultimately, organizations are responsible for defending their systems against attacks.
Valid credentials were the initial-access vector for 28% of all cloud-related incidents during the two-year period. Exploited vulnerabilities in public-facing applications were the third-most common initial access vector, turning up in 22% of all cloud intrusions, IBM X-Force said.
The top actions on objective, the avenues threat groups take to accomplish their goals, further illustrate the problem. X-Force said 2 in 5 incident response engagements over the past two years involved the abuse of cloud-hosted Active Directory servers to conduct business email compromise attacks, making it the top action on objective.
When attackers use AITM phishing to bypass MFA, they place a proxy server between the target and the legitimate service. The phishing page relays the victim's username, password and MFA response to the real login flow in real time, and the proxy captures the session cookies or tokens the service issues once the victim has completed authentication on the malicious page, X-Force researchers said.
With a valid session token in hand, threat groups can do whatever the compromised user can do within that application. Often this leads to downstream compromises when cloud resources share the same enterprise credentials, the report found.
While cybersecurity professionals and authorities resoundingly agree MFA in any form is better than single-factor authentication, the relentless wave of attacks in MFA-equipped environments shows the extent to which MFA defenses can crumble.
Phishing-resistant MFA aims to strengthen enterprise defenses against phishing by removing the step in which a user hands a reusable secret to whatever page is in front of them. These modes of authentication rely on public-key cryptography: under the FIDO2 standard and the Web Authentication API (WebAuthn), the authenticator signs a server challenge together with the origin the browser is actually connected to, and the credential is bound to the legitimate site's domain, so a login completed on an attacker's look-alike domain produces a signature the real service will not accept. Hardware security keys, device-bound passkeys unlocked with a biometric or PIN, and smart-card certificates are the common forms.
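The following simulation, added here as an illustration and not part of the IBM report or this article, shows both mechanics described above: an AITM proxy relaying a password plus TOTP code and walking away with a session token, and the same proxy failing against a WebAuthn-style login because the signed client data names the phishing origin rather than the legitimate one. The origins, account and secrets are constructed for the example. To keep it runnable with only the Python standard library, the authenticator's signature is stood in by an HMAC over a shared device key instead of a real public-key signature over authenticatorData and the client-data hash; the origin-binding check it demonstrates is the same one a real relying party performs.

```python
"""Simulation of an AITM phishing proxy against TOTP and against origin-bound WebAuthn.

Constructed example. The HMAC "signature" is a stand-in for the asymmetric
signature a FIDO2 authenticator produces; everything else mirrors the flows
described in the text.
"""
import hashlib
import hmac
import json
import secrets
import struct
import time

LEGIT_ORIGIN = "https://login.example.com"   # constructed: the real identity provider
PHISH_ORIGIN = "https://login.examp1e.com"   # constructed: the attacker's look-alike domain


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, as produced by a typical authenticator app."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class RelyingParty:
    """Toy identity provider offering a password+TOTP login and a WebAuthn-style login."""

    def __init__(self):
        self.password = "correct horse"               # constructed victim password
        self.totp_secret = secrets.token_bytes(20)    # shared with the victim's TOTP app
        self.device_key = secrets.token_bytes(32)     # stand-in for the registered public key
        self.challenges = set()
        self.sessions = {}

    def login_totp(self, password, code, now):
        """A password and a currently valid code are all the server can check."""
        if password == self.password and hmac.compare_digest(code, totp(self.totp_secret, now)):
            return self._issue_session()
        return None

    def new_challenge(self):
        challenge = secrets.token_urlsafe(32)
        self.challenges.add(challenge)
        return challenge

    def login_webauthn(self, client_data_json, signature):
        """Verify challenge freshness, the origin the browser reported, then the signature."""
        data = json.loads(client_data_json)
        if data.get("challenge") not in self.challenges:
            return None
        self.challenges.discard(data["challenge"])
        if data.get("origin") != LEGIT_ORIGIN:       # the origin-binding check
            return None
        expected = hmac.new(self.device_key, client_data_json.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None
        return self._issue_session()

    def _issue_session(self):
        token = secrets.token_hex(16)
        self.sessions[token] = "victim@example.com"  # constructed account
        return token


class Authenticator:
    """The victim's authenticator. The browser, not the user, supplies the origin."""

    def __init__(self, device_key):
        self.device_key = device_key

    def sign(self, challenge, origin):
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True)
        sig = hmac.new(self.device_key, client_data.encode(), hashlib.sha256).digest()
        return client_data, sig


def aitm_against_totp(rp, password_typed, totp_secret, now):
    """Proxy forwards what the victim typed on the phishing page, verbatim, within the 30 s window."""
    code_typed = totp(totp_secret, now)
    return rp.login_totp(password_typed, code_typed, now)   # returns the stolen session token


def aitm_against_webauthn(rp, authenticator):
    """Proxy fetches a genuine challenge, but the victim's browser is on the phishing origin."""
    challenge = rp.new_challenge()
    client_data, sig = authenticator.sign(challenge, PHISH_ORIGIN)
    return rp.login_webauthn(client_data, sig)              # None: origin mismatch


def run_demo():
    rp = RelyingParty()
    authenticator = Authenticator(rp.device_key)
    now = int(time.time())
    stolen = aitm_against_totp(rp, rp.password, rp.totp_secret, now)
    proxied = aitm_against_webauthn(rp, authenticator)
    client_data, sig = authenticator.sign(rp.new_challenge(), LEGIT_ORIGIN)
    genuine = rp.login_webauthn(client_data, sig)
    return {"totp_session_stolen": stolen is not None,
            "webauthn_proxied_accepted": proxied is not None,
            "webauthn_direct_accepted": genuine is not None}


if __name__ == "__main__":
    print(run_demo())
```

The TOTP path succeeds because nothing in the code ties it to where it was typed; the relying party sees a correct password and a correct six digits. The WebAuthn path fails before the signature is even checked, because `clientDataJSON` carries the origin the browser was really on and the relying party only accepts its own. Capturing a session token after a successful login, rather than the credentials themselves, is what makes the TOTP case dangerous: the token can be replayed from the attacker's infrastructure without re-prompting MFA, which is why session-token revocation and sign-in anomaly detection matter alongside phishing-resistant MFA.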