The Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday said it discovered several recent successful cyberattacks against the cloud services of multiple organizations, and offered guidance on how security teams can bolster their cloud security.
CISA said in its report that threat actors used a variety of tactics and techniques to exploit cloud security weaknesses, including phishing, brute-force login attempts and possibly a so-called “pass-the-cookie” attack that bypassed multifactor authentication (MFA).
The agency does not explicitly tie these activities to any one threat group, nor does it associate them with the advanced persistent threat actor behind the SolarWinds compromise.
Many of the cloud-based attacks took place while employees at the victim organizations worked remotely and used a mixture of corporate laptops and personal devices to access their respective cloud services. Despite the use of security tools, CISA said affected organizations typically had weak cyber hygiene practices that let the threat actors conduct successful attacks.
Paul Bischoff, privacy advocate at Comparitech, said that MFA can prevent attackers from logging into an unauthorized account, but that does little good if the attacker appears to already have logged in from the start, which is how a pass-the-cookie attack bypasses MFA altogether.
Bischoff detailed how it works:
After a successful, legitimate login on a typical web app, a cookie gets created and placed on the user's device. When the user visits the site again in the future, they can bypass the login process because the user has this cookie. If an attacker manages to steal the cookie, they can place it in their own browser, bypass the MFA login process, and masquerade as a legitimate user.
“Organizations need to set strict policies dictating when session cookies are cleared,” Bischoff recommended. “Authentication monitoring and behavior-based threat detection can help as well.”
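To make the mechanism Bischoff describes concrete, here is an added example that is not code from the article or from any cloud provider: a toy session store in pure Python whose names (`SessionStore`, `login`, `authenticate`, `revoke_all_for_user`) are all assumptions chosen for illustration. It shows that MFA is checked once, at login, so a replayed cookie is accepted without any prompt, and then shows what the two controls he and CISA recommend do about it: a bounded session lifetime and session-token revocation.

```python
"""Pass-the-cookie in miniature: added example, not code from the article or from any
cloud provider. A toy session store stands in for a web app's session layer; every
name here is an assumption chosen for illustration."""
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    issued_at: float   # when password + MFA were last satisfied for this session
    last_seen: float
    revoked: bool = False


class SessionStore:
    def __init__(self, absolute_lifetime=8 * 3600, idle_timeout=30 * 60):
        self.sessions = {}
        self.absolute_lifetime = absolute_lifetime  # hard cap, regardless of activity
        self.idle_timeout = idle_timeout            # cap on the gap between requests

    def login(self, user, password_ok, mfa_ok, now):
        """Password and MFA are checked exactly once. The random cookie value returned
        is all that later requests present, so whoever holds it is 'logged in'."""
        if not (password_ok and mfa_ok):
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = Session(user, issued_at=now, last_seen=now)
        return cookie

    def authenticate(self, cookie, now):
        """Return the session's user, or None if the cookie is unknown, revoked or expired.
        Nothing here can tell the legitimate browser from an attacker replaying the cookie."""
        s = self.sessions.get(cookie)
        if s is None or s.revoked:
            return None
        if now - s.issued_at > self.absolute_lifetime:
            return None
        if now - s.last_seen > self.idle_timeout:
            return None
        s.last_seen = now
        return s.user

    def revoke_all_for_user(self, user):
        """Incident-response step: invalidate every session token for a user."""
        hit = [s for s in self.sessions.values() if s.user == user and not s.revoked]
        for s in hit:
            s.revoked = True
        return len(hit)


def demo():
    """Replay a stolen cookie and record what each control does about it."""
    store = SessionStore(absolute_lifetime=8 * 3600, idle_timeout=30 * 60)
    t0 = 1_700_000_000.0  # constructed clock value, seconds
    out = {}
    cookie = store.login("alice", password_ok=True, mfa_ok=True, now=t0)
    stolen = cookie  # e.g. copied out of the browser profile by malware on alice's laptop

    # 1. The replay is accepted with no MFA prompt: MFA already happened, at login.
    out["replay_accepted"] = store.authenticate(stolen, now=t0 + 60)

    # 2. An attacker who polls every 10 minutes never trips the idle timeout...
    t = t0
    while t + 600 < t0 + 8 * 3600:
        t += 600
        store.authenticate(stolen, now=t)
    out["kept_alive_by_attacker"] = store.authenticate(stolen, now=t)

    # 3. ...but the absolute lifetime ends the session however busy it was kept.
    out["after_absolute_lifetime"] = store.authenticate(stolen, now=t0 + 8 * 3600 + 1)

    # 4. If the theft is detected earlier, revoking the user's sessions ends it at once.
    fresh = store.login("alice", password_ok=True, mfa_ok=True, now=t0 + 9 * 3600)
    out["revoked_count"] = store.revoke_all_for_user("alice")
    out["after_revocation"] = store.authenticate(fresh, now=t0 + 9 * 3600 + 1)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of step 2 is that an idle timeout alone is not a session-cookie clearing policy: an attacker who keeps using the stolen cookie keeps it alive. An absolute lifetime, after which the user must complete MFA again, and the ability to revoke a user's sessions on demand are what actually bound the damage.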
Tim Wade, technical director of the CTO Team at Vectra, said managing IT hygiene and improving awareness against phishing are themes that are continually hammered when discussing how to prevent cyberattacks, but it’s critically important to acknowledge that there’s no perfect remedy.
“Perfection in both these cases is a ‘fool’s errand’ and so CISA’s recommendation for a robust detection and response capability is spot on,” Wade said. “Whether against known IT hygiene-related weaknesses, unknown weaknesses, an organization’s ability to quickly zero in on an active risk and then take appropriate action to reduce the impact is the difference between a successful security operations team and an organization finding their name in a headline story on cyberattacks.”
CISA posted a long list of recommendations for organizations looking to bolster cloud security. Here are some of the highlights:
- Implement conditional access (CA) policies based upon your organization's needs.
- Establish a baseline for normal network activity within your environment.
- Routinely review both Active Directory sign-in logs and unified audit logs for anomalous activity.
- Enforce MFA.
- Routinely review user-created email forwarding rules and alerts, or restrict forwarding.
- Have a mitigation plan or procedures in place; understand when, how, and why to reset passwords and to revoke session tokens.
- Follow recommended guidance on securing privileged access.
- Consider a policy that does not allow employees to use personal devices for work. At a minimum, use a trusted mobile device management solution.
- Consider restricting users from forwarding emails to accounts outside of your domain.
- Ensure user access logging is enabled. Forward logs to a security information and event management (SIEM) appliance for aggregation and monitoring, so that visibility is not lost once logs age out of the cloud service's own retention period.
- Verify that all cloud-based virtual machine instances with a public IP do not have open Remote Desktop Protocol (RDP) ports. Place any system with an open RDP port behind a firewall and require users to use a VPN to access it through the firewall.
- Focus on awareness and training. Make employees aware of the threats—such as phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
- Establish blame-free employee reporting and ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack.
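Three of the review items above (baselining and reviewing sign-in logs for anomalous activity, and reviewing user-created forwarding rules) can be turned into simple detection logic. The following is an added example, not code from CISA or the article: it runs over constructed log records whose layout is an assumption for illustration, not any vendor's schema, and flags a brute-force pattern, a session id presented from two different client profiles (an indicator of the kind of cookie replay discussed above) and an inbox rule forwarding mail outside the organization's domain.

```python
"""Detection logic for three of CISA's review items, run over constructed log
records. Added example; the record layout and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

ORG_DOMAIN = "example.com"  # assumption: the organization's own mail domain

# Constructed sign-in events: (timestamp, user, source_ip, user_agent, session_id, result)
SIGNINS = [
    ("2021-01-13T09:00:00", "alice@example.com", "203.0.113.7", "Chrome/87 (Windows)", "s-111", "success"),
    ("2021-01-13T09:05:00", "alice@example.com", "203.0.113.7", "Chrome/87 (Windows)", "s-111", "success"),
    # same session id, different address and browser: consistent with a replayed cookie
    ("2021-01-13T11:20:00", "alice@example.com", "198.51.100.9", "Firefox/84 (Linux)", "s-111", "success"),
    # five rapid failures from one source, then a success: password spraying / brute force
    ("2021-01-13T02:00:00", "bob@example.com", "192.0.2.44", "python-requests/2.25", "", "failure"),
    ("2021-01-13T02:00:07", "bob@example.com", "192.0.2.44", "python-requests/2.25", "", "failure"),
    ("2021-01-13T02:00:14", "bob@example.com", "192.0.2.44", "python-requests/2.25", "", "failure"),
    ("2021-01-13T02:00:21", "bob@example.com", "192.0.2.44", "python-requests/2.25", "", "failure"),
    ("2021-01-13T02:00:28", "bob@example.com", "192.0.2.44", "python-requests/2.25", "", "failure"),
    ("2021-01-13T02:00:35", "bob@example.com", "192.0.2.44", "python-requests/2.25", "s-222", "success"),
    # one typo then success: normal, must not be flagged
    ("2021-01-13T08:30:00", "carol@example.com", "203.0.113.20", "Chrome/87 (macOS)", "", "failure"),
    ("2021-01-13T08:30:20", "carol@example.com", "203.0.113.20", "Chrome/87 (macOS)", "s-333", "success"),
]

# Constructed mailbox-rule events: (timestamp, user, rule_name, forward_to)
INBOX_RULES = [
    ("2021-01-13T11:25:00", "alice@example.com", ".", "collector@mail.invalid"),
    ("2021-01-12T08:00:00", "carol@example.com", "Project updates", "team@example.com"),
]


def ts(s):
    return datetime.fromisoformat(s)


def find_brute_force(events, threshold=5, window=timedelta(minutes=30)):
    """Flag a success preceded by at least `threshold` failures from the same
    (user, source ip) within `window`."""
    failures = defaultdict(list)  # (user, ip) -> timestamps of recent failures
    alerts = []
    for t, user, ip, _ua, _sid, result in sorted(events, key=lambda e: e[0]):
        when = ts(t)
        key = (user, ip)
        failures[key] = [f for f in failures[key] if when - f <= window]  # drop stale ones
        if result == "failure":
            failures[key].append(when)
        elif len(failures[key]) >= threshold:
            alerts.append({"user": user, "ip": ip, "failures": len(failures[key]), "success_at": t})
            failures[key].clear()
    return alerts


def find_session_reuse(events):
    """Flag a session id that has been presented from more than one (ip, user agent)
    pair. A single bearer token should normally belong to a single client."""
    origins = defaultdict(dict)  # session id -> {(ip, ua): first time seen}
    owner = {}
    for t, user, ip, ua, sid, result in sorted(events, key=lambda e: e[0]):
        if result != "success" or not sid:
            continue
        origins[sid].setdefault((ip, ua), t)
        owner[sid] = user
    return [
        {"session": sid, "user": owner[sid], "origins": sorted(seen)}
        for sid, seen in origins.items()
        if len(seen) > 1
    ]


def find_external_forwarding(rules, org_domain=ORG_DOMAIN):
    """Flag inbox rules that forward to an address outside the organization's domain."""
    return [
        {"user": user, "rule": name, "forward_to": dest}
        for _t, user, name, dest in rules
        if dest.rsplit("@", 1)[-1].lower() != org_domain.lower()
    ]


if __name__ == "__main__":
    for alert in find_brute_force(SIGNINS) + find_session_reuse(SIGNINS) + find_external_forwarding(INBOX_RULES):
        print(alert)
```

Two caveats a practitioner should keep in mind. A source address change on its own is weak evidence (mobile networks, VPNs and corporate NAT all produce it), which is why the session check keys on address and user agent together and should be paired with location and device data where the sign-in logs carry them. And the brute-force threshold is tuned per organization: it should come from the normal-activity baseline CISA recommends establishing, not from a fixed number.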