The Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday said it discovered several recent successful cyberattacks against the cloud services of multiple organizations, and offered guidance on how security teams can bolster the security of those services.
CISA said in its report that threat actors have used a variety of tactics and techniques, including phishing, brute force login attempts, and possibly a so-called “pass-the-cookie” attack that bypassed multifactor authentication, to exploit cloud security weaknesses.
The agency does not explicitly tie these activities to any one threat group, nor are they specifically associated with the advanced persistent threat actor attributed to the SolarWinds attack.
Many of the cloud-based attacks took place while employees at the victim organizations worked remotely and used a mixture of corporate laptops and personal devices to access their respective cloud services. Despite the use of security tools, CISA said affected organizations typically had weak cyber hygiene practices that let the threat actors conduct successful attacks.
Paul Bischoff, privacy advocate at Comparitech, said that MFA can prevent attackers from logging into an unauthorized account, but that does little good if the attacker appears to already have logged in from the start, which is how a pass-the-cookie attack bypasses MFA altogether.
Bischoff detailed how it works:
After a successful, legitimate login on a typical web app, a cookie gets created and placed on the user's device. When the user visits the site again in the future, they can bypass the login process because the user has this cookie. If an attacker manages to steal the cookie, they can place it in their own browser, bypass the MFA login process, and masquerade as a legitimate user.
“Organizations need to set strict policies dictating when session cookies are cleared,” Bischoff recommended. “Authentication monitoring and behavior-based threat detection can help as well.”
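As an added illustration, not code from the article or from Bischoff, the following Python script applies both of those recommendations to a constructed access log: it flags a session cookie that is presented from a different IP address and user agent than the client that completed MFA (the pass-the-cookie pattern), and it flags sessions that outlive an assumed eight-hour maximum age. The log format, the field names and the eight-hour limit are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample access log (not real data): time, event, user, session id,
# source IP, user agent, and for logins whether MFA completed.
SAMPLE_LOG = """\
2021-01-13T08:00:00 login   alice sess-A1 203.0.113.10 Firefox/84 mfa=ok
2021-01-13T08:05:00 request alice sess-A1 203.0.113.10 Firefox/84
2021-01-13T08:10:00 login   bob   sess-B2 192.0.2.55   Chrome/87  mfa=ok
2021-01-13T09:30:00 request alice sess-A1 198.51.100.7 Chrome/87
2021-01-13T17:20:00 request bob   sess-B2 192.0.2.55   Chrome/87
"""

# Assumed policy: a session cookie is considered stale after eight hours.
MAX_SESSION_AGE = timedelta(hours=8)


def parse_log(text):
    """Turn each whitespace-separated log line into a dict."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line: skip it rather than crash the detector
        events.append({
            "time": datetime.fromisoformat(fields[0]),
            "event": fields[1], "user": fields[2], "sid": fields[3],
            "client": (fields[4], fields[5]),      # (source IP, user agent)
            "mfa": "mfa=ok" in fields[6:],
        })
    return events


def find_suspicious_sessions(events, max_age=MAX_SESSION_AGE):
    """Return (session id, reason) pairs for cookie reuse or over-age sessions."""
    sessions = {}   # session id -> client fingerprint and login time seen at MFA
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        sid = ev["sid"]
        if ev["event"] == "login" and ev["mfa"]:
            sessions[sid] = {"client": ev["client"], "login_at": ev["time"]}
            continue
        known = sessions.get(sid)
        if known is None:
            findings.append((sid, "session used without an MFA login on record"))
        elif ev["client"] != known["client"]:
            # Same cookie, different IP/user agent: the pass-the-cookie pattern.
            findings.append((sid, f"cookie reused from {ev['client'][0]} ({ev['client'][1]})"))
        elif ev["time"] - known["login_at"] > max_age:
            findings.append((sid, "session cookie older than policy allows"))
    return findings
```

Calling `find_suspicious_sessions(parse_log(SAMPLE_LOG))` reports sess-A1 for reuse from a second client and sess-B2 for exceeding the eight-hour limit.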
Tim Wade, technical director of the CTO Team at Vectra, said managing IT hygiene and improving awareness against phishing are themes that are continually hammered when discussing how to prevent cyberattacks, but it’s critically important to acknowledge that there’s no perfect remedy.
“Perfection in both these cases is a ‘fool’s errand’ and so CISA’s recommendation for a robust detection and response capability is spot on,” Wade said. “Whether against known IT hygiene-related weaknesses or unknown weaknesses, an organization’s ability to quickly zero in on an active risk and then take appropriate action to reduce the impact is the difference between a successful security operations team and an organization finding their name in a headline story on cyberattacks.”
CISA posted a long list of recommendations for organizations looking to bolster cloud security. Here are some of the highlights: