CISA Warns of Cybercriminals Bypassing Multi-Factor Authentication to Gain Access to Organizations’ Cloud Services
The US Cybersecurity and Infrastructure Security Agency (CISA), an agency of the Department of Homeland Security, issued a strong warning last week urging companies to better protect their cloud-based services after a series of successful, isolated attacks by unknown hackers.
These attacks used a variety of techniques, including brute-force login attempts, phishing, and possible ‘pass-the-cookie’ attacks, to exploit weaknesses in the cloud security practices of the victim organizations. CISA believes these ‘pass-the-cookie’ attacks targeted already authenticated sessions, using stolen session cookies to log in to online services or web apps. Because the session is already authenticated, a replayed cookie is accepted without a new login or multi-factor prompt.
In a statement issued on the 13th of January, CISA said: “CISA is aware of several recent successful cyberattacks against various organizations’ cloud services.”
It went on: “The cyber threat actors involved in these attacks used a variety of tactics and techniques—including phishing, brute force login attempts, and possibly a ‘pass-the-cookie’ attack—to attempt to exploit weaknesses in the victim organizations’ cloud security practices.”
CISA further stated: “In addition to modifying existing user email rules, the threat actors created new mailbox rules that forwarded certain messages received by the users (specifically, messages with certain phishing-related keywords) to the legitimate users’ Really Simple Syndication (RSS) Feeds or RSS Subscriptions folder in an effort to prevent warnings from being seen by the legitimate users.”
Following the attacks, CISA released incident response engagements, which contained what it called “recommended mitigations for organizations to strengthen their cloud environment configuration to protect against, detect, and respond to potential attacks.”
The incident response engagements also contained the tactics, techniques, and procedures used by the hackers, as well as indicators of compromise. They also highlighted measures organizations can take to block future attacks by strengthening their cloud security services. All of this is aimed at helping security teams and admins effectively handle potential future attacks targeting their cloud services.
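The mailbox-rule behaviour CISA describes can be hunted for in an export of users' inbox rules. The following is an added example, not code from CISA or from this article: it flags rules that divert mail into the RSS Feeds or RSS Subscriptions folder. The field names (modelled on Exchange Online's `Get-InboxRule` output), the keyword list, and the sample records are assumptions constructed for illustration.

```python
# Folder names from the CISA statement quoted above, lower-cased for comparison.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions"}
# Constructed keyword list (assumption): terms a phishing warning would contain.
WARNING_TERMS = ("phish", "hacked", "suspicious", "compromised")
# Assumed field names, modelled on Exchange Online Get-InboxRule output.
WORD_FIELDS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")

# Constructed sample export: one entry per inbox rule.
SAMPLE_RULES = [
    {"Mailbox": "alice@example.com", "Name": "Newsletters", "Enabled": True,
     "MoveToFolder": "Newsletters", "SubjectContainsWords": ["weekly digest"]},
    {"Mailbox": "bob@example.com", "Name": ".", "Enabled": True,
     "MoveToFolder": "RSS Feeds",
     "SubjectOrBodyContainsWords": ["Phishing", "hacked", "invoice"]},
    {"Mailbox": "carol@example.com", "Name": "feeds", "Enabled": False,
     "MoveToFolder": "carol:/RSS Subscriptions", "BodyContainsWords": []},
    {"Mailbox": "dave@example.com", "Name": "SOC notices", "Enabled": True,
     "MoveToFolder": "Security", "SubjectContainsWords": ["phishing simulation"]},
]

def folder_leaf(path):
    """Last component of a folder path, lower-cased; accepts / or \\ separators."""
    return (path or "").replace("\\", "/").rstrip("/").split("/")[-1].strip().lower()

def audit_rule(rule):
    """Return (severity, reasons) for one rule; severity is None when not flagged."""
    if folder_leaf(rule.get("MoveToFolder")) not in HIDING_FOLDERS:
        return None, []  # keyword filters into ordinary folders are common and benign
    words = [w.lower() for f in WORD_FIELDS for w in (rule.get(f) or [])]
    hits = sorted({w for w in words if any(t in w for t in WARNING_TERMS)})
    reasons = ["moves mail to '%s'" % rule["MoveToFolder"]]
    if hits:
        reasons.append("filters on warning terms: " + ", ".join(hits))
    if not rule.get("Enabled", True):
        reasons.append("rule currently disabled")
    return ("high" if hits else "review"), reasons

def audit(rules):
    """Map mailbox -> list of (rule name, severity, reasons) for flagged rules."""
    findings = {}
    for rule in rules:
        severity, reasons = audit_rule(rule)
        if severity:
            findings.setdefault(rule["Mailbox"], []).append((rule["Name"], severity, reasons))
    return findings

if __name__ == "__main__":
    for mailbox, items in audit(SAMPLE_RULES).items():
        print(mailbox, items)
```

A disabled rule that targets an RSS folder is still reported, since it may be left over from earlier activity in the mailbox.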