The cloud has been a boon for federal agencies throughout the coronavirus pandemic, enabling them to work on classified information remotely and collaborate effectively in hybrid work environments.
However, cloud tools are also sources for cyberattacks, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency is warning that they are being exploited. In an alert issued Jan. 13, CISA warns that “threat actors are using phishing and other vectors to exploit poor cyber hygiene practices within a victims’ cloud services configuration.”
CISA notes that the report is “not explicitly tied to any one threat actor or known to be specifically associated with the advanced persistent threat actor attributed with the compromise of SolarWinds Orion Platform software and other recent activity.”
However, the report was issued five days after CISA issued a separate alert warning that the threat actors associated with the SolarWinds attack, who are likely Russian in origin, had used “compromised applications in a victim’s Microsoft 365 (M365)/Azure environment.”
The Jan. 13 CISA alert notes that the attacks on cloud-based services frequently occurred when users were working remotely and using “a mixture of corporate laptops and personal devices to access their respective cloud services.” Even though the affected organizations had security tools in place, they also “typically had weak cyber hygiene practices that allowed threat actors to conduct successful attacks.”
CISA offered a breakdown of how the attacks are occurring and what agencies and other organizations can do to mitigate the threats.
How Malicious Actors Are Targeting Cloud Services
CISA identified six ways that the cyberthreat actors were attacking cloud services. The first was through “phishing emails with malicious links to harvest credentials for users’ cloud service accounts.” The agency says it observed that the malicious actors’ logins originated from foreign locations, but notes that they could have been using a proxy or Tor server to hide their true location.
In one case, an organization did not require a VPN to get access to the enterprise network. “Although their terminal server was located within their firewall, due to remote work posture, the terminal server was configured with port 80 open to allow remote employees to access it — leaving the organization’s network vulnerable. The threat actor attempted to exploit this by launching brute force login attempts,” CISA states.
Another attack technique involved “collecting sensitive information by taking advantage of email forwarding rules, which users had set up to forward work emails to their personal email accounts.” Yet another modified email rules “to redirect the emails to an account controlled by the actors. The threat actors updated the rule to forward all email to the threat actors’ accounts.”
A fourth technique “modified existing rules to search users’ email messages (subject and body) for several finance-related keywords (which contained spelling mistakes) and forward the emails to the threat actors’ account.”
The attackers also “created new mailbox rules that forwarded certain messages received by the users (specifically, messages with certain phishing-related keywords) to the legitimate users’” RSS feeds to prevent warnings from being seen by legitimate users.
A sixth technique involved threat actors successfully logging in to one user’s account “with proper multi-factor authentication,” which could have occurred after the threat actor “used browser cookies to defeat MFA with a ‘pass-the-cookie’ attack.”
How to Guard Against Cloud Service Attacks
CISA offers 21 different recommendations for enhancing security around cloud services. They include putting in place conditional access policies based on the organization’s needs, routinely reviewing both Active Directory sign-in logs and unified audit logs for anomalous activity, enforcing multifactor authentication, and regularly checking user-created email forwarding rules and alerts or restricting forwarding.
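The recommendation to review audit logs and user-created forwarding rules can be automated. The following is an added example, not code from CISA or from the article: it scans constructed mailbox-audit records (modeled on the Name/Value parameter shape of Exchange Online rule events; the exact field names are an assumption) for the three patterns described above: forwarding or redirecting to an external address, keyword-filtered rules, and rules that bury matching mail in a folder such as RSS Subscriptions.

```python
# Constructed sample records, modeled on Exchange Online mailbox-audit events.
SAMPLE_AUDIT_LOG = [
    {"UserId": "alice@example.gov", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payement;wire trasfer"},
                    {"Name": "ForwardTo", "Value": "collector@attacker.example"}]},
    {"UserId": "bob@example.gov", "Operation": "Set-InboxRule",
     "Parameters": [{"Name": "Identity", "Value": "Alerts"},
                    {"Name": "SubjectContainsWords", "Value": "phishing;suspicious sign-in"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]},
    {"UserId": "carol@example.gov", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Team"},
                    {"Name": "MoveToFolder", "Value": "Projects"}]},
]

INTERNAL_DOMAINS = {"example.gov"}          # assumption: the organization's own domains
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
KEYWORD_PARAMS = {"SubjectContainsWords", "SubjectOrBodyContainsWords", "BodyContainsWords"}
# Folders users rarely open; moving warnings here hides them (the RSS trick described above).
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "junk email", "deleted items"}


def is_external(address):
    """True when the address domain is not one of ours; strips an 'smtp:' prefix."""
    addr = address.strip().lower()
    if addr.startswith("smtp:"):
        addr = addr[5:]
    return addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def assess_record(record):
    """Return a list of findings for one audit record; an empty list means benign."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    p = {x["Name"]: x["Value"] for x in record.get("Parameters", [])}
    findings = []
    for name in sorted(p.keys() & FORWARD_PARAMS):       # external forward/redirect
        for target in p[name].split(";"):
            if target.strip() and is_external(target):
                findings.append(f"{name} sends mail to external address {target.strip()}")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:  # alert suppression
        findings.append(f"MoveToFolder hides matching mail in '{p['MoveToFolder']}'")
    if findings and p.keys() & KEYWORD_PARAMS:              # targeted by subject/body words
        findings.append("rule is keyword-filtered (targeted collection or alert hiding)")
    return findings


def suspicious_rules(log):
    """Map each user with at least one finding to that user's findings."""
    out = {}
    for rec in log:
        if findings := assess_record(rec):
            out.setdefault(rec["UserId"], []).extend(findings)
    return out
```

Run this over an export of your tenant's rule-change events and triage every user it returns; a benign rule moving mail to a project folder, like Carol's, produces no finding.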
Other security best practices CISA recommends include following guidance on securing privileged access, considering barring personal devices from work environments or using a trusted mobile device management solution and allowing users to consent to application integrations that have only been preapproved by administrators.
Other best practices include verifying that all cloud-based virtual machine instances with a public IP do not have open Remote Desktop Protocol ports. Organizations should “place any system with an open RDP port behind a firewall and require users to use a VPN to access it through the firewall.”
Agencies and other organizations should also focus on awareness and training, especially regarding phishing scams, and “establish blame-free employee reporting and ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack.”