The American CISA has warned that it has detected ongoing attacks against several organisations' cloud services.
The alert from CISA states that:
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of several recent successful cyberattacks against various organizations’ cloud services. Threat actors are using phishing and other vectors to exploit poor cyber hygiene practices within a victims’ cloud services configuration.
The report advises that brute force login attempts, phishing emails and pass-the-cookie attacks are all being used in order to exploit the victim’s cloud environments.
Once access has been achieved, the attackers set up email routing rules to divert or duplicate email traffic and create keyword search rules to help them identify interesting messages.
What is a pass-the-cookie attack?
When you log in to Office365 and similar cloud services, there is often an option to ‘stay signed in’, which then employs a cookie stored in the cache of the local web browser to re-authenticate with the cloud servers as needed. The cookie acts as an authentication token, like an NTLM hash or Kerberos ticket in an Active Directory domain. The two key facts to remember are:
- The authentication cookie is generated AFTER any multi-factor authentication has taken place
- The cookie is accepted by the server as proof of authentication without the need to know or provide a username or password
In a lockdown world with many people working from home, potentially using personal rather than business owned and secured devices, the risk to cloud services is elevated.
The authentication cookie is stored in the cache of the user's local web browser, so for an attacker to be able to use it, they need to have previously installed malware on the target PC, e.g. through a phishing attack.
However, assuming malware has been installed onto the user’s PC, the cloud service’s authentication cookie can be extracted from the local browser cache, sent to the attacker who can then inject it into their own browser session and use it to access the cloud services even if multi-factor authentication is enabled.
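The two key facts above, as an added example that is not part of the original post or of any real cloud service: a toy server-side session store showing why a 'stay signed in' cookie is accepted on its own (the naive check, which asks for no username, password or second factor), beside one mitigation, binding the cookie to the client context it was issued to and capping its lifetime. The IP/User-Agent fingerprint and the 8-hour maximum age are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory session store: cookie value -> session record.
# A real service keeps this server-side (database/cache); the logic is the same.
SESSIONS = {}

def client_fingerprint(ip, user_agent):
    """Hash of the client context the cookie was issued to (assumption: IP + User-Agent)."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()

def issue_cookie(user, mfa_passed, ip, user_agent, now=None):
    """Issue a 'stay signed in' cookie. It is only created AFTER MFA succeeded,
    so whoever later presents it inherits the MFA-passed state."""
    if not mfa_passed:
        raise PermissionError("MFA must complete before a session cookie is issued")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {
        "user": user,
        "fp": client_fingerprint(ip, user_agent),
        "issued": now if now is not None else time.time(),
    }
    return token

def validate_naive(cookie):
    """Common behaviour: the cookie alone is proof of authentication.
    No username, password or MFA is asked for again, so a copied cookie works anywhere."""
    session = SESSIONS.get(cookie)
    return session["user"] if session else None

def validate_bound(cookie, ip, user_agent, now=None, max_age=8 * 3600):
    """Hardened check: reject cookies presented from a different client context
    than the one they were issued to, and cap their lifetime. Returns (user, reason)."""
    session = SESSIONS.get(cookie)
    if session is None:
        return None, "unknown-cookie"
    now = now if now is not None else time.time()
    if now - session["issued"] > max_age:
        return None, "expired"
    if not hmac.compare_digest(session["fp"], client_fingerprint(ip, user_agent)):
        # Same cookie, different client: the signature of a replayed cookie.
        return None, "fingerprint-mismatch"
    return session["user"], "ok"
```

Binding to IP and User-Agent is a heuristic (mobile users change address, and both values can be spoofed), so treat a mismatch as a trigger to force re-authentication and revoke the session server-side rather than as proof on its own.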
The CISA alert concludes with a comprehensive list of recommendations to help businesses secure their cloud services.