Skip to content

Illustration by Security Management

CISA Warns of Cloud Service Attacks

The U.S. Cybersecurity and Infrastructure Security Agency issued an alert this week, warning security practitioners of recent cyberattacks against organizations’ cloud services that exploited poor hygiene practices and phishing tactics.

“These types of attacks frequently occurred when victim organizations’ employees worked remotely and used a mixture of corporate laptops and personal devices to access their respective cloud services,” CISA said. “Despite the use of security tools, affected organizations typically had weak cyber hygiene practices that allowed threat actors to conduct successful attacks.”

CISA said that threat actors responsible for the attacks used several tactics, including phishing, brute force login attempts, and potentially a “pass-the-cookie” attack. Pass-the-cookie attacks compromise multi-factor authentication (MFA) to allow attackers to make a copy of the cookie a legitimate user has saved on his or her browser to gain access to a system, according to Stealthbits.  

The agency also observed threat actors using phishing emails that attempted to obtain users’ credentials for cloud service accounts.

“The cyber actors designed emails that included a link to what appeared to be a secure message and also emails that looked like a legitimate file hosting service account login,” according to CISA. “After a targeted recipient provided their credentials, the threat actors then used the stolen credentials to gain initial access to the user’s cloud service account…. The actors then sent emails from the user’s account to phish other accounts within the organization. In some cases, these emails included links to documents within what appeared to be the organization’s file hosting service.”

These types of attacks are not new, but methods that have been around since the beginning of computers, says Roger Grimes, data-driven defense evangelist at KnowBe4.

“It is important to note that not understanding the weaknesses and potential hacking bypasses of MFA is almost as bad as not using it,” Grimes says. “If you think you’re far less likely to be hacked because of MFA (and that isn’t true), then you are more likely to let your defenses down. But if you understand how MFA can be attacked, and share that with the end users of the MFA and designers of the systems that it relies on, you’re more likely to get a better, less risky outcome.”

To prevent these attacks and mitigate their effects, CISA recommended organizations take a variety of measures to strengthen their cloud security. These included implementing conditional access policies based upon organizational needs; creating a baseline for normal network activity within the organization’s environment; enforcing MFA; following recommended guidance on securing privileged access; and more.

CISA also suggested organizations focus on awareness and training for their staff about new and emerging threats.

“Make employees aware of the threats—such as phishing scams—and how they are delivered,” CISA said. “Additionally, provide users training on information security principles and techniques, as well as overall emerging cybersecurity risks and vulnerabilities.”

Grimes also advocates for raising awareness with employees about emerging threats and MFA.

“MFA doesn’t impart some special, magical defense that no hacker an penetrate,” he says. “Instead, strong security awareness training around any MFA solution is critical, because to do otherwise is to be unprepared and more at risk.”