CISA has recently alerted organizations to the fact that cybercriminals are taking advantage of vulnerable cloud environments due to the lack of proper cyber hygiene. This warning is especially pertinent as many businesses have moved to a remote workforce during the pandemic. Consequently, CISA is urging organizations to ensure they have implemented the necessary security measures to protect their cloud environments.
The SolarWinds Orion supply chain attack is believed to have employed some of the tactics outlined in the report; however, no specific threat group has been identified as the culprit, and multiple threat actors are taking advantage of these tactics to gain access to cloud environments and acquire sensitive data. The alert details that these actors are using a variety of approaches, such as guessing weak passwords through brute force attacks, running phishing campaigns, and exploiting unpatched vulnerabilities or weaknesses in cloud security practices. Phishing is a commonly used method of obtaining credentials that grant remote access to cloud resources and applications. These phishing emails usually include links to malicious websites where user credentials can be collected and then used against accounts that lack multi-factor authentication. The emails may appear legitimate and link to what looks like a genuine file hosting account. Once an email account is compromised, the attackers send similar emails to other employees within the company, usually linking to a document on the organization’s file hosting service.
Brute force attacks and phishing are both widely used methods of stealing login credentials. Even where multi-factor authentication is in use, CISA identified a pass-the-cookie attack that bypassed it: a session cookie stolen from a browser session that has already authenticated is replayed to access online services or web apps, so the service treats the request as already authenticated and no fresh multi-factor prompt is triggered. Many organizations have nonetheless experienced successful attacks due to poor cyber hygiene practices, even when security solutions have been put in place. Since remote employees now access cloud resources from home on both personal and company-provided devices, organizations must ensure they are taking the necessary steps to protect their assets.
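As an added illustration of how the two tactics just described show up in sign-in telemetry (this is not CISA's tooling or code from this article), the following Python runs two detections over constructed sign-in records. The record fields are loosely modelled on Azure AD sign-in log fields; the `session` field is an assumption standing in for whatever identifier ties a sign-in to a browser session cookie, and the IP addresses, users and user agents are constructed sample values.

```python
"""Two detections over sign-in records: brute force (many failures, then a
success, from one user/IP pair) and session reuse (one session id presented
from more than one client), the pattern a replayed session cookie leaves.

Added example with constructed data; not CISA's tooling or the article's code.
The "session" field is an assumed stand-in for a cookie-bound session id.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real log data).
SAMPLE_SIGNINS = [
    # Brute force against alice: five failures from one IP, then a success.
    {"time": "2021-01-13T08:00:00", "user": "alice@example.com", "ip": "203.0.113.7",
     "status": "failure", "session": None, "ua": "python-requests/2.25"},
    {"time": "2021-01-13T08:00:05", "user": "alice@example.com", "ip": "203.0.113.7",
     "status": "failure", "session": None, "ua": "python-requests/2.25"},
    {"time": "2021-01-13T08:00:10", "user": "alice@example.com", "ip": "203.0.113.7",
     "status": "failure", "session": None, "ua": "python-requests/2.25"},
    {"time": "2021-01-13T08:00:15", "user": "alice@example.com", "ip": "203.0.113.7",
     "status": "failure", "session": None, "ua": "python-requests/2.25"},
    {"time": "2021-01-13T08:00:20", "user": "alice@example.com", "ip": "203.0.113.7",
     "status": "failure", "session": None, "ua": "python-requests/2.25"},
    {"time": "2021-01-13T08:00:25", "user": "alice@example.com", "ip": "203.0.113.7",
     "status": "success", "session": "s-111", "ua": "python-requests/2.25"},
    # bob signs in normally from home ...
    {"time": "2021-01-13T09:00:00", "user": "bob@example.com", "ip": "198.51.100.20",
     "status": "success", "session": "s-222", "ua": "Mozilla/5.0 (Windows NT 10.0)"},
    # ... and the same session id then appears from a different IP and browser,
    # which is what a replayed (stolen) session cookie looks like in the log.
    {"time": "2021-01-13T09:30:00", "user": "bob@example.com", "ip": "192.0.2.55",
     "status": "success", "session": "s-222", "ua": "Mozilla/5.0 (X11; Linux x86_64)"},
    # carol mistypes her password once: below any sensible brute-force threshold.
    {"time": "2021-01-13T10:00:00", "user": "carol@example.com", "ip": "198.51.100.30",
     "status": "failure", "session": None, "ua": "Mozilla/5.0 (Macintosh)"},
    {"time": "2021-01-13T10:00:30", "user": "carol@example.com", "ip": "198.51.100.30",
     "status": "success", "session": "s-333", "ua": "Mozilla/5.0 (Macintosh)"},
]


def _ts(record):
    return datetime.fromisoformat(record["time"])


def find_brute_force(records, threshold=5, window=timedelta(minutes=10)):
    """Return {(user, ip): failure_count} for user/IP pairs that accumulate at
    least `threshold` failed sign-ins inside `window` and then succeed."""
    by_pair = defaultdict(list)
    for r in sorted(records, key=_ts):
        by_pair[(r["user"], r["ip"])].append(r)
    hits = {}
    for pair, events in by_pair.items():
        recent_failures = []  # timestamps of failures still inside the window
        for e in events:
            now = _ts(e)
            recent_failures = [t for t in recent_failures if now - t <= window]
            if e["status"] == "failure":
                recent_failures.append(now)
            elif e["status"] == "success" and len(recent_failures) >= threshold:
                hits[pair] = len(recent_failures)
    return hits


def find_session_reuse(records):
    """Return {session_id: [(ip, user_agent), ...]} for session ids whose
    successful sign-ins come from more than one client. One session presented
    from two different IP/browser pairs is a pass-the-cookie indicator."""
    clients = defaultdict(list)
    for r in records:
        if r["status"] == "success" and r["session"]:
            client = (r["ip"], r["ua"])
            if client not in clients[r["session"]]:
                clients[r["session"]].append(client)
    return {sid: seen for sid, seen in clients.items() if len(seen) > 1}


if __name__ == "__main__":
    for (user, ip), n in find_brute_force(SAMPLE_SIGNINS).items():
        print(f"brute force: {user} from {ip} succeeded after {n} failures")
    for sid, seen in find_session_reuse(SAMPLE_SIGNINS).items():
        print(f"session {sid} presented from {len(seen)} distinct clients: {seen}")
```

The session-reuse check is the one worth tuning: a legitimate user switching from home Wi-Fi to a mobile network will also change IP, so in practice it is the combination of a new IP and a new user agent on an unchanged session, or a new IP in a different country, that deserves a look rather than any IP change on its own.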
CISA has provided instructions for improving cyber hygiene and hardening cloud security configurations against attacks on cloud services. These steps include establishing conditional access policies, frequently reviewing Active Directory sign-in logs and unified audit logs for suspicious activity, mandating multi-factor authentication for all users, periodically reviewing email forwarding rules, following best practices for privileged access security, resolving client site requests internal to the network, and adopting a zero-trust mindset. Finally, CISA has included guidelines to help enterprises make their M365 environments more secure.
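The forwarding-rule review in the list above is the step most easily turned into a repeatable check. The following Python is an added example, not CISA's guidance text or code from this article: it audits a constructed set of inbox rules for the patterns a reviewer looks for (forwarding outside the organization, forward-and-delete, near-empty rule names). The lowercase dict keys are an assumed stand-in for the properties that Exchange Online's `Get-InboxRule` returns (`Name`, `ForwardTo`, `RedirectTo`, `DeleteMessage`, `Enabled`); exporting real rules into this shape is left to the reader, and the mailboxes, addresses and `ORG_DOMAINS` are constructed values.

```python
"""Audit mailbox forwarding rules for patterns worth a reviewer's attention.

Added example with constructed data, not CISA's guidance or the article's code.
Dict keys are assumed lowercase stand-ins for Get-InboxRule properties.
"""

ORG_DOMAINS = {"example.com"}  # domains the organization owns (assumed)

# Constructed sample inbox rules (not exported from any real tenant).
SAMPLE_RULES = [
    {"mailbox": "alice@example.com", "name": "Move newsletters", "forward_to": [],
     "redirect_to": [], "delete_message": False, "enabled": True},
    # Post-compromise style rule: near-empty name, forwards out of the org,
    # deletes the original so the mailbox owner never sees the message.
    {"mailbox": "alice@example.com", "name": ".", "forward_to": ["drop@collector.invalid"],
     "redirect_to": [], "delete_message": True, "enabled": True},
    # Internal forwarding while on leave: legitimate, not flagged.
    {"mailbox": "bob@example.com", "name": "Cover while away", "forward_to": ["dana@example.com"],
     "redirect_to": [], "delete_message": False, "enabled": True},
    # Redirect to a personal address: a policy question, flagged at medium.
    {"mailbox": "carol@example.com", "name": "Copy to personal", "forward_to": [],
     "redirect_to": ["carol.home@example.net"], "delete_message": False, "enabled": True},
    # Disabled rule: skipped by the audit.
    {"mailbox": "dave@example.com", "name": "old", "forward_to": ["x@example.org"],
     "redirect_to": [], "delete_message": True, "enabled": False},
]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def is_external(address, org_domains=ORG_DOMAINS):
    return domain_of(address) not in org_domains


def audit_forwarding_rules(rules, org_domains=ORG_DOMAINS):
    """Return one finding per enabled rule that forwards or redirects mail
    outside the organization, deletes the original after forwarding, or hides
    behind a near-empty name. Severity: high = external + delete, medium =
    external only, low = everything else that was flagged."""
    findings = []
    for rule in rules:
        if not rule["enabled"]:
            continue
        targets = list(rule["forward_to"]) + list(rule["redirect_to"])
        if not targets:
            continue  # the rule does not forward at all; nothing to review here
        external = [t for t in targets if is_external(t, org_domains)]
        reasons = []
        if external:
            reasons.append("forwards outside the organization: " + ", ".join(external))
        if rule["delete_message"]:
            reasons.append("deletes the original message after forwarding")
        if len(rule["name"].strip()) <= 1:
            reasons.append("near-empty rule name")
        if not reasons:
            continue
        if external and rule["delete_message"]:
            severity = "high"
        elif external:
            severity = "medium"
        else:
            severity = "low"
        findings.append({"mailbox": rule["mailbox"], "rule": rule["name"],
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_forwarding_rules(SAMPLE_RULES):
        print(f"[{f['severity']}] {f['mailbox']} rule {f['rule']!r}: " + "; ".join(f["reasons"]))
```

Running it prints a high-severity finding for the second of alice's rules and a medium one for carol's redirect; bob's internal forwarding and dave's disabled rule produce nothing. Mailbox-level forwarding (the address set on the mailbox itself rather than in an inbox rule) is a separate setting and needs its own check.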