In a new alert, the Cybersecurity and Infrastructure Security Agency (CISA) announced that it is aware of several recent successful cyberattacks against various organizations’ cloud services. Threat actors are using phishing and other vectors to exploit poor cyber hygiene practices in victims’ cloud service configurations.
Cloud security experts weighed in on this latest development and what companies can do to stay protected.
Stefano De Blasi, Threat Researcher at Digital Shadows:
The cyberattacks detailed by the Cybersecurity and Infrastructure Security Agency (CISA) highlight, once again, how phishing attacks remain highly successful despite being one of the most known threats in the security landscape. These attacks use social engineering techniques to lure users into clicking on malicious links, inadvertently disclosing credentials and personally identifiable information (PII).
This threat is even more pressing when organizations are not following standard cyber hygiene practices. Applying preventive measures can be a time-consuming task for organizations worried about business continuity but can go a long way in minimizing their attack surface. For example, as many organizations are transitioning to cloud hosting services, using a Virtual Private Network (VPN) is fundamental to ensure that remote workers can securely access corporate networks.
Successfully preventing phishing attacks requires a two-fold approach given the hybrid nature of this threat. From a defensive point of view, security teams can update all systems with the latest security patches, have anti-virus software properly installed, and use a web filter that blocks malicious websites. Additionally, as phishing attacks exploit human behavior, it is fundamental to provide employees with frequent and consistent training that includes critically evaluating links and attachments, and how to report suspicious emails.
Tim Wade, Technical Director, CTO Team at Vectra:
“Managing IT hygiene and improving awareness against phishing continue to be themes that are hammered when discussing successful cyberattacks, but it’s critically important to acknowledge that perfection in both these cases is a fool’s errand, and so CISA’s recommendation for a robust detection and response capability is spot on. Whether against known IT hygiene related weaknesses, or unknown weaknesses, an organization’s ability to quickly zero in on an active risk and then take appropriate action to reduce the impact is the difference between a successful security operations team and an organization finding their name in a headline story on cyberattacks.
A few observations:
Despite CISA recommendations to enable multi-factor authentication (MFA) on all users, without exception, MFA bypass was observed to be part of this attack. It is important for organizations to recognize the importance of MFA, even as they realize it is not a silver bullet.
The malicious use of electronic discovery (eDiscovery) continues to be highlighted as a technique employed by threat actors, and organizations must ensure they’re prepared to identify when eDiscovery tools are abused.
Mail-forwarding, as simple as it sounds, continues to evade security teams as an exfiltration and collection method.
On a practical level, the guidance to baseline an organization’s traditional IT and cloud networks is infeasible in practice without the use of AI and Machine Learning techniques.
Most importantly, while preventative approaches may be necessary to raise the effort an adversary must exert to successfully attack an organization, a key takeaway of the last quarter must be that prevention will fail, and overreliance on prevention is a loser’s strategy. Unless and until organizations can successfully identify and disrupt attacks in real time, as an industry we will continue to see successfully executed attacks.”
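Two of the techniques Wade lists, mail-forwarding as an exfiltration channel and abuse of eDiscovery tooling, leave a trail in a tenant's audit log and can be caught with straightforward detection logic. The script below is an added example and is not code from the article or from Vectra. The event format is a simplified, constructed stand-in for a cloud mail tenant's unified audit log: the field names (`Operation`, `UserId`, `Parameters`), the operation names, the internal domains and the list of users expected to run eDiscovery are all assumptions, and the external domains in the sample lines use the reserved `.invalid` TLD.

```python
"""Detection over tenant audit events for two techniques named above:
inbox rules or mailbox settings that forward mail to an external
domain, and eDiscovery / compliance-search activity by accounts that
are not expected to run it.

Added example, not code from the article or from any vendor. The event
format is a constructed stand-in for a unified audit log export; the
field and operation names are assumptions modelled on such logs."""
import json

# Assumptions for the constructed tenant.
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}
EDISCOVERY_ROLE_HOLDERS = {"legalhold@example.com"}

FORWARDING_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress")
EDISCOVERY_OPS = {"New-ComplianceSearch", "New-ComplianceSearchAction",
                  "SearchExportDownloaded"}


def external_targets(params):
    """Return forwarding targets whose domain is not an internal one."""
    found = []
    for key in FORWARD_PARAMS:
        value = params.get(key)
        if not value:
            continue
        for addr in (value if isinstance(value, list) else [value]):
            addr = addr.strip().lower()
            if addr.startswith("smtp:"):
                addr = addr[len("smtp:"):]
            if "@" not in addr:  # a mailbox/contact reference, not an SMTP address
                continue
            domain = addr.rsplit("@", 1)[1]
            if domain not in INTERNAL_DOMAINS:
                found.append(addr)
    return found


def analyze(events):
    """Run both detections over a list of parsed events; return findings."""
    findings = []
    for ev in events:
        op = ev.get("Operation")
        user = ev.get("UserId", "").lower()
        params = ev.get("Parameters", {})
        if op in FORWARDING_OPS:
            targets = external_targets(params)
            if targets:
                # A rule that also moves or deletes the message hides the
                # forwarded copies from the mailbox owner.
                hidden = bool(params.get("MoveToFolder") or params.get("DeleteMessage"))
                findings.append({"rule": "external-mail-forward", "user": user,
                                 "targets": targets, "hidden": hidden})
        elif op in EDISCOVERY_OPS and user not in EDISCOVERY_ROLE_HOLDERS:
            findings.append({"rule": "ediscovery-by-unexpected-user",
                             "user": user, "operation": op})
    return findings


# Constructed sample events, one JSON object per line.
SAMPLE_LOG = """
{"Operation": "New-InboxRule", "UserId": "alice@example.com", "Parameters": {"Name": "Invoices", "ForwardTo": ["smtp:collector@mail-drop.invalid"], "DeleteMessage": "True"}}
{"Operation": "Set-InboxRule", "UserId": "bob@example.com", "Parameters": {"Name": "Team", "RedirectTo": ["carol@example.com"]}}
{"Operation": "Set-Mailbox", "UserId": "dave@example.com", "Parameters": {"ForwardingSmtpAddress": "smtp:dave.home@webmail.invalid", "DeliverToMailboxAndForward": "True"}}
{"Operation": "New-ComplianceSearch", "UserId": "legalhold@example.com", "Parameters": {"Name": "Litigation-42"}}
{"Operation": "SearchExportDownloaded", "UserId": "alice@example.com", "Parameters": {"Name": "All mail"}}
{"Operation": "UserLoggedIn", "UserId": "alice@example.com", "Parameters": {}}
"""


def load_events(text):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for finding in analyze(load_events(SAMPLE_LOG)):
        print(finding)
```

Three of the six sample events are flagged: Alice's rule forwarding to `mail-drop.invalid` (and deleting the original), Dave's mailbox-level forward to `webmail.invalid`, and Alice's export download from a compliance search. Bob's redirect stays inside the internal domains and is not reported. In a real deployment the internal-domain set and the eDiscovery allow-list come from the tenant's configuration rather than constants.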
Brendan O’Connor, CEO and Co-Founder at AppOmni:
“Phishing users for their passwords has been a problem for decades. The best way to address that problem has been, and remains, ensuring 2-step authentication is enabled comprehensively and consistently. The more dangerous, and stealthy, threat is when attackers find data that has been unintentionally exposed to the world. You don’t need to steal a user’s password if a misconfiguration or exposed API grants the entire Internet access to your sensitive data. Compromising a user through phishing may grant an attacker access to some, or all, of that user’s data. But misconfiguring a cloud service or exposing a privileged API may grant the outside world access to ALL of the data in the system. It’s the difference between stealing a hotel room key, or finding that all of the locks on all of the rooms aren’t working.
Over the course of hundreds of risk assessments, AppOmni sees in more than 95% of cases that external users have access to sensitive data which should be restricted internally. In more than half of all assessments we perform, we find critically sensitive data exposed to the anonymous Internet without any need for a password at all.”
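The misconfiguration O'Connor describes, data reachable by the anonymous Internet with no password at all, is usually a resource policy whose principal is everyone. The checker below is an added example and is not code from the article or from AppOmni. It assumes the policy is an AWS-style JSON resource policy (`Statement`, `Effect`, `Principal`, `Action`, `Resource`, `Condition`); the bucket name, role name and the account ID `123456789012` are placeholders. It shows the weak policy beside the corrected one and reports conditional wildcard grants separately, since a `Condition` may or may not actually restrict who can reach the data.

```python
"""Find resource-policy statements that grant access to everyone: the
"all the locks aren't working" case described above.

Added example, not code from the article or from AppOmni. Assumes an
AWS-style JSON resource policy; names and the account ID are placeholders."""
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_anonymous(principal):
    """True for Principal "*" or any {"AWS": "*"}-style wildcard entry."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_grants(policy):
    """Return Allow statements whose principal is everyone.

    Statements with a Condition are reported too, marked conditional, so a
    reviewer checks whether the condition really limits the audience."""
    grants = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not is_anonymous(st.get("Principal", {})):
            continue
        grants.append({
            "sid": st.get("Sid"),
            "actions": _as_list(st.get("Action", [])),
            "resources": _as_list(st.get("Resource", [])),
            "conditional": bool(st.get("Condition")),
        })
    return grants


# Constructed weak policy: the whole bucket is listable and readable by anyone.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::customer-exports", "arn:aws:s3:::customer-exports/*"]
  }]
}""")

# Corrected policy: the same permissions, granted only to one named role.
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AppReadOnly",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::customer-exports", "arn:aws:s3:::customer-exports/*"]
  }]
}""")


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, public_grants(policy))
```

Running it reports the `PublicRead` statement of the weak policy as an unconditional grant to everyone and nothing for the corrected policy. The same check applies to any service whose sharing model is expressed as a principal plus a permission set; the point is that a wildcard principal is reviewed as an exposure of the whole resource, not of one account.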