A US cybersecurity agency is urging organizations to improve their cyber-hygiene after warning of multiple successful attacks targeting cloud services used by remote workers.
The Cybersecurity and Infrastructure Security Agency (CISA) revealed in a report yesterday that attackers are increasingly targeting corporate and personal laptops with phishing, brute force login attempts and possibly a “pass-the-cookie” attack to access cloud accounts.
Although these attacks were not tied back to a single threat actor, they shared many of the same tactics.
Some attackers spoofed file hosting services and other legitimate vendors in phishing emails to harvest log-ins, before using these hijacked accounts to phish others in the organization.
In some attacks, account hijackers modified forwarding and keyword search rules. This is often done by BEC attackers looking to monitor email conversations with suppliers, and to hide phishing warnings.
In one example, a VPN server was configured with port 80 open for remote worker access, so cyber-criminals targeted it with brute force log-in attempts.
Although multi-factor authentication (MFA) thwarted some attempts to brute force accounts, in one case threat actors are believed to have used browser cookies to defeat MFA with a “pass-the-cookie” attack.
CISA was at pains to point out that none of this activity is related to the recent SolarWinds supply chain attack believed to have been carried out by sophisticated Russian state actors.
However, these attacks have certainly become widespread enough to warrant intervention by the agency.
It offered a long list of recommendations for organizations to improve their cyber-hygiene and strengthen cloud security practices.
Alongside conditional access (CA) policies, MFA, restrictions on email forwarding, user training, secure privileged access and zero trust, CISA argued that remote employees should not use personal devices for work. At the very least, mobile device management tools should be used to mitigate risk, it said.