Cloud

3/14/2019
01:30 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Threat Actors Use Credential Dumps, Phishing, Legacy Email Protocols to Bypass MFA and Breach Cloud Accounts Worldwide

MARCH 14, 2019 - PROOFPOINT INFORMATION PROTECTION RESEARCH TEAM

In a recent six-month study of major cloud service tenants, Proofpoint researchers observed massive attacks leveraging legacy protocols and credential dumps to increase the speed and effectiveness of brute force account compromises at scale. Attacks against Office 365 and G Suite cloud accounts using IMAP are difficult to protect against with multi-factor authentication, where service accounts and shared mailboxes are notably vulnerable. At the same time, targeted, intelligent brute force attacks brought a new approach to traditional password-spraying, employing common variations of the usernames and passwords exposed in large credential dumps to compromise accounts. Moreover, sophisticated phishing campaigns tricked recipients into revealing authentication credentials, providing attackers with additional avenues into corporate accounts.  

Proofpoint analyzed over one hundred thousand unauthorized logins across millions of monitored cloud user-accounts and found that: 

  • 72% of tenants were targeted at least once by threat actors  
  • 40% of tenants had at least one compromised account in their environment  
  • Over 2% of active user-accounts were targeted by malicious actors 
  • 15 out of every 10,000 active user-accounts were successfully breached by attackers 

The attacker’s primary aim is often to launch internal phishing, especially if the initial target does not have the access needed to move money or data. Post-login access to a user’s cloud email and contact information improve an attacker’s ability to expand footholds within an organization via internal phishing and internal BEC, which are much harder to detect than external phishing attempts. Attackers also leverage these trusted user accounts or brands to launch external attacks or make use of the infrastructure as part of broader attack campaigns.    

Attack origins 

Most attacker logins originate from Nigerian IP addresses. These accounted for 40% of all successful malicious efforts, followed by logins from Chinese IP addresses, accounting for 26% of successful breaches.  Other major sources of successful attacks included the United States, Brazil, and South Africa.

Between November 2018 and January 2019, successful brute force and phishing-related attacks involving Nigerian IP addresses increased by 65%. While these attacks did not all necessarily involve Nigerian actors, recent arrests and activity are consistent with widespread cybercrime in the region. 

Brute force Attacks on Cloud Apps Get Targeted and Intelligent  

In our study, IMAP was the most commonly abused legacy protocol. IMAP is a legacy authentication protocol that bypasses multifactor authentication (MFA). By design, these attacks avoid account lock-out and look like isolated failed logins, so they go unnoticed. 

  • Approximately 60% of Microsoft Office 365 and G Suite tenants were targeted with IMAP-based password-spraying attacks 
  • Roughly 25% of Office 365 and G Suite tenants experienced a successful breach as a result 
  • Threat actors achieved a 44% success rate breaching an account at a targeted organization 

IMAP-based password-spraying campaigns were particularly effective, appearing in high volumes between September 2018 and February 2019.  These attacks especially target high-value users such as executives and their administrative assistants. 

  • On average, attackers targeted 10% of active user-accounts in targeted tenants 
  • 1% of targeted user-accounts were successfully breached by attackers  

Attackers utilized thousands of hijacked network devices around the world -- primarily vulnerable routers and servers -- as operational attack platforms. These hijacked devices gained access to a new tenant every 2.5 days on average during a 50-day period. 

Most IMAP-based attacks originated in China, representing 53% of all successful malicious efforts, followed by attacks from Brazilian IP addresses (39%), and US infrastructure (31%).  Note that attacks often originated from multiple geographies and, as is often the case, it is important not to assume a consistent, direct correlation between the origin of attacks and the nationality of the threat actors carrying them out.

Organizations across various industries and countries around the world are affected, but both K-12 and higher education sectors appear to be the most vulnerable to these high-volume brute force attacks. 70% of all educational institutions’ tenants experienced breaches that originated from IMAP-based brute force attacks. Over 13% of successful attacks were aimed at educational institutions, with attackers taking advantage of susceptible students and seeking access to valuable data, such as scientific research. More frequently, though, attackers simply use these easily-compromised, hijacked accounts to launch spam campaigns, meaning that the impact of attacks on this industry extend far beyond educational institutions.  

Phishing gives rise to lateral movement and hybrid attacks 

In contrast to attacks leveraging breached data, these attacks begin with email phishing campaigns. Threat actors then use the stolen credentials to infiltrate users’ cloud application accounts. Our researchers found that over 31% of all cloud tenants were subject to breaches originating from successful phishing campaigns.  

Most of these attacks originated from Nigerian IP addresses, representing 63% of all successful malicious efforts, followed by South African infrastructure (21%), and the United States via VPNs (11%). Attackers sometimes used anonymization services, such as VPNs or Tor nodes to bypass conditional access and geolocation-based authentication. These attacks may also make use of the IMAP protocol, forming a hybrid attack.

After threat actors compromise cloud accounts, they send internal phishing from these “trusted” accounts to move laterally inside the organization and impact additional users.  Attackers often modify email forwarding rules or set email delegations to maintain access and sometimes launch man-in-the-middle attacks. They also leverage breached accounts to phish users in other organizations, causing cross-tenant contamination. 

Although organizations of all sectors were targeted by attackers, as with password-spraying attacks the education sector is also the most vulnerable to phishing-related attacks. 15% of successful attacks affect educational institutions’ users, especially university and high school students.  

Other targeted industries include retail, finance, and technology. In certain cases, attackers target corporations’ payroll systems to reroute employee paychecks and access financial documents. Consistently, title-holders such as sales representatives, general managers, commercial franchisees, project managers, and account executives are targeted and are highly susceptible to phishing-related breaches. 

Conclusion 

This study demonstrates the increasing sophistication of threat actors around the world who are leveraging brute force methods, massive credential dumps, and successful phishing attacks to compromise cloud accounts at unprecedented scale. Service accounts and shared mailboxes are particularly vulnerable while multifactor authentication has proven vulnerable. Attackers parlay successful compromises into internal phishing attacks, lateral movement in organizations, and additional compromises at trusted external organizations. Organizations need to implement layered, intelligent security measures – including user education – to combat these evolving threats that are increasingly successful in compromising user cloud accounts.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
It Takes an Average of 3 to 6 Months to Fill a Cybersecurity Job
Kelly Jackson Higgins, Executive Editor at Dark Reading,  3/12/2019
Cybercriminals Think Small to Earn Big
Dark Reading Staff 3/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: LOL  Hope this one wins
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6149
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version 2.2.2.0 that could allow a malicious user with local access to execute code with administrative privileges.
CVE-2018-15509
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
CVE-2018-20806
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
CVE-2019-5616
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
CVE-2018-17882
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.