Dark Reading | Products and Releases | 3/14/2019 01:30 PM
Threat Actors Use Credential Dumps, Phishing, Legacy Email Protocols to Bypass MFA and Breach Cloud Accounts Worldwide

MARCH 14, 2019 - PROOFPOINT INFORMATION PROTECTION RESEARCH TEAM

In a recent six-month study of major cloud service tenants, Proofpoint researchers observed massive attacks leveraging legacy protocols and credential dumps to increase the speed and effectiveness of brute force account compromises at scale. Attacks against Office 365 and G Suite accounts over IMAP are hard to stop with multi-factor authentication alone, because a legacy IMAP login presents only a username and password and never receives an MFA challenge; service accounts and shared mailboxes are notably exposed. At the same time, targeted, intelligent brute force attacks brought a new approach to traditional password-spraying, employing common variations of the usernames and passwords exposed in large credential dumps to compromise accounts. Moreover, sophisticated phishing campaigns tricked recipients into revealing authentication credentials, providing attackers with additional avenues into corporate accounts.

Proofpoint analyzed over one hundred thousand unauthorized logins across millions of monitored cloud user-accounts and found that: 

  • 72% of tenants were targeted at least once by threat actors  
  • 40% of tenants had at least one compromised account in their environment  
  • Over 2% of active user-accounts were targeted by malicious actors 
  • 15 out of every 10,000 active user-accounts were successfully breached by attackers 

The attacker's primary aim is often to launch internal phishing, especially if the initial target does not have the access needed to move money or data. Post-login access to a user's cloud email and contact information improves an attacker's ability to expand footholds within an organization via internal phishing and internal BEC, which are much harder to detect than external phishing attempts because they arrive from a legitimate, authenticated mailbox inside the tenant. Attackers also leverage these trusted user accounts or brands to launch external attacks or make use of the infrastructure as part of broader attack campaigns.

Attack origins 

Most attacker logins originate from Nigerian IP addresses. These accounted for 40% of all successful malicious efforts, followed by logins from Chinese IP addresses, accounting for 26% of successful breaches.  Other major sources of successful attacks included the United States, Brazil, and South Africa.

Between November 2018 and January 2019, successful brute force and phishing-related attacks involving Nigerian IP addresses increased by 65%. While these attacks did not all necessarily involve Nigerian actors, recent arrests and activity are consistent with widespread cybercrime in the region. 

Brute-Force Attacks on Cloud Apps Get Targeted and Intelligent

In our study, IMAP was the most commonly abused legacy protocol. IMAP itself is a mail-access protocol, but clients authenticate to it with legacy basic authentication (username and password only), which cannot present an MFA challenge; unless legacy authentication is blocked for the tenant, a correct password sent over IMAP therefore bypasses multifactor authentication (MFA). Password spraying over IMAP tries one or a few passwords against many accounts rather than many passwords against one, so each account sees only a handful of failures: the attempts stay below account lock-out thresholds and look like isolated failed logins, and so go unnoticed.

  • Approximately 60% of Microsoft Office 365 and G Suite tenants were targeted with IMAP-based password-spraying attacks 
  • Roughly 25% of Office 365 and G Suite tenants experienced a successful breach as a result 
  • Threat actors achieved a 44% success rate breaching an account at a targeted organization 

IMAP-based password-spraying campaigns were particularly effective, appearing in high volumes between September 2018 and February 2019.  These attacks especially target high-value users such as executives and their administrative assistants. 

  • On average, attackers targeted 10% of active user-accounts in targeted tenants 
  • 1% of targeted user-accounts were successfully breached by attackers  

Attackers utilized thousands of hijacked network devices around the world -- primarily vulnerable routers and servers -- as operational attack platforms. These hijacked devices gained access to a new tenant every 2.5 days on average during a 50-day period. 
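The spraying pattern described above (many accounts, one or two attempts each, over a legacy client) is what per-account lockout never sees, so it has to be detected across accounts. The following is an added example, not Proofpoint's code or anything from the original report: it runs a sliding-window detector over constructed sign-in events whose field names loosely mirror Azure AD sign-in logs (`clientAppUsed` values such as `IMAP4`); the field names, the thresholds and the sample events are all assumptions of this example.

```python
"""Flag IMAP password spraying in sign-in telemetry (added example, not Proofpoint code)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Client-app names that mean basic (legacy) authentication was used. Basic auth
# cannot complete an MFA challenge, so a correct password alone logs the attacker
# in. The names mirror Azure AD's clientAppUsed values; treat them as an assumption.
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync"}


def constructed_events():
    """Constructed sample sign-in events (not real telemetry).

    One source IP tries a single password against twelve users over IMAP,
    one attempt each, which stays below any per-account lockout threshold;
    one of those attempts succeeds. A second, benign IP shows a user who
    mistypes her password three times in a browser and then logs in.
    """
    base = datetime(2019, 2, 14, 3, 0, 0)
    events = []
    for i in range(12):
        events.append({"ts": base + timedelta(seconds=30 * i),
                       "user": f"user{i:02d}@example.org", "ip": "198.51.100.7",
                       "client_app": "IMAP4", "success": False})
    events.append({"ts": base + timedelta(minutes=7), "user": "user07@example.org",
                   "ip": "198.51.100.7", "client_app": "IMAP4", "success": True})
    for i in range(3):
        events.append({"ts": base + timedelta(minutes=i), "user": "alice@example.org",
                       "ip": "203.0.113.5", "client_app": "Browser", "success": False})
    events.append({"ts": base + timedelta(minutes=4), "user": "alice@example.org",
                   "ip": "203.0.113.5", "client_app": "Browser", "success": True})
    return events


def detect_spray(events, key=lambda e: e["ip"], window=timedelta(hours=1),
                 min_users=5, max_per_user=3):
    """Return one finding per group (default: per source IP) whose failures,
    inside some `window`, touch at least `min_users` distinct accounts with no
    account tried more than `max_per_user` times: many victims, few attempts
    each, which is the spraying pattern that per-account lockout never sees.
    Pass key=lambda e: "tenant" to run tenant-wide and catch sprays spread
    over many hijacked source IPs."""
    groups = defaultdict(list)
    for e in events:
        groups[key(e)].append(e)
    findings = []
    for group, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if not e["success"]]
        best = None
        start = 0
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            span = failures[start:end + 1]
            per_user = Counter(e["user"] for e in span)
            if len(per_user) < min_users or max(per_user.values()) > max_per_user:
                continue
            if best is None or len(per_user) > best["distinct_users"]:
                best = {
                    "group": group,
                    "first_seen": span[0]["ts"],
                    "distinct_users": len(per_user),
                    "max_per_user": max(per_user.values()),
                    "legacy_auth": any(e["client_app"] in LEGACY_CLIENT_APPS for e in span),
                    "sprayed_users": set(per_user),
                }
        if best is None:
            continue
        # A success from the same group against a sprayed account, after the
        # spray started, is the signal that one of the password guesses landed.
        best["compromised"] = sorted(
            e["user"] for e in evs
            if e["success"] and e["user"] in best["sprayed_users"]
            and e["ts"] >= best["first_seen"])
        findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_spray(constructed_events()):
        print(f"{f['group']}: {f['distinct_users']} accounts sprayed, "
              f"legacy auth={f['legacy_auth']}, compromised={f['compromised']}")
```

Grouping by source IP catches a single spraying host, but the hijacked routers and servers described above spread a campaign over many IPs, each touching only a few accounts; the tenant-wide mode (`key=lambda e: "tenant"`) catches that at the cost of more false positives, so corroborate a tenant-wide hit with the `legacy_auth` flag and with whether the successful login came from an IP the user has never used before.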

Most IMAP-based attacks originated in China, representing 53% of all successful malicious efforts, followed by attacks from Brazilian IP addresses (39%), and US infrastructure (31%).  Note that attacks often originated from multiple geographies and, as is often the case, it is important not to assume a consistent, direct correlation between the origin of attacks and the nationality of the threat actors carrying them out.

Organizations across various industries and countries around the world are affected, but both K-12 and higher education sectors appear to be the most vulnerable to these high-volume brute force attacks. 70% of all educational institutions' tenants experienced breaches that originated from IMAP-based brute force attacks. Over 13% of successful attacks were aimed at educational institutions, with attackers taking advantage of susceptible students and seeking access to valuable data, such as scientific research. More frequently, though, attackers simply use these easily compromised, hijacked accounts to launch spam campaigns, meaning that the impact of attacks on this industry extends far beyond educational institutions.

Phishing gives rise to lateral movement and hybrid attacks 

In contrast to attacks leveraging breached data, these attacks begin with email phishing campaigns. Threat actors then use the stolen credentials to infiltrate users’ cloud application accounts. Our researchers found that over 31% of all cloud tenants were subject to breaches originating from successful phishing campaigns.  

Most of these attacks originated from Nigerian IP addresses, representing 63% of all successful malicious efforts, followed by South African infrastructure (21%), and the United States via VPNs (11%). Attackers sometimes used anonymization services, such as VPNs or Tor nodes to bypass conditional access and geolocation-based authentication. These attacks may also make use of the IMAP protocol, forming a hybrid attack.

After threat actors compromise cloud accounts, they send internal phishing from these "trusted" accounts to move laterally inside the organization and impact additional users. Attackers often modify email forwarding rules or set email delegations to maintain access; both survive a password reset unless the rules and delegations themselves are found and removed. They sometimes launch man-in-the-middle attacks, and they also leverage breached accounts to phish users in other organizations, causing cross-tenant contamination.
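Because a forwarding rule or a delegation outlives the stolen password, a post-compromise check has to enumerate both. The following is an added example, not Proofpoint's code or anything from the original report: it audits constructed inbox-rule and mailbox-permission records for mail leaving the tenant's own domains and for delegations nobody signed off on. The record shape loosely follows Exchange Online's `Get-InboxRule` and `Get-MailboxPermission` output with plain SMTP addresses, and the internal-domain and approved-delegation lists are assumptions of this example.

```python
"""Audit inbox rules and mailbox delegations for attacker persistence
(added example, not Proofpoint code)."""
from email.utils import parseaddr

# Assumption: the tenant's own domains. A rule that sends mail outside them is
# how a phisher keeps reading a victim's mail after the password is changed.
INTERNAL_DOMAINS = {"example.org"}
# Assumption: (mailbox, delegate) pairs the business has approved.
APPROVED_DELEGATIONS = {("ceo@example.org", "assistant@example.org")}

# Constructed sample records (not real tenant data). Field names loosely follow
# Exchange Online's Get-InboxRule / Get-MailboxPermission output; that shape and
# the use of plain SMTP addresses are assumptions of this example.
SAMPLE_RULES = [
    {"Mailbox": "cfo@example.org", "Name": "Finance", "Enabled": True,
     "ForwardTo": ["archive@example.org"], "RedirectTo": [], "ForwardAsAttachmentTo": []},
    {"Mailbox": "payroll@example.org", "Name": ".", "Enabled": True,
     "ForwardTo": [], "RedirectTo": ["payroll.example.org@mail.example.net"],
     "ForwardAsAttachmentTo": []},
    {"Mailbox": "alice@example.org", "Name": "Newsletter", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": ["bob@example.org"]},
    {"Mailbox": "bob@example.org", "Name": "old", "Enabled": False,
     "ForwardTo": ["bob.personal@mail.example.net"], "RedirectTo": [], "ForwardAsAttachmentTo": []},
]
SAMPLE_DELEGATIONS = [
    {"Mailbox": "ceo@example.org", "User": "assistant@example.org", "AccessRights": ["FullAccess"]},
    {"Mailbox": "cfo@example.org", "User": "user07@example.org", "AccessRights": ["FullAccess", "SendAs"]},
    {"Mailbox": "shared-ap@example.org", "User": "NT AUTHORITY\\SELF", "AccessRights": ["FullAccess"]},
]


def domain_of(address):
    """Domain part of an address, tolerating 'Name <user@host>' forms."""
    addr = parseaddr(address)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_external(address, internal_domains):
    return domain_of(address) not in {d.lower() for d in internal_domains}


def audit_rules(rules, internal_domains):
    """Flag every rule that forwards, redirects or forwards-as-attachment to an
    address outside the tenant. A disabled rule is still reported (low severity)
    because the attacker can re-enable it."""
    findings = []
    for r in rules:
        targets = r.get("ForwardTo", []) + r.get("RedirectTo", []) + r.get("ForwardAsAttachmentTo", [])
        external = sorted(t for t in targets if t and is_external(t, internal_domains))
        if not external:
            continue
        findings.append({"mailbox": r["Mailbox"], "kind": "external_forward",
                         "severity": "high" if r.get("Enabled", True) else "low",
                         "detail": f"rule {r['Name']!r} sends mail to {', '.join(external)}"})
    return findings


def audit_delegations(delegations, approved):
    """Flag FullAccess/SendAs style delegations that are not on the approved list.
    The mailbox owner's own SELF entry is normal and skipped."""
    findings = []
    for d in delegations:
        delegate = d["User"]
        if delegate.upper().endswith("\\SELF"):
            continue
        if (d["Mailbox"], delegate) in approved:
            continue
        findings.append({"mailbox": d["Mailbox"], "kind": "unapproved_delegation",
                         "severity": "medium",
                         "detail": f"{delegate} holds {', '.join(d['AccessRights'])}"})
    return findings


def audit_persistence(rules, delegations, internal_domains=INTERNAL_DOMAINS,
                      approved=APPROVED_DELEGATIONS):
    return audit_rules(rules, internal_domains) + audit_delegations(delegations, approved)


if __name__ == "__main__":
    for f in audit_persistence(SAMPLE_RULES, SAMPLE_DELEGATIONS):
        print(f"[{f['severity']}] {f['mailbox']}: {f['kind']}: {f['detail']}")
```

Run it against a full export of rules and permissions after any confirmed compromise, not just the breached mailbox: the report above notes that attackers delegate and forward across accounts once inside, so a clean result on the original victim says little about the rest of the tenant.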

Although organizations of all sectors were targeted by attackers, as with password-spraying attacks the education sector is also the most vulnerable to phishing-related attacks. 15% of successful attacks affected educational institutions' users, especially university and high school students.

Other targeted industries include retail, finance, and technology. In certain cases, attackers target corporations’ payroll systems to reroute employee paychecks and access financial documents. Consistently, title-holders such as sales representatives, general managers, commercial franchisees, project managers, and account executives are targeted and are highly susceptible to phishing-related breaches. 

Conclusion 

This study demonstrates the increasing sophistication of threat actors around the world who are leveraging brute force methods, massive credential dumps, and successful phishing attacks to compromise cloud accounts at unprecedented scale. Service accounts and shared mailboxes are particularly vulnerable, and multifactor authentication on its own has proven insufficient where legacy protocols such as IMAP remain enabled. Attackers parlay successful compromises into internal phishing attacks, lateral movement in organizations, and additional compromises at trusted external organizations. Organizations need to implement layered, intelligent security measures, including user education, to combat these evolving threats that are increasingly successful in compromising user cloud accounts.
