Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

3/14/2019
01:30 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Threat Actors Use Credential Dumps, Phishing, Legacy Email Protocols to Bypass MFA and Breach Cloud Accounts Worldwide

MARCH 14, 2019 - PROOFPOINT INFORMATION PROTECTION RESEARCH TEAM

In a recent six-month study of major cloud service tenants, Proofpoint researchers observed massive attacks leveraging legacy protocols and credential dumps to increase the speed and effectiveness of brute force account compromises at scale. Attacks against Office 365 and G Suite cloud accounts using IMAP are difficult to protect against with multi-factor authentication, where service accounts and shared mailboxes are notably vulnerable. At the same time, targeted, intelligent brute force attacks brought a new approach to traditional password-spraying, employing common variations of the usernames and passwords exposed in large credential dumps to compromise accounts. Moreover, sophisticated phishing campaigns tricked recipients into revealing authentication credentials, providing attackers with additional avenues into corporate accounts.  

Proofpoint analyzed over one hundred thousand unauthorized logins across millions of monitored cloud user-accounts and found that: 

  • 72% of tenants were targeted at least once by threat actors  
  • 40% of tenants had at least one compromised account in their environment  
  • Over 2% of active user-accounts were targeted by malicious actors 
  • 15 out of every 10,000 active user-accounts were successfully breached by attackers 

The attacker’s primary aim is often to launch internal phishing, especially if the initial target does not have the access needed to move money or data. Post-login access to a user’s cloud email and contact information improve an attacker’s ability to expand footholds within an organization via internal phishing and internal BEC, which are much harder to detect than external phishing attempts. Attackers also leverage these trusted user accounts or brands to launch external attacks or make use of the infrastructure as part of broader attack campaigns.    

Attack origins 

Most attacker logins originate from Nigerian IP addresses. These accounted for 40% of all successful malicious efforts, followed by logins from Chinese IP addresses, accounting for 26% of successful breaches.  Other major sources of successful attacks included the United States, Brazil, and South Africa.

Between November 2018 and January 2019, successful brute force and phishing-related attacks involving Nigerian IP addresses increased by 65%. While these attacks did not all necessarily involve Nigerian actors, recent arrests and activity are consistent with widespread cybercrime in the region. 

Brute force Attacks on Cloud Apps Get Targeted and Intelligent  

In our study, IMAP was the most commonly abused legacy protocol. IMAP is a legacy authentication protocol that bypasses multifactor authentication (MFA). By design, these attacks avoid account lock-out and look like isolated failed logins, so they go unnoticed. 

  • Approximately 60% of Microsoft Office 365 and G Suite tenants were targeted with IMAP-based password-spraying attacks 
  • Roughly 25% of Office 365 and G Suite tenants experienced a successful breach as a result 
  • Threat actors achieved a 44% success rate breaching an account at a targeted organization 

IMAP-based password-spraying campaigns were particularly effective, appearing in high volumes between September 2018 and February 2019.  These attacks especially target high-value users such as executives and their administrative assistants. 

  • On average, attackers targeted 10% of active user-accounts in targeted tenants 
  • 1% of targeted user-accounts were successfully breached by attackers  

Attackers utilized thousands of hijacked network devices around the world -- primarily vulnerable routers and servers -- as operational attack platforms. These hijacked devices gained access to a new tenant every 2.5 days on average during a 50-day period. 

Most IMAP-based attacks originated in China, representing 53% of all successful malicious efforts, followed by attacks from Brazilian IP addresses (39%), and US infrastructure (31%).  Note that attacks often originated from multiple geographies and, as is often the case, it is important not to assume a consistent, direct correlation between the origin of attacks and the nationality of the threat actors carrying them out.

Organizations across various industries and countries around the world are affected, but both K-12 and higher education sectors appear to be the most vulnerable to these high-volume brute force attacks. 70% of all educational institutions’ tenants experienced breaches that originated from IMAP-based brute force attacks. Over 13% of successful attacks were aimed at educational institutions, with attackers taking advantage of susceptible students and seeking access to valuable data, such as scientific research. More frequently, though, attackers simply use these easily-compromised, hijacked accounts to launch spam campaigns, meaning that the impact of attacks on this industry extend far beyond educational institutions.  

Phishing gives rise to lateral movement and hybrid attacks 

In contrast to attacks leveraging breached data, these attacks begin with email phishing campaigns. Threat actors then use the stolen credentials to infiltrate users’ cloud application accounts. Our researchers found that over 31% of all cloud tenants were subject to breaches originating from successful phishing campaigns.  

Most of these attacks originated from Nigerian IP addresses, representing 63% of all successful malicious efforts, followed by South African infrastructure (21%), and the United States via VPNs (11%). Attackers sometimes used anonymization services, such as VPNs or Tor nodes to bypass conditional access and geolocation-based authentication. These attacks may also make use of the IMAP protocol, forming a hybrid attack.

After threat actors compromise cloud accounts, they send internal phishing from these “trusted” accounts to move laterally inside the organization and impact additional users.  Attackers often modify email forwarding rules or set email delegations to maintain access and sometimes launch man-in-the-middle attacks. They also leverage breached accounts to phish users in other organizations, causing cross-tenant contamination. 

Although organizations of all sectors were targeted by attackers, as with password-spraying attacks the education sector is also the most vulnerable to phishing-related attacks. 15% of successful attacks affect educational institutions’ users, especially university and high school students.  

Other targeted industries include retail, finance, and technology. In certain cases, attackers target corporations’ payroll systems to reroute employee paychecks and access financial documents. Consistently, title-holders such as sales representatives, general managers, commercial franchisees, project managers, and account executives are targeted and are highly susceptible to phishing-related breaches. 

Conclusion 

This study demonstrates the increasing sophistication of threat actors around the world who are leveraging brute force methods, massive credential dumps, and successful phishing attacks to compromise cloud accounts at unprecedented scale. Service accounts and shared mailboxes are particularly vulnerable while multifactor authentication has proven vulnerable. Attackers parlay successful compromises into internal phishing attacks, lateral movement in organizations, and additional compromises at trusted external organizations. Organizations need to implement layered, intelligent security measures – including user education – to combat these evolving threats that are increasingly successful in compromising user cloud accounts.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14540
PUBLISHED: 2019-09-15
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
CVE-2019-16332
PUBLISHED: 2019-09-15
In the api-bearer-auth plugin before 20190907 for WordPress, the server parameter is not correctly filtered in the swagger-config.yaml.php file, and it is possible to inject JavaScript code, aka XSS.
CVE-2019-16333
PUBLISHED: 2019-09-15
GetSimple CMS v3.3.15 has Persistent Cross-Site Scripting (XSS) in admin/theme-edit.php.
CVE-2019-16334
PUBLISHED: 2019-09-15
In Bludit v3.9.2, there is a persistent XSS vulnerability in the Categories -> Add New Category -> Name field. NOTE: this may overlap CVE-2017-16636.
CVE-2019-16335
PUBLISHED: 2019-09-15
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.