Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

3/14/2019
01:30 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Threat Actors Use Credential Dumps, Phishing, Legacy Email Protocols to Bypass MFA and Breach Cloud Accounts Worldwide

MARCH 14, 2019 - PROOFPOINT INFORMATION PROTECTION RESEARCH TEAM

In a recent six-month study of major cloud service tenants, Proofpoint researchers observed massive attacks leveraging legacy protocols and credential dumps to increase the speed and effectiveness of brute force account compromises at scale. Attacks against Office 365 and G Suite cloud accounts using IMAP are difficult to protect against with multi-factor authentication, where service accounts and shared mailboxes are notably vulnerable. At the same time, targeted, intelligent brute force attacks brought a new approach to traditional password-spraying, employing common variations of the usernames and passwords exposed in large credential dumps to compromise accounts. Moreover, sophisticated phishing campaigns tricked recipients into revealing authentication credentials, providing attackers with additional avenues into corporate accounts.  

Proofpoint analyzed over one hundred thousand unauthorized logins across millions of monitored cloud user-accounts and found that: 

  • 72% of tenants were targeted at least once by threat actors  
  • 40% of tenants had at least one compromised account in their environment  
  • Over 2% of active user-accounts were targeted by malicious actors 
  • 15 out of every 10,000 active user-accounts were successfully breached by attackers 

The attacker’s primary aim is often to launch internal phishing, especially if the initial target does not have the access needed to move money or data. Post-login access to a user’s cloud email and contact information improve an attacker’s ability to expand footholds within an organization via internal phishing and internal BEC, which are much harder to detect than external phishing attempts. Attackers also leverage these trusted user accounts or brands to launch external attacks or make use of the infrastructure as part of broader attack campaigns.    

Attack origins 

Most attacker logins originate from Nigerian IP addresses. These accounted for 40% of all successful malicious efforts, followed by logins from Chinese IP addresses, accounting for 26% of successful breaches.  Other major sources of successful attacks included the United States, Brazil, and South Africa.

Between November 2018 and January 2019, successful brute force and phishing-related attacks involving Nigerian IP addresses increased by 65%. While these attacks did not all necessarily involve Nigerian actors, recent arrests and activity are consistent with widespread cybercrime in the region. 

Brute force Attacks on Cloud Apps Get Targeted and Intelligent  

In our study, IMAP was the most commonly abused legacy protocol. IMAP is a legacy authentication protocol that bypasses multifactor authentication (MFA). By design, these attacks avoid account lock-out and look like isolated failed logins, so they go unnoticed. 

  • Approximately 60% of Microsoft Office 365 and G Suite tenants were targeted with IMAP-based password-spraying attacks 
  • Roughly 25% of Office 365 and G Suite tenants experienced a successful breach as a result 
  • Threat actors achieved a 44% success rate breaching an account at a targeted organization 

IMAP-based password-spraying campaigns were particularly effective, appearing in high volumes between September 2018 and February 2019.  These attacks especially target high-value users such as executives and their administrative assistants. 

  • On average, attackers targeted 10% of active user-accounts in targeted tenants 
  • 1% of targeted user-accounts were successfully breached by attackers  

Attackers utilized thousands of hijacked network devices around the world -- primarily vulnerable routers and servers -- as operational attack platforms. These hijacked devices gained access to a new tenant every 2.5 days on average during a 50-day period. 

Most IMAP-based attacks originated in China, representing 53% of all successful malicious efforts, followed by attacks from Brazilian IP addresses (39%), and US infrastructure (31%).  Note that attacks often originated from multiple geographies and, as is often the case, it is important not to assume a consistent, direct correlation between the origin of attacks and the nationality of the threat actors carrying them out.

Organizations across various industries and countries around the world are affected, but both K-12 and higher education sectors appear to be the most vulnerable to these high-volume brute force attacks. 70% of all educational institutions’ tenants experienced breaches that originated from IMAP-based brute force attacks. Over 13% of successful attacks were aimed at educational institutions, with attackers taking advantage of susceptible students and seeking access to valuable data, such as scientific research. More frequently, though, attackers simply use these easily-compromised, hijacked accounts to launch spam campaigns, meaning that the impact of attacks on this industry extend far beyond educational institutions.  

Phishing gives rise to lateral movement and hybrid attacks 

In contrast to attacks leveraging breached data, these attacks begin with email phishing campaigns. Threat actors then use the stolen credentials to infiltrate users’ cloud application accounts. Our researchers found that over 31% of all cloud tenants were subject to breaches originating from successful phishing campaigns.  

Most of these attacks originated from Nigerian IP addresses, representing 63% of all successful malicious efforts, followed by South African infrastructure (21%), and the United States via VPNs (11%). Attackers sometimes used anonymization services, such as VPNs or Tor nodes to bypass conditional access and geolocation-based authentication. These attacks may also make use of the IMAP protocol, forming a hybrid attack.

After threat actors compromise cloud accounts, they send internal phishing from these “trusted” accounts to move laterally inside the organization and impact additional users.  Attackers often modify email forwarding rules or set email delegations to maintain access and sometimes launch man-in-the-middle attacks. They also leverage breached accounts to phish users in other organizations, causing cross-tenant contamination. 

Although organizations of all sectors were targeted by attackers, as with password-spraying attacks the education sector is also the most vulnerable to phishing-related attacks. 15% of successful attacks affect educational institutions’ users, especially university and high school students.  

Other targeted industries include retail, finance, and technology. In certain cases, attackers target corporations’ payroll systems to reroute employee paychecks and access financial documents. Consistently, title-holders such as sales representatives, general managers, commercial franchisees, project managers, and account executives are targeted and are highly susceptible to phishing-related breaches. 

Conclusion 

This study demonstrates the increasing sophistication of threat actors around the world who are leveraging brute force methods, massive credential dumps, and successful phishing attacks to compromise cloud accounts at unprecedented scale. Service accounts and shared mailboxes are particularly vulnerable while multifactor authentication has proven vulnerable. Attackers parlay successful compromises into internal phishing attacks, lateral movement in organizations, and additional compromises at trusted external organizations. Organizations need to implement layered, intelligent security measures – including user education – to combat these evolving threats that are increasingly successful in compromising user cloud accounts.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18214
PUBLISHED: 2019-10-19
The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)
CVE-2019-18202
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
CVE-2019-18209
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
CVE-2019-18198
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.
CVE-2019-18197
PUBLISHED: 2019-10-18
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclo...