Companies today have to contend with cyberattackers who are using increasingly innovative ways to gain illicit access to corporate data. Since early 2017, Skyhigh has been tracking a brute force login attack on multiple enterprise customers. Using a set of corporate user names and passwords, as well as compromised hosted tenants, the attackers launched brute force attacks on high-level employees’ Office 365 accounts to gain access to potentially sensitive corporate data.
In its analysis, Skyhigh was able to detect over 100,000 attempts (failed logins) from 67 IPs and 12 networks, targeting 48 customers’ Office 365 accounts. What stood out with this attack was the sophisticated and sneaky approach of the attackers, who did not cast a wide net in trying to rope in as many corporate users as possible, which is typical in brute force attacks.
In this case, the attackers targeted a set of companies and high-level employees and launched a “slow and low” attack to avoid getting flagged by the cloud service provider. Another notable aspect of this attack was that it was cloud-to-cloud: the attackers leveraged the infrastructure of public hosting services to launch an attack on a SaaS service.
So far, as part of this attack, Skyhigh has not seen any evidence of any successful breaches of user accounts or loss of any corporate data.
Execution and Detection of the Attack
To execute this attack, the perpetrators acquired a set of corporate user names and passwords, which may be tied to multiple cloud services (not necessarily Office 365). Then, using public cloud tenants, they were able to launch brute force attacks on corporate users’ Office 365 accounts.
To accomplish this, they tried different permutations of employee names. For example, Steven Smith (name changed), Chief of Staff at Company A, saw login attempts on his account that used different combinations of his user name, such as steven.smith@companyA.com, steve.smith@companyA.com and s.smith@companyA.com. His account saw 17 attempts with 17 username permutations in 4 seconds from 14 IPs.
While Skyhigh does not have access to the passwords in clear text, it is speculated that the same password was used for every attempt, because each permutation of the user name was tried exactly once.
The attackers counted on two conditions for their attempts to succeed. First, they assumed that users reuse the same password across different applications, since they attempted to log in to Office 365 with an arbitrarily acquired password. Second, they hoped that companies had not enabled multi-factor authentication (MFA) and Single Sign-On (SSO) for apps that store sensitive data.
The first hint of the attack came when Skyhigh registered an anomaly associated with ‘Compromised Accounts’. Skyhigh’s threat protection engine is programmed to look for multiple variants of brute force attacks, so when the solution detected an abnormal pattern and high correlation between different factors associated with login attempts on user accounts, it registered an anomaly.
As more anomalies showed up across users, the anomaly elevated to a threat. The Skyhigh team performed a cross tenant analysis and detected over 100,000 failed logins, which confirmed a widespread brute force login attack.
While the researchers suspected an attack from the time the first threat was registered, confirming it required several analyses over time, given the “slow and low” nature of the attack. Skyhigh has since notified the impacted customers and has been working with them to apply the required remediation.
Attackers Attempted to Fly Under the Radar
The sophistication of the attackers can be observed in the precautions they took to avoid detection. First, they launched a slow and low brute force attack. While the attack itself was staggered over months to bypass the lockout checks implemented by CSPs, there were short spurts of activity in which different variations of a single user name were hit from multiple IPs.
One employee, Sherry Wheeler (name changed), who is an Executive Advisor, saw 95 attempts on her Office 365 account in 5 seconds from 13 IPs, where each IP tried different username variations. For instance, IP1 attempted sherry_wheeler and sherry.wheeler, while IP2 tried s_wheeler and s.wheeler, implying it was a distributed and coordinated attack coming from multiple platforms.
Had the 95 attempts on Sherry Wheeler’s account been made from the same IP, either the CSP or the hosting provider would have blacklisted the address. Finally, the attackers did not pick too many employees within a company, or even within a department. They appear to have selected senior or long-term employees, possibly because such employees are more likely to have access to sensitive data.
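The pattern described above (many spellings of one person’s user name, a handful of seconds, several source IPs, as in the Steven Smith and Sherry Wheeler cases) is what the threat protection engine correlates on. The following is an added illustration, not Skyhigh’s code: it groups failed sign-ins per targeted person rather than per IP and flags a burst. The records, the surname heuristic and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed Office 365 sign-in records (not real log data):
# (UTC timestamp, user name as typed by the client, source IP).
SAMPLE_FAILED_LOGINS = [
    ("2017-05-02T10:15:01Z", "sherry_wheeler@example.com", "198.51.100.10"),
    ("2017-05-02T10:15:01Z", "sherry.wheeler@example.com", "198.51.100.10"),
    ("2017-05-02T10:15:02Z", "s_wheeler@example.com", "203.0.113.7"),
    ("2017-05-02T10:15:03Z", "s.wheeler@example.com", "203.0.113.7"),
    ("2017-05-02T10:15:05Z", "sherry-wheeler@example.com", "192.0.2.44"),
    # A real user mistyping a password: one spelling, one IP, no burst.
    ("2017-05-02T11:40:00Z", "bob.jones@example.com", "10.0.0.5"),
    ("2017-05-02T11:40:20Z", "bob.jones@example.com", "10.0.0.5"),
]

SEP = re.compile(r"[._-]")

def person_key(username):
    """Collapse spellings (steve.smith, s_smith, ...) onto one key: the last token
    of the local part, i.e. the surname. A CASB would resolve against the directory."""
    local, _, domain = username.lower().partition("@")
    tokens = [t for t in SEP.split(local) if t]
    return f"{tokens[-1] if tokens else local}@{domain}"

def detect_permutation_bursts(records, window_s=10, min_names=3, min_ips=2):
    """Per targeted person, report the densest window of failures spanning at least
    min_names distinct spellings and min_ips source IPs (per-IP limits miss this)."""
    by_person = defaultdict(list)
    for ts, user, ip in records:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        by_person[person_key(user)].append((when, user.lower(), ip))
    alerts = []
    for key, events in by_person.items():
        events.sort()
        best, lo = None, 0
        for hi in range(len(events)):          # sliding window over sorted events
            while events[hi][0] - events[lo][0] > timedelta(seconds=window_s):
                lo += 1
            window = events[lo:hi + 1]
            names = {u for _, u, _ in window}
            ips = {ip for _, _, ip in window}
            if len(names) >= min_names and len(ips) >= min_ips:
                if best is None or len(window) > best["attempts"]:
                    best = {"target": key, "start": window[0][0].isoformat(),
                            "attempts": len(window), "usernames": len(names), "ips": len(ips)}
        if best:
            alerts.append(best)
    return alerts
```

On the sample data the Wheeler burst is reported once (5 attempts, 5 spellings, 3 IPs) while Bob Jones’s two typos from one address are not.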
Making the Case for Robust Cloud Security Infrastructure
This brute force attack could have been thwarted to a large extent if companies had enabled multi-factor authentication. But even with MFA enabled, attackers sometimes exploit another weakness within the SSO infrastructure.
When a legitimate user name is entered, the login page redirects the user to the federated gateway even if the password is incorrect, whereas an unknown user name produces a different response. This lets attackers distinguish valid user names from invalid ones, opening the door to a phishing campaign that targets users at confirmed email addresses.
The broader point is that it is extremely challenging for a company to get all of its security protocols and configurations right, and even then it remains vulnerable to unintended or malicious activity by employees that leads to security compromises.
By putting in place a robust cloud security infrastructure, such as a Cloud Access Security Broker (CASB), companies can gain awareness of their cloud usage and substantially mitigate the risk of a security incident. In the case of this brute force login attack, a CASB provides a number of capabilities to detect and alert the security teams so they can implement remedial measures.
- Cloud-to-cloud controls: Given that this attack was cloud native, a CASB is uniquely positioned to detect it, as it connects to cloud services via APIs to extract and analyze all activity data, including off-network activity and access from unmanaged devices. It is unlikely that traditional inline security controls such as firewalls and proxies would have been able to detect this attack.
- Threat protection: CASBs provide advanced threat detection capabilities that can detect even sophisticated attacks by analyzing activity data using machine learning algorithms to identify abnormal behaviors and access patterns. This can be critical, as attackers are getting increasingly innovative in exploiting even seemingly minor vulnerabilities to breach corporate systems.
- Coverage of IaaS services: As attacks increasingly involve IaaS platforms, CASBs are deployed by enterprises to build an additional layer of security around these platforms as well as around custom (e.g., home-built) apps built on them. For example, a CASB solution can perform a configuration audit on AWS and detect whether a company has not turned on multi-factor authentication or CloudTrail, two settings which, if misconfigured, can leave companies open to attack. CASBs also extend existing security controls such as activity monitoring and DLP to custom apps.
- Visibility into shadow cloud services: The average company uses 1,427 cloud services and less than 10% of these services are sanctioned by IT. Many of the shadow cloud services used by employees are usually not protected by controls such as SSO or MFA, but contain sensitive data that can fall into the hands of attackers who attempt to gain access by compromising their credentials. The chances of these attempts succeeding go up significantly as users often tend to reuse passwords across different applications.
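As an added example of the AWS configuration audit mentioned in the IaaS bullet (illustrative code, not Skyhigh’s product), the functions below check the IAM credential report for console principals without MFA and check CloudTrail for a missing, stopped or single-region trail. The sample payloads are constructed stand-ins shaped like the AWS responses, and audit_account assumes the caller passes in boto3 iam and cloudtrail clients.

```python
import csv
import io

# Constructed stand-ins for AWS API responses (not real account data).
# iam.get_credential_report()["Content"] is CSV; only the columns used here are kept.
SAMPLE_CREDENTIAL_REPORT = b"""user,arn,password_enabled,mfa_active
<root_account>,arn:aws:iam::111111111111:root,not_supported,false
alice,arn:aws:iam::111111111111:user/alice,true,true
bob,arn:aws:iam::111111111111:user/bob,true,false
svc-deploy,arn:aws:iam::111111111111:user/svc-deploy,false,false
"""
# cloudtrail.describe_trails() and get_trail_status(Name=...) reduced to the fields used.
SAMPLE_TRAILS = {"trailList": [{"Name": "main", "IsMultiRegionTrail": False}]}
SAMPLE_TRAIL_STATUS = {"main": {"IsLogging": False}}

def users_without_mfa(report_csv):
    """Principals with console access (root included) that have no MFA device."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv.decode())):
        console = row["user"] == "<root_account>" or row["password_enabled"] == "true"
        if console and row["mfa_active"] != "true":
            findings.append(row["user"])
    return findings

def cloudtrail_findings(trails, status_by_name):
    """Flag an account with no trail, a trail that is not logging, or one that
    only records a single region (API activity elsewhere would go unseen)."""
    if not trails.get("trailList"):
        return ["no CloudTrail trail configured"]
    findings = []
    for t in trails["trailList"]:
        if not status_by_name.get(t["Name"], {}).get("IsLogging"):
            findings.append(f"trail {t['Name']} is not logging")
        if not t.get("IsMultiRegionTrail"):
            findings.append(f"trail {t['Name']} is single-region")
    return findings

def audit_account(iam, cloudtrail):
    """Live version (assumes boto3 clients): call iam.generate_credential_report()
    first if the account has no report yet, then run the two checks above."""
    report = iam.get_credential_report()["Content"]
    trails = cloudtrail.describe_trails()
    status = {t["Name"]: cloudtrail.get_trail_status(Name=t.get("TrailARN", t["Name"]))
              for t in trails["trailList"]}
    return {"users_without_mfa": users_without_mfa(report),
            "cloudtrail": cloudtrail_findings(trails, status)}
```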
As attackers increase their attacks on enterprise SaaS and IaaS deployments, CASBs offer a new line of defense, allowing companies to adopt and benefit from using cloud services, but also protect their corporate assets and maintain compliance.