McAfee MVISION Cloud has detected an ingenious new botnet attack against Office 365 accounts, dubbed ‘KnockKnock’ because attackers are attempting to knock on backdoor system accounts to infiltrate entire O365 environments. One of the key distinctions of this new attack is the nature of the accounts that are being targeted. KnockKnock was designed to primarily attack system accounts that are not assigned to any one individual user, making them particularly vulnerable, as we’ll describe later.
First, it should be noted that KnockKnock is not a brute force attack for two reasons. First, it targets a very small proportion (typically <2%) of the O365 account base. Second, it is devoid of any bursts in hacking activity, and averages only 3-5 attempts per account in order to try and fly under the radar of traditional defenses.
KnockKnock has been operational since May 2017 and is currently active. The attack is launched using a relatively small network of 83 confirmed IPs distributed across 63 networks. The smaller size of the botnet is likely designed to keep the attacker low key (i.e. the attack focuses on a handful of users at a time, before moving on to the next set).
In an attempt to further obfuscate the attack, enterprises are targeted in a staggered manner. When the attacks against one enterprise seem to be ramping up, they are slowing down for a different enterprise. While a majority of the activity stems from IPs registered to service providers in China, there is activity originating out of 15 other countries including Russia, Brazil, US, Argentina, Gabon, Azerbaijan, Malaysia.
What makes KnockKnock so Ingenious?
The attack is particularly clever in that it distinctively and slowly targets system accounts. The system accounts that Skyhigh identified as targets included service accounts (like the ones used for user provisioning in larger enterprises), automation accounts (like the ones used to automate data and system backups), machine accounts (like the ones used for applications within data centers), marketing automation accounts (like the ones used for marketing and customer communication), internal tools accounts (like the ones used with JIRA, Jenkins, GitHub etc.), in addition to accounts set up for distribution lists and shared and delegated mailboxes.
The reason this is so clever is that system accounts, given their purpose, tend to have higher access and privileges than an average account. And, most importantly, such accounts do not yield well to authentication frameworks like Single-Sign-On (SSO) or Multi-Factor Authentication (MFA) and are also subject to lax password policies. These two aspects help reveal the motivation behind KnockKnock, (i.e. attack a weak-link with the potential for elevated exploits).
Anatomy of the Attack
Once KnockKnock gains access to an enterprise system account, the attack is designed to exfiltrate any data in the inbox and then create a new inbox rule intended to hide and divert incoming messages. The attack will then typically attempt to initiate a phishing attack, and propagate infection across the enterprise using this controlled inbox. Since this is a persistent attack that may go unnoticed, it is possible that the attackers may tailor the payload based on the organization they have infiltrated for a larger takeover over time.
How Skyhigh detected KnockKnock
Based on Skyhigh’s Lightning Link integration to Office365 that provides real-time and high-fidelity activity monitoring of all activities including login attempts, soon after KnockKnock became operational, Skyhigh’s Threat Lab detected a pattern of Anomalous Access Locations (AAL) across multiple customers, Skyhigh’s ML automatically that takes into account behavioral patterns for the user, activity, and access-points to pinpoint anomalies played a key part in reducing the time to respond to this threat. As the number of these anomalous accesses increased, Skyhigh’s threat funnel correlated multiple of these access attempt anomalies into threats. By leveraging the network effect of analyzing billions of O365 events across hundreds of Skyhigh’s O365 customers, Skyhigh is uniquely capable of detecting attacks across multiple enterprises with high fidelity and much quicker than traditional approaches.
Why CASB is Critical in Detecting and Remediating These Attacks
This attack focused on attempting to exploit the vulnerability of system accounts, which are not usually protected by SSO or MFA. Further, system account activity is often not scrutinized for malicious behavior at the same level as user or admin accounts. Employing a CASB to monitor activity and perform UEBA across all O365 accounts is instrumental in detecting and remediating this type attack before it can cause substantive damage, and uses following techniques:
- Anomalous usage detection – When attackers attempt to compromise the system accounts, Skyhigh is able to flag an ‘Access Login Attempt’ anomaly, as it detects activity that deviated from dynamic access pattern models. Skyhigh detects account compromise attempts based on unfamiliar and untrusted access points, consecutive login attempts from locations that imply impossible travel, and brute-force login attempts. And Skyhigh can analyze these access attempts across multiple cloud services.
- Comprehensive threat analysis – Skyhigh detects threats such as KnockKnock by building a trust profile for employees based on their activity, locations, usage, and other parameters, and then identifying a departure from expected usage patterns. This requires a solution that not only analyzes an individual’s usage data, but also sources collective intelligence across all enterprise usage data in order to define baseline patterns and calibrate the algorithms on an ongoing basis.
- Prevention of new and sophisticated attacks – This attack comes on the heels of another sophisticated cybersecurity attack Skyhigh detected less than 3 months ago. Attackers continue to come up with innovative ways to exploit vulnerabilities and gain access to sensitive corporate data. To minimize the risk of breach, companies need to deploy a solution that is monitoring and protecting their cloud usage across multiple dimensions including services, users, and devices.
As attackers increase their attacks on enterprise SaaS and IaaS deployments, CASBs offer a new line of defense, allowing companies to adopt and benefit from cloud, while protecting their most valuable asset – data.