Stormy Weather: The Downside to Cloud Computing

Cloud computing offers organizations an affordable way to quickly deploy technology solutions and provide access to that technology from virtually anywhere. There is no need to acquire and manage hardware, operating systems, firewalls or other on-prem supporting systems. A cloud environment can be spun up in a matter of clicks. Key office applications like email, file sharing/storage, and collaboration tools have moved to the cloud as well, providing remote access for employees during these pandemic times. All good stuff, except…

Those storm clouds on the horizon are the threats that malicious actors are coming up with to attack and gain access to corporate data and resources. With the pandemic sending employees to work at home, organizations quickly deployed solutions that were not secure, and the bad guys are taking advantage of that.

Having recently worked with numerous clients on breach investigations, I would like to extend some lessons learned on what went wrong and how the events could have been prevented. 

All the events started with a cleverly designed phishing campaign.

  1. The phishing emails were typically designed to entice the user to browse to a remote file, or to open a file that contained a link to a malicious website.
  2. These sites were designed to trick the user into entering their network login credentials in order to gain access to the file(s).
  3. Once the users entered their credentials, those credentials were compromised, and malicious activity began immediately.

Individuals who fell for the phishing emails and had their credentials compromised gave the malicious actors access to their O365 accounts. The malicious actors were able to reach the user's email and SharePoint/OneDrive resources using either web or desktop (thick) clients. From this foothold, the attackers could pivot in several directions. They could use the credentials to send internal or external phishing emails from the compromised user accounts. They could download contacts and email contents, including attachments, as well as sensitive files stored in SharePoint/OneDrive. They could also set up forwarding rules to external email accounts under their control.

In most cases, the malicious actors had access to the environment for days without detection. The attacks were discovered only after users started reporting the phishing activity and, subsequently, an unusual number of forwarding rules being created was noticed.

So, what went wrong, and how could these attacks have been prevented?

There are several security areas that would have helped prevent these attacks from being successful:

  • In some cases, multifactor authentication (MFA) was not used and would have prevented the malicious actors from gaining access to the user accounts, even though they had captured their login credentials.
  • In the cases where MFA was in place, the malicious actors could not log in through modern (OAuth) authentication. However, they could still reach O365 legacy protocols such as POP, IMAP and SMTP to send emails as the compromised user, because legacy (basic) authentication for those protocols had not been disabled or restricted, as Microsoft recommends.
  • Email filtering was not enforced and allowed the initial malicious attachments through the mail systems, allowing users to click on them.
  • SIEM logging was typically not utilized but would have been able to capture login activity from known bad IP addresses, flagging malicious activity faster.
  • Users were, by default, allowed to set email forwarding rules, which allowed the malicious actors to do the same. Forwarding should be denied for all users by default, with exceptions granted only to those who have a business need for it.
  • Initial phishing reports were not fully investigated to reveal the full extent of the malicious activities. Again, SIEM logging would have facilitated the investigations.
  • Enhanced user training on identifying phishing activity would help reduce the number of users that would fall for this type of attack.
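The SIEM, legacy-authentication and forwarding-rule points above come down to three detections that can be run over mailbox audit and sign-in records. The following is an added example written for this article, not code from the author or from Microsoft: it runs those detections over a handful of constructed records whose field names (`operation`, `protocol`, `client_ip`, `parameters`) are assumptions loosely modelled on Unified Audit Log entries, not the real nested schema. The tenant domain `example.com`, the "known bad" network `198.51.100.0/24` and every record are constructed for the demonstration.

```python
"""Detections over constructed Microsoft 365 audit-style records (added example).

Flags three indicators discussed in the article: inbox rules that forward or
redirect mail to external addresses, sign-ins over legacy (basic-auth)
protocols that sidestep MFA, and sign-ins from known-bad IP ranges. It also
counts rule creations per day to surface the "unusual number of forwarding
rules" signal that eventually exposed the intrusions.
"""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List

INTERNAL_DOMAINS = {"example.com"}                               # constructed tenant domain
KNOWN_BAD_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # constructed threat-intel feed
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "SMTP"}                     # labels are assumptions
FORWARD_PARAMS = ("ForwardTo", "ForwardingSmtpAddress", "RedirectTo")

# Constructed sample records, not real log data.
SAMPLE_RECORDS = [
    {"time": "2020-11-02T08:14:03Z", "user": "alice@example.com", "operation": "UserLoggedIn",
     "client_ip": "203.0.113.45", "protocol": "OAuth2"},
    {"time": "2020-11-02T21:40:11Z", "user": "alice@example.com", "operation": "UserLoggedIn",
     "client_ip": "198.51.100.7", "protocol": "IMAP4"},
    {"time": "2020-11-02T21:42:50Z", "user": "alice@example.com", "operation": "New-InboxRule",
     "client_ip": "198.51.100.7",
     "parameters": {"Name": ".", "ForwardingSmtpAddress": "smtp:drop@attacker.example",
                    "DeleteMessage": "True"}},
    {"time": "2020-11-03T09:05:00Z", "user": "bob@example.com", "operation": "New-InboxRule",
     "client_ip": "203.0.113.90",
     "parameters": {"Name": "Team copy", "ForwardTo": "team-inbox@example.com"}},
    {"time": "2020-11-03T09:07:22Z", "user": "carol@example.com", "operation": "UserLoggedIn",
     "client_ip": "198.51.100.9", "protocol": "SMTP"},
]


def is_external(address: str, internal_domains: Iterable[str] = INTERNAL_DOMAINS) -> bool:
    """True when the recipient domain is not one of the tenant's own domains.
    Strips the 'smtp:' prefix Exchange places in front of SMTP addresses."""
    addr = address.lower()
    if addr.startswith("smtp:"):
        addr = addr[len("smtp:"):]
    domain = addr.rsplit("@", 1)[-1]
    return domain not in {d.lower() for d in internal_domains}


def external_forwarding_rules(records, internal_domains=INTERNAL_DOMAINS) -> List[dict]:
    """Inbox-rule creations or changes that send mail outside the tenant."""
    findings = []
    for r in records:
        if r["operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = r.get("parameters", {})
        targets = [params[p] for p in FORWARD_PARAMS if p in params]
        if any(is_external(t, internal_domains) for t in targets):
            findings.append({"user": r["user"], "time": r["time"],
                             "targets": targets, "client_ip": r["client_ip"]})
    return findings


def legacy_protocol_logins(records) -> List[dict]:
    """Sign-ins over protocols that only support basic auth and therefore bypass MFA."""
    return [{"user": r["user"], "time": r["time"],
             "protocol": r["protocol"], "client_ip": r["client_ip"]}
            for r in records
            if r["operation"] == "UserLoggedIn" and r.get("protocol") in LEGACY_PROTOCOLS]


def bad_ip_logins(records, bad_networks=KNOWN_BAD_NETWORKS) -> List[dict]:
    """Sign-ins whose source address falls inside a known-bad network."""
    findings = []
    for r in records:
        if r["operation"] != "UserLoggedIn":
            continue
        ip = ipaddress.ip_address(r["client_ip"])
        if any(ip in net for net in bad_networks):
            findings.append({"user": r["user"], "time": r["time"], "client_ip": r["client_ip"]})
    return findings


def forwarding_rules_per_day(records) -> Dict[str, int]:
    """Daily count of inbox-rule creations; a spike is the signal the article describes."""
    return dict(Counter(r["time"][:10] for r in records if r["operation"] == "New-InboxRule"))


def run_detections(records=SAMPLE_RECORDS) -> Dict[str, object]:
    """Run every detection and return the findings keyed by detection name."""
    return {
        "external_forwarding_rules": external_forwarding_rules(records),
        "legacy_protocol_logins": legacy_protocol_logins(records),
        "bad_ip_logins": bad_ip_logins(records),
        "rules_per_day": forwarding_rules_per_day(records),
    }


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(f"{name}: {hits}")
```

On the sample data, Bob's rule forwarding to an internal team mailbox is not flagged, while Alice's rule (a one-character name, external SMTP target, messages deleted after forwarding) is, and the same source address shows up in both the legacy IMAP sign-in and the rule creation, which is the correlation a SIEM makes possible and a mailbox-by-mailbox review does not.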

When working in the cloud, regardless of whether it is Azure, AWS, or another provider, make sure the appropriate controls are in place so that only the intended individuals gain access. Understand the security implications of providing access to sensitive corporate information and resources BEFORE you roll out the solutions. Set up appropriate controls that will help detect and notify on malicious activity when it does occur.

Hopefully, that rainbow on the horizon is from a passing storm, and one that your organization did not have to weather!

If you are interested in how we can help, please reach out to us at connect@compliancepoint.com.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.