Tessian’s mission is to secure the human layer by empowering people to do their best work, without security getting in their way.
tl;dr: The Cybersecurity and Infrastructure Security Agency (CISA) has warned of a string of successful phishing attacks exploiting weak cyber hygiene in remote work environments to access companies’ cloud services via employees’ corporate laptops and personal devices.*
According to the report, “the cyber actors designed emails that included a link to what appeared to be a secure message and also emails that looked like a legitimate file hosting service account login. After a targeted recipient provided their credentials, the threat actors then used the stolen credentials to gain Initial Access to the user’s cloud service account. … [The threat actors used] a variety of tactics and techniques—including phishing, brute force login attempts, and possibly a “pass-the-cookie” attack—to attempt to exploit weaknesses in the victim organizations’ cloud security practices.”
"Pass-the-cookie" is a session-hijacking technique. When a user signs in to a web application, including after completing multi-factor authentication, the application sets a session cookie in the browser that identifies the authenticated session; every later request carries that cookie instead of the password. An attacker who obtains a copy of that cookie (for example from the victim's browser or device, or from a phishing flow that captures it) can place it in their own browser or HTTP client and send it in the Cookie header of requests to the same service. A server that checks only the cookie cannot distinguish the replayed copy from the victim's own requests, so it treats the attacker as the already-authenticated user, with no password prompt and no second MFA challenge. Where the same authentication cookie is accepted by several applications, as with single sign-on across an organization's cloud services, the attacker can move laterally into those applications as well, with all of the victim's privileges.
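The following Python sketch is an added illustration, not code from the CISA report or from Tessian. It models the sequence above in-process: a victim logs in with a password and a one-time code, the attacker replays only the resulting session cookie from a different client, and a server that trusts the cookie alone accepts it with no MFA challenge. The same code shows one common mitigation, binding the session to a client fingerprint recorded at login, and a simple detection rule over constructed access-log events. All account names, credentials, IP addresses, user-agent strings and log entries are constructed sample data.

```python
"""Toy in-process model of cookie-based web sessions, written to show how a
stolen session cookie ("pass-the-cookie") replays an authenticated session
without the password or the MFA code. No network is involved: each "request"
is a function call against an in-memory session store. Every credential,
address and log line here is constructed sample data."""
import hashlib
import secrets
import time
from dataclasses import dataclass

# Constructed sample account for the toy application (not a real credential).
USERS = {"alice": {"password": "correct-horse-battery", "otp": "123456"}}


@dataclass(frozen=True)
class ClientContext:
    """What the server can observe about the client sending a request."""
    ip: str
    user_agent: str


def _fingerprint(ctx):
    return hashlib.sha256(f"{ctx.ip}|{ctx.user_agent}".encode()).hexdigest()


class SessionStore:
    """Server-side session table keyed by the random cookie value.

    bind_to_client=False is the usual weak setup: whoever presents the cookie
    is treated as the user. bind_to_client=True records a client fingerprint
    at login and refuses the cookie when it arrives from a different client.
    """

    def __init__(self, bind_to_client, ttl_seconds=3600):
        self.bind_to_client = bind_to_client
        self.ttl_seconds = ttl_seconds
        self._sessions = {}

    def issue(self, user, ctx):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "fingerprint": _fingerprint(ctx),
                                 "expires": time.time() + self.ttl_seconds}
        return token

    def resolve(self, token, ctx):
        """Return the user who owns `token`, or None if the cookie is rejected."""
        sess = self._sessions.get(token)
        if sess is None or sess["expires"] < time.time():
            return None
        if self.bind_to_client and sess["fingerprint"] != _fingerprint(ctx):
            return None
        return sess["user"]


def login(store, username, password, otp, ctx):
    """POST /login with password and one-time code. Returns (status, Set-Cookie)."""
    rec = USERS.get(username)
    if rec is None or not secrets.compare_digest(rec["password"], password) \
            or not secrets.compare_digest(rec["otp"], otp):
        return 401, None
    return 200, f"session={store.issue(username, ctx)}; Secure; HttpOnly; SameSite=Lax"


def get_mailbox(store, cookie_header, ctx):
    """GET /mailbox, authenticated by the session cookie alone, as real apps are."""
    cookies = dict(part.strip().split("=", 1)
                   for part in cookie_header.split(";") if "=" in part)
    user = store.resolve(cookies.get("session", ""), ctx)
    return (401, "login required") if user is None else (200, f"mailbox of {user}")


def pass_the_cookie_demo(bind_to_client):
    """Victim completes password + OTP login; the attacker replays only the
    cookie from another machine. Returns the status the replay receives."""
    store = SessionStore(bind_to_client=bind_to_client)
    victim = ClientContext("203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Firefox/85.0")
    attacker = ClientContext("198.51.100.7", "python-requests/2.25.1")
    status, set_cookie = login(store, "alice", "correct-horse-battery", "123456", victim)
    assert status == 200
    # The attacker holds the cookie value (how it was obtained is outside this
    # model) and sends it verbatim in a Cookie header: no password, no OTP prompt.
    stolen_cookie = set_cookie.split(";")[0]  # "session=<token>"
    status, _ = get_mailbox(store, stolen_cookie, attacker)
    return status


# Constructed access-log sample: (session_id, source_ip, user_agent) per request.
SAMPLE_ACCESS_LOG = [
    ("s-4f2a", "203.0.113.10", "Firefox/85.0"),
    ("s-4f2a", "203.0.113.10", "Firefox/85.0"),
    ("s-4f2a", "198.51.100.7", "python-requests/2.25.1"),  # same session, new client
    ("s-9c11", "192.0.2.44", "Chrome/88.0"),
]


def find_session_reuse(events):
    """Detection rule: flag any session id presented from more than one
    (source_ip, user_agent) pair during the window covered by `events`."""
    clients_by_session = {}
    for session_id, ip, ua in events:
        clients_by_session.setdefault(session_id, set()).add((ip, ua))
    return sorted(s for s, clients in clients_by_session.items() if len(clients) > 1)


if __name__ == "__main__":
    print("unbound session, replay status:", pass_the_cookie_demo(False))  # 200
    print("client-bound session, replay status:", pass_the_cookie_demo(True))  # 401
    print("sessions seen from multiple clients:", find_session_reuse(SAMPLE_ACCESS_LOG))
```

Two caveats on the mitigation shown. Binding a session to source IP and User-Agent is coarse: mobile and VPN users change address legitimately, and the User-Agent string is attacker-controlled and easy to copy, so in practice the binding is one signal among several (short session lifetimes, re-authentication before sensitive actions, and revoking all sessions on password reset or on a reported compromise). The detection rule is similarly a starting point; the same session appearing from a new network and client within a short window is the pattern worth alerting on, not every address change.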
This type of malicious activity targeting remote workers isn’t new. Henry Trevelyan Thomas, Tessian’s VP of Customer Success, has seen many instances this year. “The shift to remote work has resulted in people needing more flexibility, and personal accounts provide that—for example, access to home printers or working from a partner’s computer. Personal accounts are easier to compromise as they almost always have fewer security controls, are outside organizations’ secure environments, and your guard is down when logging on to your personal account. Attackers have realized this and are seeing it as a soft underbelly and entry point into a full corporate account takeover.”
For more practical advice on how to avoid falling for a phishing scam, download Tessian’s guide to Remote Work and Cybersecurity.
*Note: the activity and information in this Analysis Report is not explicitly tied to any one threat actor or known to be specifically associated with the advanced persistent threat actor attributed with the compromise of SolarWinds Orion Platform software and other recent activity.