tl;dr: The Cybersecurity and Infrastructure Security Agency (CISA) has warned of a string of successful phishing attacks exploiting weak cyber hygiene in remote work environments to access companies’ cloud services via employees’ corporate laptops and personal devices.*
According to the report, “the cyber actors designed emails that included a link to what appeared to be a secure message and also emails that looked like a legitimate file hosting service account login. After a targeted recipient provided their credentials, the threat actors then used the stolen credentials to gain Initial Access to the user’s cloud service account. … A variety of tactics and techniques—including phishing, brute force login attempts, and possibly a “pass-the-cookie” attack—to attempt to exploit weaknesses in the victim organizations’ cloud security practices.”
What does "pass-the-cookie" mean?
“Pass-the-cookie” is a tactic in which an attacker uses a phishing email to gain a target’s credentials and log into a system using them. The website they log into sets a ‘session token’ in the form of a cookie in the web browser, which confirms the user is successfully authenticated. Then, the attacker starts lateral movement attempts in the victim’s organization, sending the previously captured session cookie to the new target systems by injecting the cookie into HTML requests. If authentication cookies are shared across systems, there is a risk that the other system will accept the cookie and authenticate the attacker as if they were the original victim. As a result, the attacker has access to the new system with all the privileges of the victim.
Once the hackers had access an employee’s account, they were able to:
- Send other phishing emails to contacts in the employee’s network.
- Modify existing forwarding rules so that emails that would normally automatically be forwarded to personal accounts were instead forwarded directly to the hacker’s inbox.
- Create new mailbox rules to have emails containing specific keywords (i.e. finance-related terms) forwarded to the hacker’s account.
This type of malicious activity targeting remote workers isn’t new. Henry Trevelyan Thomas, Tessian’s VP of Customer Success has seen many instances this year. “The shift to remote work has resulted in people needing more flexibility, and personal accounts provide that—for example, access to home printers or working from a partner’s computer. Personal accounts are easier to compromise as they almost always have less security controls, are outside organizations’ secure environments, and your guard is down when logging on to your personal account. Attackers have realized this and are seeing it as a soft underbelly and entry point into a full corporate account takeover.”
Learn more about Account Takeover (ATO), and take a look at some real-life examples of phishing attacks we spotted last year.
CISA recommends the following steps for organizations to strengthen their cloud security practices:
- Establish a baseline for normal network activity within your environment
- Implement MFA for all users, without exception
- Routinely review user-created email forwarding rules and alerts, or restrict forwarding
- Have a mitigation plan or procedures in place; understand when, how, and why to reset passwords and to revoke session tokens
- Consider a policy that does not allow employees to use personal devices for work. At a minimum, use a trusted mobile device management solution.
- Consider restricting users from forwarding emails to accounts outside of your domain
- Focus on awareness and training. Make employees aware of the threats—such as phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
- Establish blame-free employee reporting and ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.
For more practical advice on how to avoid falling for a phishing scam, download Tessian’s guide to Remote Work and Cybersecurity.
What Tessian’s Experts Say
“Many organizations associate advanced attacks with BEC and wire fraud. However we're continuing to see sophisticated threat actors build websites that impersonate cloud services (e.g. email providers, file sharing services, etc) and simply send a benign looking link to targets. The sophistication here is in the impersonation and psychology behind getting an employee to do what you want them to do, in this case, clicking the link and entering their credentials.”
“Home networks are typically protected only by the routers provided by their MSP and many of these have a history of weaknesses. In addition, these home routers often have remote management APIs that could allow a malicious user at the ISP to gain access to a given home network. The solution here is for companies to treat remote home networks as untrusted (in the same way as we do for users working from an airport or a coffee shop) and require remote workers to use a VPN for any work-related tasks. This has the benefit that the VPN client is usually only on the work laptop - restricting users from using home systems for work.”
Free resources to help keep your employees and organization secure.
*Note: the activity and information in this Analysis Report is not explicitly tied to any one threat actor or known to be specifically associated with the advanced persistent threat actor attributed with the compromise of SolarWinds Orion Platform software and other recent activity.