The US Cybersecurity and Infrastructure Security Agency (CISA) announced that it is aware of several successful cyberattacks against various organizations’ cloud services. According to the announcement, the attackers are using phishing and brute-force logins to attempt to exploit weaknesses in the cloud. CISA also released Analysis Report AR21-013A: Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services, which provides technical details and indicators of compromise.
Methods
According to the report, several hackers are using phishing emails with malicious links to harvest credentials for users’ cloud service accounts. Some attackers tried to collect sensitive information by taking advantage of email forwarding rules that users had set up to forward work emails to their personal email accounts. CISA also verified that the threat actors successfully signed into one user’s account that had proper multi-factor authentication (MFA). CISA also stated that attackers may have used browser cookies to defeat MFA with a “pass-the-cookie” attack.
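
Since the forwarding rules described above send work email outside the organization, a defender can audit exported mailbox rules for targets that leave the organization's domains. The following is an added example, not code from the CISA report; the record fields (`mailbox`, `rule`, `enabled`, `forward_to`), the sample data and the domain `corp.example` are constructed assumptions, not a vendor schema.

```python
from email.utils import parseaddr

# Constructed sample export; field names are hypothetical, not a vendor schema.
SAMPLE_RULES = [
    {"mailbox": "alice@corp.example", "rule": "fwd-home", "enabled": True,
     "forward_to": ["Alice <alice.home@mail.example.net>"]},
    {"mailbox": "bob@corp.example", "rule": "team-copy", "enabled": True,
     "forward_to": ["ops@EU.Corp.Example"]},
    {"mailbox": "carol@corp.example", "rule": "old-fwd", "enabled": False,
     "forward_to": ["carol@corp.example", "c.backup@webmail.example.org"]},
    {"mailbox": "dave@corp.example", "rule": "broken", "enabled": True,
     "forward_to": ["not-an-address"]},
]

def domain_of(address):
    """Return the lower-cased domain of an address, or None if unparseable."""
    _, addr = parseaddr(address)
    if addr.count("@") != 1:
        return None
    domain = addr.rsplit("@", 1)[1].strip().rstrip(".").lower()
    return domain or None

def is_internal(domain, org_domains):
    """True if domain equals an organization domain or is a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in org_domains)

def external_forwarding_rules(rules, org_domains):
    """List every forwarding target that leaves the organization's domains."""
    org = {d.lower() for d in org_domains}
    findings = []
    for rule in rules:
        for target in rule.get("forward_to", []):
            domain = domain_of(target)
            if domain is not None and is_internal(domain, org):
                continue
            # Disabled rules are still reported: they can be re-enabled later.
            findings.append({
                "mailbox": rule["mailbox"],
                "rule": rule["rule"],
                "target": target,
                "enabled": rule.get("enabled", True),
                "reason": "unparseable target" if domain is None else "external domain",
            })
    return findings

if __name__ == "__main__":
    for finding in external_forwarding_rules(SAMPLE_RULES, ["corp.example"]):
        print(finding)
```

Targets that cannot be parsed are reported rather than skipped, so a malformed entry cannot hide an external destination.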