Massive hacking of users’ cloud computing services accounts

In its most recent report, the Cybersecurity and Infrastructure Security Agency (CISA) revealed that a group of threat actors has managed to bypass the multi-factor authentication mechanisms of some cloud service platforms. The Agency claims to have detected multiple successful attacks against supposedly protected user accounts.

The report mentions that “the hackers responsible for this campaign employed a wide variety of attack techniques, including the use of phishing emails, brute force tools, and cookie theft to access these systems protected with multi-factor authentication.”


CISA mentions that, at first, threat actors tried to access business accounts in the cloud using brute force attacks, which was unsuccessful. However, threat actors were able to bypass multi-factor authentication by hijacking an already authenticated session: they used stolen session cookies to log in to online services or web applications without having to repeat the MFA step. This attack variant is known as pass-the-cookie.

The attackers also used this access to compromise some hosting platforms, placing malicious files there for download. In other cases they modified the forwarding rules of some email accounts in order to collect large amounts of sensitive information from the compromised mailboxes.

Although there was some suspicion, CISA eventually confirmed that this campaign is not linked to hackers behind the attack on SolarWinds or any other recently detected hacking campaign. CISA appears to refer to cyberattack campaigns in which threat actors compromise the devices of users working from home due to pandemic mobility restrictions.

Experts mention that, while these accounts were protected with multi-factor authentication, the users' lack of further cybersecurity awareness was instrumental in the hackers achieving their goal. In its report, the agency included some recommendations for mitigating similar risks.

This is not the only threat detected by the Agency recently. Just a few days ago, CISA issued another alert related to the attack on multiple SolarWinds accounts, in addition to the detection of some systems infected with the Sunburst backdoor. The National Security Agency (NSA) also issued a statement regarding the forgery of credentials to access cloud platforms.