The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency today issued a warning concerning several recent cyberattacks targeting various cloud services.

The report states that threat actors are using phishing and other vectors to exploit poor cybersecurity hygiene practices within a victim’s cloud services configuration. The attacks are said to have occurred when employees have been working remotely and used a mixture of corporate laptops and personal devices to access corporate cloud services.

“Despite the use of security tools, affected organizations typically had weak cyber hygiene practices that allowed threat actors to conduct successful attacks,” CISA noted.

Along with phishing, where employees are targeted with fake emails pretending to be official and containing malicious links, other attack vectors include threat actors collecting sensitive information by taking advantage of forwarding rules. In one case, CISA verified that threat actors signed into a user’s account with multifactor authentication, possibly using browser cookies to defeat MFA with a so-called “pass-the-cookie” attack.

That attackers were able to bypass MFA also gained the attention of security experts. Tim Wade, technical director, of the CTO Team at artificial intelligence cybersecurity company Vectra AI Inc., told SiliconANGLE that despite CISA recommendations to enable MFA on all users, without exception, MFA bypass was observed to be part of this attack.

“The malicious use of electronic discovery continues to be highlighted as a technique employed by threat actors and organizations must ensure they’re prepared to identify when eDiscovery tools are abused,” Wade said. “Mail-forwarding, as simple as it sounds, continues to evade security teams as an exfiltration and collection method. On a practical level, the guidance to baseline an organization’s traditional IT and cloud networks is infeasible in practice without the use of AI and Machine Learning techniques.”

Discussing the phishing aspect, Brendan O’Connor, co-founder and chief executive of security posture management platform provider AppOmni Inc., noted that the best way to address that problem remains ensuring two-step authentication is enabled comprehensively and consistently.

“The more dangerous and stealthy threat is when attackers find data that has been unintentionally exposed to the world,” O’Connor added. “You don’t need to steal a user’s password if a misconfiguration or exposed application programming interface grants the entire internet access to your sensitive data.”

Image: CISA