This post was contributed by Sekhar Sarukkai, chief scientist at Skyhigh Networks.
Cybersecurity has become a new arms race, not just between countries, but between companies and hackers. As attackers targeting Office 365 become more sophisticated, security vendors have to constantly innovate to keep up. Over the past few months, Skyhigh has been tracking exactly this kind of attacker, one that launched a ‘Super Attack’ against the Office 365 accounts of 48 Skyhigh enterprise customers.
What made this attack sophisticated was that the attackers did not target as many users as possible, as is common in brute force login attacks. Instead, they went after a specific set of high-level employees in a “slow and low” manner to avoid being flagged by the cloud service provider (CSP). Luckily, none of the login attempts succeeded.
“Slow and Low” Strategy
To carry out the attack, the hackers first collected corporate usernames and passwords associated with multiple cloud services. With this information, they launched brute force attacks against those users’ Office 365 accounts, cycling through different variations of each employee’s name. For example, for someone named Jonathan Smith (name changed), companies saw a number of combinations, such as firstname.lastname@example.org, email@example.com, or firstname.lastname@example.org. This one account alone saw 17 attempts, spread across several username variations, within 4 seconds from 14 IP addresses. The attackers likely tried the same password against each username permutation.
Beyond the targeting itself, the attackers relied on two assumptions. First, that users reuse the same password across multiple accounts; this is evident because the attempts cycled through different usernames with the same password. Second, that multi-factor authentication (MFA) and single sign-on (SSO) were not enabled for the accounts holding sensitive data.
The third element of the “slow and low” strategy was the set of precautions the attackers took to stay under the radar. They staggered the attacks over a few months to avoid triggering lockout checks by CSPs, with only short bursts of activity in which one username was targeted from multiple IPs. Had they used a single IP, the CSP or hosting provider would likely have noticed and blacklisted the address. The second precaution was to choose only a few high-level users within each company, giving the highest chance of reaching sensitive information with the lowest chance of detection.
How Was The Attack Detected?
With such a sophisticated strategy, how was the attack detected at all? The threat was uncovered by the threat protection capabilities of Skyhigh Networks’ Cloud Access Security Broker (CASB). The threat protection engine used machine learning to detect variants of the brute force attack across multiple user accounts and companies, with the attempts originating from numerous IP addresses. The engine noticed abnormal login attempts and registered them as anomalies.
As these anomalies kept appearing, the login attempts were escalated to a confirmed threat. Using cross-customer analysis, the Skyhigh CASB identified 100,000 failed logins, confirming what the companies had feared: a sophisticated and widespread brute force login attack. Since then, the source IPs have been flagged and blacklisted and the targets have been notified of the threat.
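As an added illustration (not Skyhigh's engine or any code from the post), here is a small Python detector for the pattern described above: it folds username permutations back onto the person they target and alerts when one person is hit from many source IPs inside a short window, which a per-IP lockout rule would miss. The tenant directory, sample failed-login events and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed directory for a hypothetical tenant: canonical address -> (first, last).
# It lets the detector fold username permutations back onto the person they target.
DIRECTORY = {"jonathan.smith@example.org": ("jonathan", "smith")}

def aliases(first, last):
    """Local-part spellings that all resolve to the same person."""
    return {f"{first}.{last}", f"{first}{last}", f"{first[0]}{last}", f"{first[0]}.{last}",
            f"{first}_{last}", f"{last}.{first}", f"{last}{first[0]}"}

ALIAS_TO_USER = {a: canon for canon, (f, l) in DIRECTORY.items() for a in aliases(f, l)}
def resolve(username):
    """Map an attempted login name to the directory user it targets, or None."""
    local, _, domain = username.lower().partition("@")
    canon = ALIAS_TO_USER.get(local)
    return canon if canon and canon.endswith("@" + domain) else None

def detect_distributed_bursts(events, window=timedelta(seconds=10), min_ips=5):
    """events: (timestamp, attempted_username, source_ip) tuples for FAILED logins.
    Returns one (target, burst_start, attempts, distinct_ips, max_per_ip) per burst in
    which a single person was hit from at least min_ips addresses within `window`."""
    by_target = defaultdict(list)
    for ts, user, ip in events:
        target = resolve(user)
        if target:
            by_target[target].append((ts, ip))
    alerts = []
    for target, hits in by_target.items():
        hits.sort()
        i = 0
        while i < len(hits):
            start = hits[i][0]
            burst = [ip for ts, ip in hits[i:] if ts - start <= window]
            per_ip = defaultdict(int)
            for ip in burst:
                per_ip[ip] += 1
            if len(per_ip) >= min_ips:  # max_per_ip shows each IP stays under lockout limits
                alerts.append((target, start, len(burst), len(per_ip), max(per_ip.values())))
                i += len(burst)  # report each burst once
            else:
                i += 1
    return alerts

# Constructed sample mirroring the post's figures: 17 failed attempts against one person,
# cycling five username spellings, over 4 seconds from 14 source IPs (TEST-NET addresses).
T0 = datetime(2017, 8, 1, 9, 30, 0)
NAMES = ["jonathan.smith", "jsmith", "jonathansmith", "j.smith", "jonathan_smith"]
SAMPLE_FAILED_LOGINS = [(T0 + timedelta(milliseconds=250 * i), f"{NAMES[i % 5]}@example.org",
                         f"203.0.113.{1 + i % 14}") for i in range(17)]
```

On the sample, `detect_distributed_bursts(SAMPLE_FAILED_LOGINS)` reports one burst of 17 attempts from 14 IPs with at most 2 attempts per IP, well under any realistic per-IP lockout threshold.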
Thwarting Sophisticated Attacks In The Future
Although this attack was detected and remediated by the CASB’s threat protection capability, organizations of all sizes should have some form of multi-factor authentication (MFA) turned on. MFA makes a brute force login attack far harder to carry out successfully, even when the attackers obtain the correct login credentials.
In addition, cloud security’s shared responsibility model requires organizations to take responsibility for part of the security of their cloud applications. That includes putting a robust cloud security infrastructure in place. It is equally important to run rigorous employee cybersecurity training. This should cover how to recognize phishing attempts, how to detect and avoid malware-infected websites, and how to use cloud services without putting sensitive corporate data at risk.