Cybercriminals are Bypassing Multi-factor Authentication to Access Organisation’s Cloud Services

5 years ago Graham Cluley

The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to companies to better protect their cloud-based accounts after several recent successful attacks.

According to an advisory published by CISA, an increasing number of attacks have succeeded as more employees have begun to work remotely with a variety of corporate laptops and personal devices during the COVID-19 pandemic.

CISA has observed that the attackers have used a variety of techniques, including phishing and brute force login attempts to exploit human weaknesses and the security configuration of corporate cloud accounts.

In one case described in the advisory, an organisation did not require a VPN for access to its corporate network. That deliberately lax configuration, chosen to make life easier for remote workers, left the network open to anyone who could succeed with a brute-force login attack.

In other instances, malicious hackers were seen phishing for users’ cloud service account login credentials with emails that claimed to link to a “secure message” hosted on a legitimate site, which required users to log in.

“After a targeted recipient provided their credentials, the threat actors then used the stolen credentials to gain initial access to the user’s cloud service account.”

“CISA observed the actors’ logins originating from foreign locations (although the actors could have been using a proxy or The Onion Router (Tor) to obfuscate their location). The actors then sent emails from the user’s account to phish other accounts within the organization. In some cases, these emails included links to documents within what appeared to be the organization’s file hosting service.”

Perhaps most interestingly of all, CISA warned that it had seen evidence that cybercriminals had successfully bypassed the highly-recommended security measure of multi-factor authentication (MFA) to compromise cloud service accounts.

In the case it cited, CISA said it believed the malicious hackers may have used a “pass-the-cookie” attack to waltz around MFA.

It’s worth bearing in mind that although multi-factor authentication is undoubtedly an excellent way to harden your security and make it harder for criminals to break into an account, it does not make a break-in impossible for a determined attacker.

For instance, in March 2018 the cryptocurrency exchange Binance halted all withdrawals after emergency systems spotted a two minute period of abnormal trading activity.

It later transpired that phishing attacks had taken users to a site purporting to be Binance, which asked them to enter their password and MFA codes. As the MFA code remained valid for 30 seconds, it could be used by the attackers to generate a trading API key for the genuine site.

Although it’s clear that attackers can circumvent MFA through social engineering and technical attacks, that doesn’t mean that you shouldn’t use it. In Microsoft’s own words, “your account is more than 99.9% less likely to be compromised if you use MFA.”

Clearly, users still need to be cautious that they are only entering their MFA codes on genuine sites, and not on a bogus site created by an attacker in an attempt to steal and use them for their own ends.

Once they have gained access to a company’s cloud-based service, of course, a cybercriminal has many tricks up their sleeve – including being able to gather information about an organisation, exfiltrate data, attack the systems of other employees and partners, and set up mail-forwarding rules to continue to access sensitive information even if login credentials are later changed to block future access.
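Two of the behaviours described above leave traces in cloud audit logs: a session token that suddenly appears from a different client than the one that completed MFA (the shape of a pass-the-cookie replay), and a mailbox rule that forwards mail to an address outside the organisation. The following is an added example, not code from the article or from CISA, of a small triage script that runs both checks over a constructed JSON-lines audit log. The log format, its field names (`type`, `session`, `ip`, `ua`, `mfa`, `action`, `target`), the sample addresses and the `INTERNAL_DOMAINS` set are all this example's own assumptions, not any vendor's schema.

```python
import json

# Constructed sample audit log in JSON-lines form (example schema, not a real vendor's).
# alice signs in with MFA from one client; later the same session token is used from a
# different address and browser, which then creates an external forwarding rule.
# bob's forwarding rule targets an internal address and should not be flagged.
SAMPLE_LOG = """\
{"ts": "2021-01-13T08:01:00Z", "type": "signin", "user": "alice@example.com", "session": "sess-a1", "ip": "203.0.113.5", "ua": "Chrome/88", "mfa": true}
{"ts": "2021-01-13T08:05:00Z", "type": "activity", "user": "alice@example.com", "session": "sess-a1", "ip": "203.0.113.5", "ua": "Chrome/88"}
{"ts": "2021-01-13T09:12:00Z", "type": "activity", "user": "alice@example.com", "session": "sess-a1", "ip": "198.51.100.77", "ua": "Firefox/84"}
{"ts": "2021-01-13T09:13:00Z", "type": "mailbox_rule", "user": "alice@example.com", "session": "sess-a1", "ip": "198.51.100.77", "ua": "Firefox/84", "action": "forward", "target": "collector@example.net"}
{"ts": "2021-01-13T08:30:00Z", "type": "signin", "user": "bob@example.com", "session": "sess-b1", "ip": "203.0.113.9", "ua": "Edge/88", "mfa": true}
{"ts": "2021-01-13T08:40:00Z", "type": "mailbox_rule", "user": "bob@example.com", "session": "sess-b1", "ip": "203.0.113.9", "ua": "Edge/88", "action": "forward", "target": "bob.archive@example.com"}
"""

INTERNAL_DOMAINS = {"example.com"}   # assumed list of the organisation's own mail domains


def parse_events(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_session_reuse(events: list) -> list:
    """Flag a session token seen from a (ip, user agent) pair other than the one that
    completed MFA. A fresh MFA sign-in re-binds the session to the new client, so a
    legitimate re-authentication from another device is not flagged."""
    origin = {}      # session -> client that passed MFA
    reported = set() # (session, client) pairs already reported, to avoid one alert per event
    findings = []
    for ev in events:
        session = ev["session"]
        client = (ev["ip"], ev["ua"])
        if ev["type"] == "signin" and ev.get("mfa"):
            origin[session] = client
            continue
        if session in origin and origin[session] != client and (session, client) not in reported:
            reported.add((session, client))
            findings.append({"kind": "session_reuse", "user": ev["user"], "session": session,
                             "expected": origin[session], "seen": client, "ts": ev["ts"]})
    return findings


def detect_external_forwarding(events: list, internal_domains=INTERNAL_DOMAINS) -> list:
    """Flag forwarding rules whose target mailbox is outside the organisation's domains."""
    findings = []
    for ev in events:
        if ev["type"] != "mailbox_rule" or ev.get("action") != "forward":
            continue
        domain = ev["target"].rsplit("@", 1)[-1].lower()
        if domain not in internal_domains:
            findings.append({"kind": "external_forward", "user": ev["user"], "session": ev["session"],
                             "target": ev["target"], "ts": ev["ts"]})
    return findings


def triage(text: str) -> list:
    """Run both detections over a JSON-lines log and return the combined findings."""
    events = parse_events(text)
    return detect_session_reuse(events) + detect_external_forwarding(events)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(json.dumps(finding))
```

On the sample log the script reports exactly two findings, both for alice: the session token used from a new address and browser without a fresh MFA event, and the forwarding rule to `example.net`. The session check is deliberately coarse (an address change alone can be a mobile user switching networks), so in practice it is a triage signal to pair with the forwarding-rule check and with the sign-in location data CISA mentions, not a block on its own; the forwarding check maps directly onto the advisory's recommendation to restrict email forwarding.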

CISA has published a long list of recommendations on its website that can help organisations strengthen their cloud security practices, including the enforcement of multi-factor authentication, restrictions on email forwarding, a recommendation not to use personal devices for work, and a focus on security awareness training for employees.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

The post ” Cybercriminals are Bypassing Multi-factor Authentication to Access Organisation’s Cloud Services” appeared first on TripWire

Source: TripWire – Graham Cluley
