Cloud Security Roundup: Microsoft 365 Phishing Attacks, Washington’s Potential Privacy Law, and More
Each month, we bring you some of the most compelling cloud and Salesforce security-related stories from the last few weeks. In this post, we discuss cyberattacks that bypass MFA, third-party permission threats, Microsoft 365 phishing vulnerabilities, and more.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert to warn organizations that cloud services are increasingly being targeted, and multi-factor authentication may not be enough to prevent the attacks. Cybercriminals are bypassing MFA by taking advantage of misconfigured cloud environments and using “pass-the-cookie” attacks, which utilize authentication information stored in browser cookies.
“These types of attacks frequently occurred when victim organizations’ employees worked remotely and used a mixture of corporate laptops and personal devices to access their respective cloud services,” said the CISA alert. “Despite the use of security tools, affected organizations typically had weak cyber-hygiene practices that allowed threat actors to conduct successful attacks.”
Detecting cyberattacks that bypass MFA may seem difficult, but is made possible through user activity monitoring. Tracking user behavior generates a baseline so IT security teams know when a user engages in suspicious activity like logging in outside of business hours or from an unknown IP address. Abnormal user behavior may indicate that their credentials have been compromised and a hacker is using their account to offload company data.
The number of exposed records rose 141% in 2020 to reach a new high of 37 billion according to Risk Based Security. The researchers attributed the increase in exposed records to several super-sized breaches – 82% of the breached records originated from just five incidents. The driving force behind last year’s breaches was found to be human error. Specifically, human error in the form of cloud misconfiguration, which leaves databases (many of which store volumes of sensitive data) vulnerable to cyberattacks.
External actors were responsible for 77% of the breaches and the leading external attack source was stolen user credentials. Of those breaches attributed to insiders, nearly 70% were caused by human error. The four sectors with the highest number of reported breaches were information (14.5%), healthcare (14.3%), finance & insurance (12.1%), and public administration (11.5%).
Washington state lawmakers have attempted for three years to pass data privacy regulations that would strengthen the state’s laws regarding how companies handle citizens’ data. Similar to the EU’s GDPR, the latest data privacy proposal from the state’s lawmakers – Washington Senate Bill 5062 – would give residents the right to determine what kind of data companies collect on them as well as the power to review the information upon request. The bill would also enable Washingtonians to correct or delete their personal information and opt out of companies processing their data.
The law would apply to businesses that manage the personal data of Washington residents and meet the following thresholds:
- Processes the data of more than 100,000 consumers
- Generates over 25% of gross revenue from selling personal data and processes the data of more than 25,000 consumers
- Is not a government entity or municipal corporation and the data isn’t collected for employment purposes
If passed, Senate Bill 5062 would go into effect on July 31, 2022 with a four-year delay for nonprofit organizations and higher education institutions.
“I’ve tried to take the best practices of GDPR and the best practices of the California law and the uniqueness of Washington, and come up with an evidence-based best practices of a bill.”
– Washington Sen. Reuven Carlyle.
New research revealed that 82% of companies assign third-party vendors high-level privileges in cloud environments, giving them unfettered access to data. By assigning more permissions than necessary, organizations are vulnerable to security threats and data breaches if users inappropriately access company data or their accounts are compromised.
The researchers also found that 76% of organizations provide third parties with roles that enable full account takeovers – access that should be reserved only for admins and other closely-monitored roles. 90% of security teams weren’t aware that they’d assigned high permission levels to third-party vendors, creating unknown and unmonitored risk.
To prevent data threats when working with third parties, use the principle of least privilege, which limits the permissions of users – including third parties – to only those needed to complete work. Review your default setup for third parties to see if the permissions are accurate for the work they’ll be doing.
“Less is more – less permissions means less liability, whereas too many permissions could mean they’re next in line to becoming a target for adversaries.”
– Shir Tamari, Head of Research, Wiz Research
According to Trend Micro, recent phishing campaigns are relying on fake Microsoft 365 updates and login pages to harvest credentials and gain access to sensitive data. The attackers send authentic-looking phishing emails posing as company IT staff urging users to update their expired Office 365 passwords. Upon clicking the email, victims are redirected to a page where they’re prompted to enter their username and password, which are routed to the hackers.
C-suite executives, especially CEOs, are primary targets of these scams. Cybercriminals use C-level email addresses to access valuable company data or conduct social engineering attacks like business email compromise.
"The attackers reuse compromised hosts for the phishing pages targeting organizations in the manufacturing, real estate, finance, government and technological industries in several countries, such as Japan, the United States, U.K., Canada, Australia and Europe.”
– Trend Micro
Regular security training can help employees of all levels identify phishing emails. But humans are fallible, making additional layers necessary to avoid a malicious actor from accessing an organization’s network. To detect if a user’s credentials have been compromised, rely on a user activity monitoring solution to detect abnormal user behavior and flag it for remediation.
A group of U.S. federal intelligence agencies formed the Cyber Unified Coordination Group (UCG) to investigate and remediate cyber incidents involving government networks. The participating agencies include the National Security Council (NSC), the FBI, the Cybersecurity & Infrastructure Security Agency (CISA), and the Director of National Intelligence (ODNI).
The agency’s current focus is on the recent SolarWinds cyber incident and its impact on federal networks. Approximately ten federal agencies were affected by the SolarWinds Orion cyberattacks, and the agency is using its collective intelligence, cybersecurity expertise, and mitigation tactics to identify the origins of and evaluate the scale of the attack.
“The UCG remains focused on ensuring that victims are identified and able to remediate their systems, and that evidence is preserved and collected. Additional information, including indicators of compromise, will be made public as they become available.”
– The Cyber Unified Coordination Group (UCG)