Malicious Microsoft Cloud Account Takeover Campaign

Uploaded on 2024-02-20 in NEWS-Cybersecurity News, FREE TO VIEW, TECHNOLOGY--Hackers

Cyber criminals are following businesses into the cloud. As more companies adopt hosted email and webmail, cloud productivity apps like Microsoft Office 365 and Google Workspace, and cloud development environments like AWS and Azure, cyber criminals have found that the basic corporate account credential is a lucrative potential source of money and a platform for further damaging exploits.

This is demonstrated by an active Cloud Account Takeover campaign (ATO) which has  hit dozens of Azure environments and compromised hundreds of user accounts on the cloud computing platform run by Microsoft.

Researchers at cyber security firm Proofpoint have observed a new malicious campaign targeting dozens of Microsoft Azure environments. They detected ‘a dramatic surge of over 100% in successful cloud account takeover incidents impacting high-level executives at leading companies’ over the last six months. Proofpoint  first discovered an integrated credential phishing and cloud ATO campaign in late November 2023 and have been monitoring an ongoing cloud account takeover campaign impacting dozens of Microsoft Azure environments, compromising hundreds of user-accounts, including senior executives.

This campaign is still active with individually tailored phishing lures created within shared documents, including embedded links to ‘view document’ but also leading to a malicious phishing webpage.

The affected user base includes a wide variety of positions and the ones often hit including Sales Directors, Account Managers, and Finance Managers. Other executive positions such as Vice President, Operations, Chief Financial Officer & Treasurer and President & CEO were also targeted. The varied selection of targeted roles indicates a practical strategy by threat actors, aiming to compromise accounts with various levels of access to valuable resources and responsibilities across organisational functions.

During the access phase of the attack, the attackers use a specific Linux user-agent (which can be used by defenders as an IOC): “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36”. This is used primarily to access the OfficeHome sign-in application and gain access to a range of native Microsoft365 apps.

If this initial access succeeds, post-compromise activities include MFA manipulation to maintain persistence. This can include registering a fake phone number for SMS authentication, or adding a separate authenticator with notification and code.

Subsequent activity is likely to include data exfiltration, internal and external phishing, financial fraud, and compromise obfuscation through new mailbox rules to cover tracks and remove evidence of malicious activity from the victims’ mailboxes.

Frequently alternating proxies align the source of the attack with the geolocation of the target to evade geo-fencing defence policies, making it more difficult to detect and block the malicious activity. However, the researchers did detect three non-proxy fixed-line ISPs: two in Nigeria (Airtel Networks Limited and MTN Nigeria Communication Limited) and one in Russia (Selena Telecom LLC).

Proofpoint Recommendations

To strengthen your organisation's defences against this attack, consider the following measures:

  • Monitor for the specific user agent string and source domains in your organization’s logs to detect and mitigate potential threats. 
  • Enforce immediate change of credentials for compromised and targeted users, and enforce periodic password change for all users.
  • Identify account takeover (ATO) and potential unauthorised access to sensitive resources in your cloud environment. Security solutions should provide accurate and timely detection for both initial account compromise and post-compromise activities, including visibility into abused services and applications.
  • Identify initial threat vectors, including email threats (e.g. phishing, malware, impersonation, etc.), brute-force attacks, and password spraying attempts.
  • Employ auto-remediation policies to reduce attackers’ dwell time and minimise potential damages.  

Proofpoint does not reveal the origins of the campaign, but they do say there may be a Russian and/or Nigerian connection.

For the most part the attackers’ infrastructure comprises proxies, data hosting services and hijacked websites. “There is a possibility that Russian and Nigerian attackers may be involved,” say the researchers, “drawing parallels to previous cloud attacks.”  

Proofpoint    Microsoft    Security Week      Tahawultech.com     Proofpoint     TD Synnex    Global Security     

Image: Ed Hardie

You Might Also Read: 

Microsoft Is The Most Commonly Used Alias In Phishing Attacks:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

« British Police, AI & The Fight Against Cyber Crime 
British Library Still In Recovery »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Exploit Database (EDB)

Exploit Database (EDB)

The Exploit Database is a CVE compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers.

Cyber Defense Media Group (CDMG)

Cyber Defense Media Group (CDMG)

CDMG is the leading global media group for all things cyber defense.

Pervade Software

Pervade Software

Pervade Software is a global provider of dedicated compliance tracking software with monitoring & reporting capabilities.

CyberTrap

CyberTrap

CyberTrap is an advanced highly-interactive deception technology allowing real-time analysis and control of security breaches.

ExpressVPN

ExpressVPN

ExpressVPN is a Virtual Private Network services provider offering secure encrypted access to the internet.

Cybersecurity Innovation Hub

Cybersecurity Innovation Hub

The main objective of the Hub is to bring cybersecurity and other advanced technologies closer to companies and as a result help to increase their performance as Industry 4.0.

ReconaSense

ReconaSense

ReconaSense helps protect people, assets, buildings and cities with its next-gen access control and converged physical security intelligence platform.

Crypto Quantique

Crypto Quantique

Crypto Quantique's ground-breaking technology radically simplifies the process of generating a hardware root of trust in an IoT device.

CertiK

CertiK

CertiK uses rigorous Formal Verification technology to provide hacker-resistant smart contract and blockchain audits, thorough penetration testing, and customized security integrations.

Graylog

Graylog

Graylog provides answers to your team’s security, application, and IT infrastructure questions by enabling you to combine, enrich, correlate, query, and visualize all your log data in one place.

BaaSid

BaaSid

BaaSid is next generation security technology for data security & security authentication based on De-centralized & Blockchain.

CySecK

CySecK

CySecK is a Centre of Excellence in Cybersecurity formed in 2017 by the Government of Karnataka, as part of the Technology Innovation Strategy.

Exacom

Exacom

Exacom is a leading provider of multimedia logging/recording solutions across public safety, government, DoD, energy, utilities, transportation, and security applications.

MyTurn Career LLC

MyTurn Career LLC

Looking for a rewarding career in cybersecurity? Explore a wide range of cybersecurity jobs and opportunities in this rapidly evolving field.

COGITANDA Dataprotect

COGITANDA Dataprotect

COGITANDA are a group of companies focused on dealing with cyber risks, managing them and insuring them.

RKON

RKON

RKON Technologies provides managed IT and cybersecurity services to organizations across various industries, helping businesses mitigate risks and secure their digital infrastructures.