With the growth of cloud services and remote work, identity has become a primary target for attackers. Identity-based attacks are now among the biggest threats to organizations and can be seen in nearly 80 percent of all cyberattacks, according to CrowdStrike’s latest Global Threat Report.
Cloud-based services are now an important part of many business processes, facilitating file sharing and collaboration, especially in the era of hybrid work. However, these same services are increasingly being abused by cyber actors for network operations, a trend that is expected to continue for the foreseeable future as more organizations move to hybrid work environments. One of the most common attack vectors against cloud environments is credential theft. The reason is that hybrid work means many employees no longer work in an office but connect remotely via collaboration applications, VPNs, and other services, and often authenticate with nothing more than a username and password.
To obtain these credentials, criminal actors host fake authentication sites that collect legitimate logins for cloud services such as Microsoft Office 365 (O365), Okta, or online webmail accounts, and later use them to access the victims’ accounts. But the victims’ own accounts are not the only target: access to cloud-hosted email or file hosting services also supports the perpetrators’ espionage and data theft activities.
Serious threat – big names also targeted
Today’s attackers are extremely adept at obtaining and abusing stolen credentials, and they do not shy away from the large cloud providers. For example, in April 2021, CrowdStrike observed the Turkey-based hacker group COSMIC WOLF targeting victim data stored in an Amazon Web Services (AWS) cloud environment. The attackers authenticated to the AWS environment with stolen usernames and passwords, which also carried sufficient permissions to operate from the command line. With that access they modified security settings to allow direct Secure Shell (SSH) access to the AWS hosts from their own infrastructure, which enabled the data theft.
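The COSMIC WOLF pattern above (stolen credentials, then a security-group change exposing SSH) leaves a recognisable trail in AWS CloudTrail. The following is an added example written for this page, not code from CrowdStrike or from the original article: it runs simple detection logic over constructed CloudTrail records, flagging successful console logins without MFA and `AuthorizeSecurityGroupIngress` calls that open TCP/22 to any source outside a hypothetical corporate allowlist (`TRUSTED_CIDRS`, an assumption), and then correlates the two by principal. It generalises a little beyond the single case in the text: it also catches port ranges that include 22, the `-1` (all protocols) rule form, and IPv6 ranges. The sample events use documentation IP space and are constructed for illustration.

```python
import ipaddress

# Hypothetical allowlist of the organization's own egress ranges; an SSH rule
# whose source lies outside these is treated as suspicious. (Assumption for
# this example, not from the page.)
TRUSTED_CIDRS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample CloudTrail records (documentation IP ranges, not real data).
# Field names follow the CloudTrail record layout for ConsoleLogin and EC2 events.
SAMPLE_EVENTS = [
    {   # stolen-credential login: IAM user signs in to the console without MFA
        "eventName": "ConsoleLogin",
        "eventSource": "signin.amazonaws.com",
        "sourceIPAddress": "203.0.113.77",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # same principal then opens TCP/22 to a range outside the allowlist
        "eventName": "AuthorizeSecurityGroupIngress",
        "eventSource": "ec2.amazonaws.com",
        "sourceIPAddress": "203.0.113.77",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [{
                "ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                "ipRanges": {"items": [{"cidrIp": "203.0.113.0/24"}]},
            }]},
        },
    },
    {   # benign: an admin opens TCP/22 only to the corporate range
        "eventName": "AuthorizeSecurityGroupIngress",
        "eventSource": "ec2.amazonaws.com",
        "sourceIPAddress": "198.51.100.10",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [{
                "ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                "ipRanges": {"items": [{"cidrIp": "198.51.100.0/24"}]},
            }]},
        },
    },
]


def cidr_is_trusted(cidr: str) -> bool:
    """True if the CIDR lies entirely inside one of the allowlisted ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_CIDRS)


def ssh_ingress_findings(event: dict) -> list:
    """Return the untrusted source CIDRs that this event opens to TCP/22.
    Covers port ranges that include 22 and the "-1" (all protocols) rule form."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    perms = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    findings = []
    for perm in perms:
        proto = perm.get("ipProtocol")
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        covers_ssh = proto == "-1" or (
            proto == "tcp" and lo is not None and hi is not None and lo <= 22 <= hi)
        if not covers_ssh:
            continue
        ranges = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        ranges += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
        findings.extend(c for c in ranges if c and not cidr_is_trusted(c))
    return findings


def login_without_mfa(event: dict) -> bool:
    """Successful console login for which CloudTrail did not record MFA use."""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and event.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def triage(events: list) -> list:
    """Flatten the events into (alert_kind, principal, detail) tuples."""
    alerts = []
    for ev in events:
        user = ev.get("userIdentity", {}).get("userName", "<unknown>")
        if login_without_mfa(ev):
            alerts.append(("console_login_no_mfa", user, ev.get("sourceIPAddress")))
        for cidr in ssh_ingress_findings(ev):
            alerts.append(("ssh_opened_to_untrusted", user, cidr))
    return alerts


def correlate(alerts: list) -> list:
    """Principals that both logged in without MFA and exposed SSH to untrusted
    space: the chain the text attributes to stolen credentials."""
    kinds_by_user = {}
    for kind, user, _ in alerts:
        kinds_by_user.setdefault(user, set()).add(kind)
    wanted = {"console_login_no_mfa", "ssh_opened_to_untrusted"}
    return sorted(u for u, kinds in kinds_by_user.items() if wanted <= kinds)


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print("suspected credential-abuse chain:", correlate(found))
```

In a real deployment the same two checks would run against the CloudTrail stream (or an EventBridge rule), with the allowlist drawn from the organization’s actual egress ranges; the correlation step is what turns two individually noisy signals into the pattern worth paging on.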
Another state actor for which credential harvesting plays an important role is FANCY BEAR, which Western intelligence agencies assess to be a unit of the Russian military intelligence agency GRU. The group uses credential harvesting to collect information and gain initial access to target organizations or individuals. Early in its operational career, FANCY BEAR relied mainly on spear-phishing emails containing malicious documents or links to harvest credentials.
However, after numerous operations were uncovered, FANCY BEAR revised its operational approach and scaled back its use of malware. Given the trend of public and private entities increasingly hosting parts of their internal infrastructure (e.g., email, internal chat, or identity and device management services) on cloud services, in 2021 the group targeted a number of cloud-based email providers with a variety of data collection methods. These include enterprise services such as Microsoft 365 or G Suite, but also webmail services more commonly used by individuals. FANCY BEAR’s credential collection operations have been refined over the years and run at consistently high volume and speed.
Cloud services also attract criminals
But it is not only state actors who use identity-based attacks to reach their targets. eCrime actors also rely on credential theft as an initial access vector, and this is becoming an increasing problem in ransomware campaigns. Companies therefore need to adapt their defenses to stay one step ahead. Without zero trust policies, an attacker using valid credentials is very hard for most IT departments to distinguish from normal, authorized day-to-day activity, which buys the attacker valuable time to scout out the real target of the attack unnoticed.
In addition, once defenders have detected an attack in progress, stopping the intruder can be surprisingly difficult, especially when the attack originates from an unmanaged host. A managed system can be isolated from the network in a matter of minutes. By contrast, stopping the misuse of stolen credentials from a system outside the security team’s control can take hours, because in most organizations the request has to work its way through several IT silos.
Making cloud infrastructure more resilient
Protecting against stolen-identity threats is critical for enterprises today, but technology alone is not a panacea. Sophisticated attacks require a blend of technology and human expertise to build defenses that stay current and allow threat response within minutes. Enterprises need to rethink security for every element, from the endpoint to the cloud to the network, on the basis of Zero Trust.