Hackers leveraging Collection #1 dump to attack cloud applications
14 March 2019
New research has revealed how hackers from various countries, especially China and Nigeria, have been leveraging credential dumps and legacy protocols to launch brute-force attacks on cloud applications such as Microsoft Office 365 and Google G Suite on a massive scale.
Proofpoint’s Cloud Application Attack Snapshot: Q1 2019 research has found a 65% rise in cyber attacks launched against popular cloud applications including Office 365 and Google G Suite between September 2018 and February 2019, with 40% of such attacks originating from Nigeria and another 26% carried out using IP addresses located in China.
Cyber criminals behind attacks on cloud applications either carried out brute-force attacks on applications to crack passwords or targeted employees at organisations with phishing methods to lure them into clicking and revealing their authentication credentials for cloud application accounts.
Credential dumps facilitated attacks on cloud applications
A large number of brute-force attacks were carried out using millions of credentials that were leaked/stolen in the recent past. One such major breach took place in December last year when a massive database containing nearly 773 million unique email addresses and over 21 million unique passwords was found hosted on cloud service MEGA without any security whatsoever and could be accessed by anyone with access to the Internet.
According to Proofpoint’s research, the data breach (popularly known as Collection #1) drove a 60% spike in breached user accounts as hackers used usernames and passwords from the database to carry out brute-force attacks on cloud applications including Microsoft Office 365 and Google G Suite.
Aside from using massive data dumps on the Internet, hackers also leveraged legacy protocols such as IMAP, which authenticate with a username and password alone, to bypass multifactor authentication and infiltrate cloud applications. As many as 60% of Microsoft Office 365 and G Suite users were targeted using IMAP-based password-spraying attacks, and 44% of accounts at targeted organisations were breached using this technique. These attacks also successfully breached one in four cloud accounts owned by Office 365 and G Suite tenants.
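The IMAP password-spraying pattern described above (one source trying a few passwords against many accounts over a legacy protocol that MFA does not cover) is something a tenant can look for in its own sign-in logs. The following is an added detection example, not code from the article or from Proofpoint; the log field names and the sample sign-in records are constructed for the demo and only loosely modelled on cloud sign-in logs.

```python
# Added example: flag a source IP that fails legacy-protocol (IMAP/POP/SMTP)
# logins against many distinct accounts in a short window, and report any
# account the same IP did get into. Field names are assumptions; the log
# lines below are constructed, not real data.
import json
from collections import defaultdict
from datetime import datetime, timedelta

LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP"}  # basic-auth protocols that skip MFA

SAMPLE_LOG = """
{"ts": "2019-02-01T09:00:01Z", "user": "alice@example.edu", "ip": "203.0.113.7", "client": "IMAP4", "ok": false}
{"ts": "2019-02-01T09:00:04Z", "user": "bob@example.edu", "ip": "203.0.113.7", "client": "IMAP4", "ok": false}
{"ts": "2019-02-01T09:00:09Z", "user": "carol@example.edu", "ip": "203.0.113.7", "client": "IMAP4", "ok": false}
{"ts": "2019-02-01T09:00:15Z", "user": "dave@example.edu", "ip": "203.0.113.7", "client": "IMAP4", "ok": false}
{"ts": "2019-02-01T09:00:21Z", "user": "erin@example.edu", "ip": "203.0.113.7", "client": "IMAP4", "ok": false}
{"ts": "2019-02-01T09:00:27Z", "user": "frank@example.edu", "ip": "203.0.113.7", "client": "IMAP4", "ok": true}
{"ts": "2019-02-01T09:02:00Z", "user": "grace@example.edu", "ip": "198.51.100.4", "client": "Browser", "ok": false}
{"ts": "2019-02-01T09:05:00Z", "user": "heidi@example.edu", "ip": "192.0.2.9", "client": "IMAP4", "ok": false}
"""

def parse_events(text):
    """Parse one JSON sign-in record per line into dicts with datetime timestamps."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events

def detect_spray(events, window=timedelta(minutes=30), min_users=5):
    """Return one alert per source IP whose legacy-protocol failures hit at least
    `min_users` distinct accounts inside `window`, plus accounts it logged into."""
    by_ip = defaultdict(list)
    for e in events:
        if e["client"] in LEGACY_CLIENTS:      # modern-auth clients are covered by MFA
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):     # slide the window over this IP's events
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            failed_users = {e["user"] for e in in_window if not e["ok"]}
            if len(failed_users) >= min_users:
                compromised = sorted({e["user"] for e in in_window if e["ok"]})
                alerts.append({"ip": ip, "targets": len(failed_users), "compromised": compromised})
                break                       # one alert per IP is enough
    return alerts
```

Tune `min_users` and `window` to the tenant's normal IMAP traffic; a single failed IMAP login from one IP (the last sample line) is not flagged, while the spraying IP is, together with the account it successfully entered.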
“As organisations continue to move their mission-critical business functions to the cloud, cybercriminals are taking advantage of legacy protocols that leave individuals vulnerable when using cloud applications. These attacks are laser-focused on specific individuals, rather than infrastructure, and continue to grow in sophistication and scope,” said Ryan Kalember, executive vice president of Cybersecurity Strategy for Proofpoint.
76% of attacks on cloud applications originated in Nigeria and China
An analysis of over one hundred thousand cloud application attacks by Proofpoint revealed that as many as 53% of brute-force attacks on cloud applications originated from China, followed by 39% from Brazil. 63% of phishing attacks on cloud applications originated from Nigeria, followed by 21% from South Africa. Overall, 76% of cloud application attacks originated from Nigeria (40%) and China (26%).
“The attacker’s primary aim is often to launch internal phishing, especially if the initial target does not have the access needed to move money or data. Post-login access to a user’s cloud email and contact information improve an attacker’s ability to expand footholds within an organization via internal phishing and internal BEC, which are much harder to detect than external phishing attempts. Attackers also leverage these trusted user accounts or brands to launch external attacks or make use of the infrastructure as part of broader attack campaigns,” Proofpoint noted.
Higher education sector most vulnerable to brute-force attacks
The firm added that while attackers have been targeting organisations across multiple sectors, the higher education sector was found to be the most vulnerable to high-volume brute-force attacks, with 70% of higher education organisations suffering breaches from brute-force attacks that leveraged the legacy IMAP protocol. Most attacks targeting the higher education sector were carried out to gain access to valuable data, such as scientific research.
A large number of password-spraying attacks were also carried out by attackers targeting university and high school faculty and students, and 15% of successful breaches using this method affected educational institutions’ users.
Aside from educational institutions, other high-value targets of hackers behind cloud application attacks included retail, finance, and technology firms as well as payroll departments that provided access to employee paychecks and financial documents.
“This study demonstrates the increasing sophistication of threat actors around the world who are leveraging brute force methods, massive credential dumps, and successful phishing attacks to compromise cloud accounts at unprecedented scale. Service accounts and shared mailboxes are particularly vulnerable while multifactor authentication has proven vulnerable.
“Attackers parlay successful compromises into internal phishing attacks, lateral movement in organisations, and additional compromises at trusted external organizations. Organizations need to implement layered, intelligent security measures – including user education – to combat these evolving threats that are increasingly successful in compromising user cloud accounts,” Proofpoint added.