Sophisticated and coordinated hackers are constantly adapting and using innovative techniques to gain unauthorized access to corporate data. Recently, 48 Office 365 customers experienced exactly this kind of threat where an attacker implemented a new strategy to try to access high-level information.

The brute force login attack was unique in that it was directed against a few key targets across multiple companies instead of casting a wider net against as many users as possible. There were 100,000 failed-login attempts originating from 67 IPs and 12 networks over a period of nearly 7 months.

This “slow and low” strategy was designed to avoid detection by the cloud service provider (in this case, Microsoft).

The other aspect that stood out was that it was a cloud-to-cloud attack where the hackers used the infrastructure of public hosting services to launch the attack on a SaaS service.

A New Strategy to Avoid Detection

The first step of the hackers’ plan involved acquiring corporate usernames and passwords from multiple companies that may be tied to multiple cloud services (not necessarily Office 365).

The attackers tried different email variations derived from the employee name to try to gain access to potentially sensitive information. For example, someone named Elizabeth Miller (name changed) at Company X faced a number of login attempts into her account that used addresses such as emiller@companyx.com, elizabeth.miller@companyx.com, or lisa.miller@companyx.com.

In fact, one account fell victim to as many as 17 username variations from 14 IPs in just 4 seconds.

Although the passwords the attackers used could not be viewed in clear text, it can be inferred that they tried the same password with every username variation, because each address was used only once to attempt the unauthorized login.

The attackers assumed that the users used the same password across multiple accounts, which would allow them to change the username but use the same password. Another assumption was that the accounts lacked basic security provisions, such as multi-factor authentication (MFA).

Detecting the Undetectable

The attackers staggered their login attempts over the course of several months. They focused on one username at a time, and even then it was only targeted for a few seconds. This, along with the use of more than one IP, was intended to avoid triggering any alerts or account lockouts.

Attacking several different customers was yet another tactic to avoid generating a pattern of behavior indicative of a threat. Lastly, the attackers only targeted a handful of high-value Office 365 accounts at each organization, knowing full well that a broader attack would be detected by either the cloud service provider or the organization under attack.

The “slow and low” strategy was carefully crafted and executed, so how was the brute force attack detected?

The first signs of the attack came about when the Cloud Access Security Broker detected multiple failed login attempt anomalies that may be associated with a compromised account. By itself, this didn’t trigger an alert warranting further investigation.

Over time and with additional failed login attempts originating from a set of IP addresses, all targeting a handful of Office 365 accounts across multiple organizations, a pattern emerged and elevated the anomalies to actual threats.

After further investigation and cross-customer analysis, over 100,000 failed logins across a multi-month period were discovered, upgrading the various threats to a full-blown brute force login attack.
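The two sections above describe why per-account lockouts never fired (each account saw only a handful of attempts from several IPs for a few seconds) and how the pattern only became visible once failed logins were correlated across source IPs, accounts and organizations over months. The following script is an added illustration of that correlation logic and is not code from the article or from Skyhigh Networks. It runs over a constructed set of failed-sign-in events (the tenant names, addresses and IPs are invented; the IPs are from documentation ranges), profiles each source IP across all tenants, links IPs that hit the same tenant within the same short burst into one campaign, and reports the figures an analyst would want: how many tenants and accounts the campaign touched, how many days it spanned, and the maximum number of attempts any single account received.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the article): failed Office 365 sign-ins
# as a CASB or log collector might normalise them.
# Fields: timestamp, tenant, target username, source IP, result.
SAMPLE_EVENTS = [
    ("2017-01-03T02:14:05Z", "companyx", "emiller@companyx.com", "203.0.113.7", "fail"),
    ("2017-01-03T02:14:06Z", "companyx", "elizabeth.miller@companyx.com", "203.0.113.9", "fail"),
    ("2017-01-03T02:14:08Z", "companyx", "lisa.miller@companyx.com", "198.51.100.4", "fail"),
    ("2017-02-11T23:41:10Z", "companyy", "jdoe@companyy.com", "203.0.113.7", "fail"),
    ("2017-02-11T23:41:12Z", "companyy", "john.doe@companyy.com", "198.51.100.4", "fail"),
    ("2017-03-20T04:02:30Z", "companyz", "akhan@companyz.com", "203.0.113.7", "fail"),
    ("2017-03-20T04:02:31Z", "companyz", "a.khan@companyz.com", "203.0.113.9", "fail"),
    # Benign noise: a real user mistyping a password a couple of times from one IP.
    ("2017-03-20T09:00:00Z", "companyx", "bob@companyx.com", "192.0.2.50", "fail"),
    ("2017-03-20T09:00:20Z", "companyx", "bob@companyx.com", "192.0.2.50", "fail"),
    ("2017-03-20T09:00:45Z", "companyx", "bob@companyx.com", "192.0.2.50", "success"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def profile_sources(events):
    """Per source IP: tenants touched and failure count per (tenant, account),
    accumulated over the whole retention window rather than a short lockout window."""
    prof = defaultdict(lambda: {"tenants": set(), "targets": defaultdict(int)})
    for ts, tenant, user, ip, result in events:
        if result != "fail":
            continue
        prof[ip]["tenants"].add(tenant)
        prof[ip]["targets"][(tenant, user)] += 1
    return prof


def suspicious_sources(events, min_tenants=2, max_per_target=3):
    """Low-and-slow signature: an IP that fails against several tenants while never
    hitting any single account often enough to trip a per-account lockout."""
    out = []
    for ip, p in profile_sources(events).items():
        if len(p["tenants"]) >= min_tenants and max(p["targets"].values()) <= max_per_target:
            out.append(ip)
    return sorted(out)


def link_campaigns(events, burst_window=timedelta(seconds=60)):
    """Group source IPs into campaigns with union-find: two IPs are linked when both
    produced failed logins against the same tenant within burst_window of each other."""
    fails = sorted((parse(ts), tenant, user, ip)
                   for ts, tenant, user, ip, r in events if r == "fail")
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for i, (t_i, tenant_i, _, ip_i) in enumerate(fails):
        find(ip_i)  # make sure lone IPs are registered too
        for t_j, tenant_j, _, ip_j in fails[i + 1:]:
            if t_j - t_i > burst_window:
                break  # events are time-sorted, nothing later can be in the burst
            if tenant_j == tenant_i and ip_j != ip_i:
                union(ip_i, ip_j)

    groups = defaultdict(set)
    for ip in parent:
        groups[find(ip)].add(ip)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def campaign_summary(events, ips):
    """Figures for one campaign: tenants, distinct accounts, span in days and the
    largest number of attempts any one account saw (what a lockout rule would judge on)."""
    ips = set(ips)
    fails = [(parse(ts), tenant, user)
             for ts, tenant, user, ip, r in events if r == "fail" and ip in ips]
    per_account = defaultdict(int)
    for _, tenant, user in fails:
        per_account[(tenant, user)] += 1
    times = [t for t, _, _ in fails]
    return {
        "tenants": sorted({tenant for _, tenant, _ in fails}),
        "targets": len(per_account),
        "max_attempts_per_account": max(per_account.values()),
        "span_days": (max(times) - min(times)).days,
    }


if __name__ == "__main__":
    print("suspicious IPs:", suspicious_sources(SAMPLE_EVENTS))
    for campaign in link_campaigns(SAMPLE_EVENTS):
        print(campaign, campaign_summary(SAMPLE_EVENTS, campaign))
```

On the constructed data the benign user who mistyped a password twice is left alone, while the three hosting-provider IPs collapse into one campaign that touched three tenants and seven accounts over 76 days with at most one attempt per account, which is exactly why a threshold on failures per account per few minutes could never have caught it; the thresholds here (two tenants, three attempts per account, a 60-second burst) are assumptions to be tuned against a real tenant population.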

What can we learn from this attack?

This attack could largely have been prevented had the organizations under attack enabled SSO with MFA. The takeaway is that organizations find it very difficult to fully protect themselves from sophisticated attacks targeting the cloud without a robust cloud security infrastructure.

Organizations need to gain awareness of their cloud usage in order to mitigate the risk of a security incident in a meaningful way.

Sekhar Sarukkai

About the Author: Sekhar Sarukkai is a Co-Founder and the Chief Scientist at Skyhigh Networks, driving future innovations and technologies in cloud security. He brings more than 20 years of experience in enterprise networking, security, and cloud service development.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.