Microsoft’s Office 365 suite of cloud applications is now the most popular cloud service in the world by user count. While this has fast-tracked Microsoft’s path to becoming a cloud-first enterprise software company, it has also put a bullseye on Office 365, making it a target of choice for hackers. Given that enterprises store a significant volume of business-critical data in Office 365, the stakes for keeping that data safe are high.
Earlier this summer, hackers attempted to gain unauthorized access to high-value corporate Office 365 accounts of several enterprises using a novel type of brute force attack in an attempt to obfuscate their activity and avoid detection.
Now, a new attack has been discovered on Office 365 accounts of a number of enterprises that used yet another stealthy strategy. Our research indicates that the attack is targeting 50% of enterprises that have Office 365.
Anatomy of the attack
Dubbed ‘KnockKnock’, the botnet attack was designed to predominantly target Office 365 system accounts. System accounts are usually not tied to human users but often have elevated privileges. These accounts include service accounts (such as those used for user provisioning in large organizations), automation accounts (such as the ones used to automate data and system backups), machine accounts (including those used for applications within data centers), marketing automation accounts (like the ones used to send marketing and customer communication emails), as well as accounts created for distribution lists and shared or delegated mailboxes.
Not only do these accounts have higher privileges, but they may not always work well with step-up authentication systems like Single Sign-On (SSO) or other multi-factor authentication, and they can suffer from lax password policies. This gives attackers the perfect vector to infiltrate an organization’s Office 365 environment: weak-link accounts with privileged access that are seldom monitored.
Once the botnet successfully gains access to the targeted account, data is exfiltrated from the inbox while a new inbox rule is created that hides and diverts incoming messages. The attack will then initiate an enterprise-wide phishing attack and spread the infection throughout the organization.
KnockKnock has been active since May 2017 and is currently still active. In order to go undetected, the hacking activity occurs in short stints, averaging 3-5 password guesses against a system account before moving on to a different account within the organization. Moreover, it doesn’t display the same level of activity across multiple organizations. As it ramps up its number of attempts in one organization, it ramps down in others, making detection more difficult still.
The attacks originate from a small network of 89 confirmed IPs distributed across 83 networks. Although most of the attacks originate from IPs registered to service providers in China, there has been activity from other countries as well, including Russia, Brazil, the US, Argentina, and Malaysia.
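The two behaviours described above, a few password guesses per account before moving to the next, and a new inbox rule that hides or diverts mail, are both visible in sign-in and mailbox audit logs if the right questions are asked. The following is an added example (not code from the article or from Skyhigh Networks) that runs over constructed sign-in records; the account names, IP addresses and the inbox-rule parameter names are assumptions, modelled loosely on Office 365 New-InboxRule switches rather than any guaranteed audit schema.

```python
from collections import defaultdict

# Constructed sign-in records (timestamp, user, source IP, result); not real telemetry.
SAMPLE_SIGNINS = [
    ("2017-06-01T02:00:00Z", "svc-backup@corp.example", "198.51.100.7", "fail"),
    ("2017-06-01T02:00:20Z", "svc-backup@corp.example", "198.51.100.7", "fail"),
    ("2017-06-01T02:00:40Z", "svc-backup@corp.example", "198.51.100.7", "fail"),
    ("2017-06-01T02:05:00Z", "svc-provision@corp.example", "198.51.100.7", "fail"),
    ("2017-06-01T02:05:30Z", "svc-provision@corp.example", "198.51.100.7", "fail"),
    ("2017-06-01T02:05:50Z", "svc-provision@corp.example", "198.51.100.7", "fail"),
    ("2017-06-01T02:06:10Z", "svc-provision@corp.example", "198.51.100.7", "fail"),
    ("2017-06-01T02:10:00Z", "mktg-noreply@corp.example", "198.51.100.7", "fail"),
    ("2017-06-01T02:10:30Z", "mktg-noreply@corp.example", "198.51.100.7", "success"),
    # An employee mistyping a password once from the office; must not fire.
    ("2017-06-01T09:00:00Z", "alice@corp.example", "203.0.113.10", "fail"),
    ("2017-06-01T09:00:10Z", "alice@corp.example", "203.0.113.10", "success"),
]

def detect_low_and_slow_spray(records, min_accounts=3, max_failures_per_account=5):
    """Pivot on source IP instead of on account: a per-account lockout threshold
    never trips at 3-5 guesses, but one IP touching many accounts stands out.
    Returns {ip: {"accounts": [...sprayed], "compromised": [...later logged in]}}."""
    failures = defaultdict(lambda: defaultdict(int))   # ip -> user -> failed attempts
    successes = defaultdict(set)                        # ip -> users that then succeeded
    for _ts, user, ip, result in sorted(records):       # tuples sort by timestamp first
        if result == "fail":
            failures[ip][user] += 1
        elif result == "success" and failures[ip].get(user):
            successes[ip].add(user)                     # success after guessing: likely compromise
    alerts = {}
    for ip, per_user in failures.items():
        sprayed = [u for u, n in per_user.items() if n <= max_failures_per_account]
        if len(sprayed) >= min_accounts:
            alerts[ip] = {"accounts": sorted(sprayed), "compromised": sorted(successes[ip])}
    return alerts

def is_hiding_or_diverting_rule(rule_params, internal_domain="corp.example"):
    """Flag a newly created inbox rule that forwards mail outside the tenant or hides
    it (deletes it, or files it away from the Inbox). Parameter names are assumed,
    modelled on New-InboxRule switches; adapt them to the audit feed in use."""
    targets = rule_params.get("ForwardTo", []) + rule_params.get("RedirectTo", [])
    external = [a for a in targets if not a.lower().endswith("@" + internal_domain)]
    hides = rule_params.get("DeleteMessage", False) or \
        rule_params.get("MoveToFolder") not in (None, "Inbox")
    return bool(external) or hides
```

On the sample data the spraying IP is reported with all three system accounts it touched and the one it eventually logged into, while the single mistyped password from the office produces nothing.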
Why is this attack so dangerous?
The fact that the botnet attack targeted system accounts is what makes it so dangerous. System accounts can be used in many ways, but one of the more common uses for a system account is to help connect one cloud application to another. Businesses rely on a variety of tools that work together to produce a holistic cloud infrastructure, but these connections require the creation of accounts that aren’t linked to a specific user. If an organization isn’t aware of how their cloud infrastructure works, a hacker’s entry into a single system account can have a dire domino effect.
For example, suppose a hacker gains entry into an Office 365 Exchange Online system account whose address is also the username for Salesforce.com, and that Salesforce.com account is in turn used as a Marketo Sync User to integrate Salesforce.com with the organization’s marketing automation cloud. The single Exchange Online compromise then gives the hacker access to the entire CRM and marketing automation systems of the organization, putting the enterprise’s most valuable data at risk of unauthorized exposure or loss.
CRM systems such as Salesforce.com will often require the user account used to integrate with other systems to have administrative privileges, which only serves to further exacerbate the situation.
System accounts should never be treated as throw-away accounts that need not be monitored. If anything, the fact that there isn’t a human owner for the account should encourage organizations to take additional measures to secure the account and continuously monitor its activity. As hackers increase their attacks on enterprise SaaS and IaaS deployments, enterprises need a new line of defense, allowing them to adopt and benefit from the cloud while protecting their most valuable asset – data.
Visit our blog post if you’re interested in learning about how this attack was discovered.
About the Author: Sekhar Sarukkai is a Co-Founder and the Chief Scientist at Skyhigh Networks, driving future innovations and technologies in cloud security. He brings more than 20 years of experience in enterprise networking, security, and cloud service development.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.