Earlier this summer, hackers attempted to gain unauthorized access to high-value corporate Office 365 accounts at several enterprises using a novel type of brute force attack designed to obfuscate their activity and avoid detection. Dubbed 'KnockKnock,' the botnet attack predominantly targets Office 365 system accounts. Our research indicates that the attack is targeting 50 percent of enterprises that use Office 365.

System accounts are usually not tied to human users but often have elevated privileges. They include:

- service accounts, such as those used for user provisioning in large organizations
- automation accounts, such as the ones used to automate data and system backups
- machine accounts, including those used for applications within data centers
- marketing automation accounts, such as the ones used to send marketing and customer communication emails, and
- accounts created for distribution lists and shared or delegated mailboxes.

Not only do these accounts have higher privileges, but they may not always work with Single Sign-On (SSO) or with step-up and multi-factor authentication, and they can suffer from lax password policies. This gives attackers the perfect vector into an organization's Office 365 environment: weak-link accounts with privileged access that are seldom monitored.

Once the botnet successfully gains access to the targeted account, data is exfiltrated from the inbox while a new inbox rule is created that hides and diverts incoming messages. The attack then initiates an enterprise-wide phishing campaign and spreads the infection throughout the organization.

KnockKnock has been active since May 2017 and is still active. To go undetected, the hacking activity occurs in short stints, averaging 3-5 attempts at guessing a system account's password before moving on to a different account within the organization. Moreover, it doesn't display the same level of activity across multiple organizations: as it ramps up its number of attempts in one organization, it ramps down in others, making detection more difficult. The attacks originate from a small network of 89 confirmed IPs distributed across 83 networks. Although most of the attacks originate from IPs registered to service providers in China, there has been activity from other countries as well, including Russia, Brazil, the US, Argentina and Malaysia.

The fact that the botnet attack targets system accounts is what makes it so dangerous. System accounts can be used in many ways, but one of the more common uses is to connect one cloud application to another. Businesses rely on a variety of tools that work together to produce a holistic cloud infrastructure, but these connections require the creation of accounts that aren't linked to a specific user. CRM systems such as will often require the user account used to integrate with other systems to have administrative privileges, which only exacerbates the situation. For example, if a hacker gains entry to an Exchange Online system account that's used as the username for , which is in turn used as a Marketo Sync User to integrate with the organization's marketing automation cloud, then entry into that one Exchange Online system account could also give the hacker access to the organization's entire CRM and marketing automation systems, putting the enterprise's most valuable data at risk of unauthorized exposure or loss. If an organization isn't aware of how its cloud infrastructure fits together, a hacker's entry into a single system account can have a dire domino effect.

System accounts should never be treated as throw-away accounts that need not be monitored. If anything, the fact that there isn't a human owner for the account should encourage organizations to take additional measures to secure it and continuously monitor its activity. As hackers increase their attacks on enterprise SaaS and IaaS deployments, enterprises need a new line of defense that allows them to adopt and benefit from the cloud while protecting their most valuable asset – data.

Now, a new attack has been discovered on the Office 365 accounts of a number of enterprises that used yet another stealthy strategy. Visit our blog post if you're interested in learning how this attack was discovered.
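The low-and-slow guessing pattern (3-5 attempts per account, then move on) and the hide-and-divert inbox rule described above are both visible in Office 365 audit data, but only if the detection logic pivots on the right field. The following Python is an added example, not code from the original post or its authors. It runs over a constructed, simplified set of Unified Audit Log-style records (the attacker address, account names, time stamps, thresholds and the folder/parameter lists are all assumptions) and shows why a per-account failure threshold misses a few guesses per account while a per-source-IP count of distinct targeted accounts does not, and how a rule that marks mail read, buries it in a rarely read folder or forwards it to an outside address stands out.

```python
"""Hunting for KnockKnock-style activity in Office 365 audit events.
Added example, not code from the original post or its authors. The records are
CONSTRUCTED and only loosely follow Unified Audit Log AuditData fields (Operation,
UserId, ClientIP, CreationTime, Parameters); thresholds and the folder/parameter
lists are illustrative assumptions, not published indicators."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%S"
ATTACKER_IP = "203.0.113.7"  # assumption: RFC 5737 documentation address

def _fails(user, ip, start, n, gap_s=40):
    """n constructed UserLoginFailed records from one IP against one account."""
    t0 = datetime.strptime(start, FMT)
    return [{"Operation": "UserLoginFailed", "UserId": user, "ClientIP": ip,
             "CreationTime": (t0 + timedelta(seconds=i * gap_s)).strftime(FMT)}
            for i in range(n)]

# Constructed log: 3-5 guesses per system account from one IP, then an inbox rule
# on the account that fell; plus a human mistyping a forgotten password 12 times.
EVENTS = (
    _fails("svc-backup@example.com", ATTACKER_IP, "2017-09-12T02:10:00", 4)
    + _fails("marketo-sync@example.com", ATTACKER_IP, "2017-09-12T02:14:00", 3)
    + _fails("dl-sales@example.com", ATTACKER_IP, "2017-09-12T02:18:00", 5)
    + _fails("jdoe@example.com", "198.51.100.24", "2017-09-12T08:00:00", 12)
    + [{"Operation": "New-InboxRule", "UserId": "dl-sales@example.com",
        "ClientIP": ATTACKER_IP, "CreationTime": "2017-09-12T02:23:10",
        "Parameters": [{"Name": "Name", "Value": "."},
                       {"Name": "MarkAsRead", "Value": "True"},
                       {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                       {"Name": "ForwardTo", "Value": "archive@example.net"}]},
       {"Operation": "New-InboxRule", "UserId": "jdoe@example.com",
        "ClientIP": "198.51.100.24", "CreationTime": "2017-09-12T09:05:00",
        "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                       {"Name": "MoveToFolder", "Value": "Newsletters"}]}]
)

def per_account_alerts(events, threshold=10):
    """Lockout-style rule: accounts with more than `threshold` failures.
    KnockKnock stays at 3-5 guesses per account and slips under it."""
    fails = Counter(e["UserId"] for e in events if e["Operation"] == "UserLoginFailed")
    return sorted(u for u, n in fails.items() if n > threshold)

def spray_alerts(events, window_minutes=60, min_accounts=3):
    """Pivot on the source: one IP failing against several distinct accounts
    inside a sliding window, however few guesses each."""
    by_ip = defaultdict(list)
    for e in events:
        if e["Operation"] == "UserLoginFailed":
            by_ip[e["ClientIP"]].append((datetime.strptime(e["CreationTime"], FMT), e["UserId"]))
    window, alerts = timedelta(minutes=window_minutes), {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        in_window, left = Counter(), 0
        for t, user in attempts:
            in_window[user] += 1
            while attempts[left][0] < t - window:  # expire guesses older than the window
                old = attempts[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_accounts:
                alerts.setdefault(ip, set()).update(in_window)
    return {ip: sorted(users) for ip, users in alerts.items()}

HIDE_FOLDERS = {"RSS Subscriptions", "RSS Feeds", "Conversation History", "Junk Email", "Archive"}
DIVERT_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

def suspicious_inbox_rules(events):
    """New-InboxRule events whose actions hide mail from the owner (delete, mark
    read, bury in a rarely read folder) or divert it to another address."""
    findings = []
    for e in events:
        if e["Operation"] != "New-InboxRule":
            continue
        params = {p["Name"]: p["Value"] for p in e.get("Parameters", [])}
        reasons = []
        if params.get("DeleteMessage") == "True":
            reasons.append("deletes messages")
        if params.get("MarkAsRead") == "True":
            reasons.append("marks messages read")
        if params.get("MoveToFolder") in HIDE_FOLDERS:
            reasons.append("moves to " + params["MoveToFolder"])
        reasons += [f"{p} {params[p]}" for p in sorted(DIVERT_PARAMS & params.keys())]
        if reasons:
            findings.append((e["UserId"], e["ClientIP"], reasons))
    return findings

def knockknock_report(events):
    """Strongest signal: a hiding/diverting rule created from an IP seen spraying."""
    sprayers = spray_alerts(events)
    return [f for f in suspicious_inbox_rules(events) if f[1] in sprayers]

if __name__ == "__main__":
    print("per-account threshold:", per_account_alerts(EVENTS))
    print("source-pivot spray   :", spray_alerts(EVENTS))
    for user, ip, reasons in knockknock_report(EVENTS):
        print(f"rule by {user} from {ip}: {'; '.join(reasons)}")
```

Run as a script, the per-account rule flags only the human who forgot a password, the source-pivot rule flags the spraying IP with all three system accounts, and the correlated report ties the planted rule to that IP. Against a real tenant the same logic applies to `UserLoginFailed` and `New-InboxRule` records exported from the Unified Audit Log; tune `window_minutes` and `min_accounts` to the tenant's baseline, and treat the hide-folder list as a starting heuristic rather than a complete indicator set.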