
CISA Warns Organizations About Attacks on Cloud Services

In light of successful cyberattacks targeting organizations’ cloud services, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published a series of recommendations on how businesses can improve their cloud security.

The attacks observed by CISA exploit poor cyber hygiene practices within cloud services configurations, and the agency says the activity is not tied to a specific threat actor or the recent SolarWinds attack. Thus, the recommended mitigations apply to all organizations looking to ensure their cloud services are better protected from cyberattacks.

CISA notes that the recommendations are based on CISA incident response engagements and that the observed attacks frequently involved telework that leveraged a mixture of corporate laptops and personal devices for access to cloud services.

“Despite the use of security tools, affected organizations typically had weak cyber hygiene practices that allowed threat actors to conduct successful attacks,” CISA notes.

To exploit weaknesses in the victim organization’s cloud services, the threat actors used techniques such as phishing and brute force attempts. One incident, however, possibly involved a “pass-the-cookie” attack (in which a stolen session cookie is used to access otherwise restricted resources).

Phishing emails were used to trick victims into sharing their login credentials, which the attackers then used to sign in to the cloud accounts and send further phishing messages from them. Brute-force attempts targeted a terminal server at an organization that had exposed port 80 to the internet for remote access rather than requiring a VPN.

The attackers also created and modified email forwarding rules to collect sensitive information, including rules that searched the victims' messages for finance-related keywords. In one case the compromised account had multi-factor authentication (MFA) properly enabled, yet the attackers apparently gained initial access through a "pass-the-cookie" attack, replaying a session cookie from an already authenticated session so that no MFA prompt was ever triggered.
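Reviewing user-created mailbox rules for exactly these two patterns is something an administrator can script. The following is an added example, not code from CISA's advisory or from SecurityWeek: it audits inbox rules whose attributes mirror a subset of what Exchange Online's Get-InboxRule returns (ForwardTo, ForwardAsAttachmentTo, RedirectTo, SubjectContainsWords, BodyContainsWords, DeleteMessage) and flags external forwarding and finance-keyword filters. It also flags rules that delete matched mail, a companion action the article does not describe; the organization domain, keyword list and sample rules are assumptions.

```python
"""Audit inbox rules for external auto-forwarding and finance-keyword filters.
Constructed example; not CISA's or SecurityWeek's code. Rule attributes mirror a
subset of Exchange Online's Get-InboxRule output; ORG_DOMAINS, FINANCE_KEYWORDS
and SAMPLE_RULES are assumptions."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ORG_DOMAINS = {"example.com"}  # assumption: the organization's own mail domains

# Illustrative keyword list; the attackers in CISA's engagements searched for finance terms.
FINANCE_KEYWORDS = ("invoice", "payment", "wire", "bank", "remittance", "payroll")


@dataclass
class InboxRule:
    mailbox: str
    name: str
    enabled: bool = True
    forward_to: List[str] = field(default_factory=list)
    forward_as_attachment_to: List[str] = field(default_factory=list)
    redirect_to: List[str] = field(default_factory=list)
    subject_contains_words: List[str] = field(default_factory=list)
    body_contains_words: List[str] = field(default_factory=list)
    delete_message: bool = False


def is_external(address: str) -> bool:
    """True when the recipient's domain is not one of ours (case-insensitive)."""
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS


def audit_rule(rule: InboxRule) -> List[str]:
    """Return findings for one rule; an empty list means nothing suspicious."""
    findings: List[str] = []
    if not rule.enabled:
        return findings

    targets = rule.forward_to + rule.forward_as_attachment_to + rule.redirect_to
    external = sorted({a.lower() for a in targets if is_external(a)})
    if external:
        findings.append("external forwarding to " + ", ".join(external))

    phrases = [w.lower() for w in rule.subject_contains_words + rule.body_contains_words]
    hits = sorted(k for k in FINANCE_KEYWORDS if any(k in p for p in phrases))
    if hits:
        findings.append("finance keyword filter: " + ", ".join(hits))

    # Deleting matched mail hides the attacker's traffic from the victim. The article
    # does not describe this; it is included here as a common companion action.
    if rule.delete_message:
        findings.append("deletes matched messages")
    return findings


def audit_rules(rules: List[InboxRule]) -> Dict[Tuple[str, str], List[str]]:
    """Map (mailbox, rule name) -> findings, for rules that have any."""
    report: Dict[Tuple[str, str], List[str]] = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[(rule.mailbox, rule.name)] = findings
    return report


# Constructed sample: a benign internal rule, an attacker-style rule, an unrelated rule.
SAMPLE_RULES = [
    InboxRule("alice@example.com", "Invoices to AP",
              forward_to=["ap@example.com"], subject_contains_words=["Invoice"]),
    InboxRule("alice@example.com", ".",
              forward_as_attachment_to=["collector@mail-drop.invalid"],
              subject_contains_words=["invoice", "wire transfer"], delete_message=True),
    InboxRule("bob@example.com", "Newsletters", subject_contains_words=["digest"]),
]

if __name__ == "__main__":
    for (mailbox, name), findings in audit_rules(SAMPLE_RULES).items():
        print(f"{mailbox} rule {name!r}: " + "; ".join(findings))
```

Feed it the rules exported from every mailbox, not just the ones users report; the attacker-style rule above is named "." precisely so that it is easy to miss in a casual review.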

“Cookies establish session persistence for web applications. When you are authenticated with a web application, MFA or not, the cookie is placed on your computer. The cookie contains the session ID and access tokens to the web application. This is so you don’t have to reauthenticate incessantly to the web application. This is an inherent flaw in the HTTP protocol and how web applications work. HTTP is a stateless protocol and relies on cookies to maintain state,” Christian Espinosa, Managing Director at Cerberus Sentinel, explains.

“The way to mitigate the MFA pass-the-cookie vulnerability is with better cookie management and better user training. Specifically, cookies should be set with a short lifespan. […] The bottom line is there is no single way to fix the pass-the-cookie problem, unless you force a user to reauthenticate more frequently for different web application functionality. This diminishes the user experience though,” Espinosa continues.
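What "better cookie management" looks like in practice is server-side session handling that bounds how long a stolen cookie stays useful. The following is an added example, not code from Cerberus Sentinel, CISA or SecurityWeek: it implements an idle timeout, an absolute lifetime counted from the original authentication (so replaying the cookie cannot extend it), step-up re-authentication for sensitive functions, and the cookie attributes that keep the value out of reach of page scripts. The timeouts and the replay scenario are assumptions, and the scenario deliberately shows that a replay inside the idle window still succeeds, which is the residual risk the quote describes.

```python
"""Session controls that cap the value of a stolen session cookie. Added example,
not code from Cerberus Sentinel, CISA or SecurityWeek. Timeouts are assumptions."""

import secrets
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT = 15 * 60        # seconds without activity before the session dies
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap measured from authentication, not from last use
STEP_UP_MAX_AGE = 5 * 60      # how recent an MFA check must be for sensitive actions


@dataclass
class Session:
    user: str
    authenticated_at: float  # when the credentials (and MFA) were verified
    last_seen: float         # last accepted request
    mfa_at: float            # last successful MFA prompt


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, now: float) -> str:
        """Issue a new random session id after a full login (password + MFA)."""
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy, not guessable
        self._sessions[sid] = Session(user, now, now, now)
        return sid

    def validate(self, sid: str, now: float) -> Optional[str]:
        """Return the user for a live session, or None (and revoke it) if expired."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if now - sess.last_seen > IDLE_TIMEOUT or now - sess.authenticated_at > ABSOLUTE_LIFETIME:
            del self._sessions[sid]  # a replayed cookie past either limit is dead
            return None
        sess.last_seen = now
        return sess.user

    def requires_step_up(self, sid: str, now: float) -> bool:
        """Sensitive functions re-prompt for MFA unless it was verified recently."""
        sess = self._sessions.get(sid)
        return sess is None or now - sess.mfa_at > STEP_UP_MAX_AGE

    def record_step_up(self, sid: str, now: float) -> None:
        sess = self._sessions.get(sid)
        if sess is not None:
            sess.mfa_at = now

    def revoke(self, sid: str) -> None:
        """Server-side revocation: logout or incident response kills the cookie at once."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value. The __Host- prefix makes the browser require Secure, Path=/ and
    no Domain attribute; HttpOnly keeps page scripts from reading the value; Max-Age
    matches the server-side absolute lifetime so the browser discards it too."""
    return (f"__Host-session={sid}; Path=/; Secure; HttpOnly; "
            f"SameSite=Lax; Max-Age={ABSOLUTE_LIFETIME}")


def replay_outcomes(now: float) -> Dict[str, bool]:
    """Constructed scenario: an attacker replays a stolen cookie at different times."""
    store = SessionStore()
    sid = store.create("victim@example.com", now)
    outcomes: Dict[str, bool] = {}
    # Inside the idle window the replay works: this is the residual risk of cookie theft.
    outcomes["replay_within_idle_window"] = store.validate(sid, now + 120) == "victim@example.com"
    # The cookie alone does not unlock a sensitive function once the MFA check is stale.
    outcomes["step_up_needed_after_5_min"] = store.requires_step_up(sid, now + STEP_UP_MAX_AGE + 1)
    # Keep the session alive with regular requests, as an attacker could, then try past the cap.
    t = now
    while t < now + ABSOLUTE_LIFETIME:
        store.validate(sid, t)
        t += IDLE_TIMEOUT - 1
    outcomes["replay_after_absolute_lifetime"] = store.validate(sid, now + ABSOLUTE_LIFETIME + 1) is not None
    return outcomes


if __name__ == "__main__":
    print(replay_outcomes(1_700_000_000.0))
```

The absolute lifetime is the control that matters most against a replayed cookie: an idle timeout alone can be kept alive indefinitely by the attacker's own requests, and a Max-Age on the cookie only binds a browser that honours it, never a copy of the value held elsewhere.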

To mitigate cyberattacks targeting their cloud services, organizations are advised to implement conditional access (CA) policies, establish a baseline for normal network activity, review logs, enforce MFA, review user-created email forwarding rules and alerts, establish a mitigation plan, secure privileged access, prohibit personal devices for work unless necessary, audit email rules, restrict user consent to pre-approved app integrations, and adopt a zero-trust mindset.

Organizations should also ensure that user access logging is enabled, that legacy authentication protocols are blocked, that Remote Desktop Protocol (RDP) ports are closed on cloud-based virtual machines with public IPs, that employees are trained on how to identify threats and report them, and that detection solutions are up-to-date.

For organizations that use Microsoft 365, only a few (one to three) trusted users should be set as electronic discovery (or eDiscovery) managers, PowerShell remoting to Exchange Online should be disabled for regular M365 users, and only a limited number of unsuccessful login attempts should be allowed, to prevent brute-forcing.
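Two of those recommendations, blocking legacy authentication and limiting failed sign-ins, are verifiable from sign-in logs. The following is an added example, not code from CISA, Microsoft or SecurityWeek: it runs over constructed JSON-lines records shaped like a few fields of the Microsoft Graph signIn resource (createdDateTime, userPrincipalName, ipAddress, clientAppUsed, status.errorCode), lists which accounts authenticated over legacy protocols, and raises an alert when one account accumulates repeated bad-password attempts inside a short window and again if a success then follows. The thresholds, the sample data and the single error code handled are assumptions.

```python
"""Detection over cloud sign-in records: legacy authentication use and password
guessing against one account. Added example, not CISA's or Microsoft's code. The
records are constructed JSON lines shaped like a few fields of the Microsoft Graph
signIn resource; thresholds, the error code handled and the data are assumptions."""

import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Client types Microsoft classes as legacy authentication (basic auth, cannot enforce MFA).
LEGACY_CLIENTS = {
    "Authenticated SMTP", "Autodiscover", "Exchange ActiveSync", "Exchange Online PowerShell",
    "Exchange Web Services", "IMAP4", "MAPI Over HTTP", "Offline Address Book",
    "Other clients", "Outlook Anywhere (RPC over HTTP)", "POP3", "Reporting Web Services",
}
INVALID_CREDENTIALS = 50126  # Azure AD "invalid username or password"; only this code is counted here
FAIL_THRESHOLD = 5           # assumption: failures per account before alerting
FAIL_WINDOW = timedelta(minutes=10)

# Constructed sample: one browser login, a six-guess IMAP burst that succeeds, one ActiveSync
# login, and two isolated failures hours apart that should not alert.
SAMPLE_SIGNINS = """\
{"createdDateTime": "2021-01-13T08:00:05Z", "userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7", "clientAppUsed": "Browser", "status": {"errorCode": 0}}
{"createdDateTime": "2021-01-13T08:01:00Z", "userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.9", "clientAppUsed": "IMAP4", "status": {"errorCode": 50126}}
{"createdDateTime": "2021-01-13T08:01:30Z", "userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.9", "clientAppUsed": "IMAP4", "status": {"errorCode": 50126}}
{"createdDateTime": "2021-01-13T08:02:00Z", "userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.9", "clientAppUsed": "IMAP4", "status": {"errorCode": 50126}}
{"createdDateTime": "2021-01-13T08:02:30Z", "userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.9", "clientAppUsed": "IMAP4", "status": {"errorCode": 50126}}
{"createdDateTime": "2021-01-13T08:03:00Z", "userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.9", "clientAppUsed": "IMAP4", "status": {"errorCode": 50126}}
{"createdDateTime": "2021-01-13T08:03:30Z", "userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.9", "clientAppUsed": "IMAP4", "status": {"errorCode": 50126}}
{"createdDateTime": "2021-01-13T08:04:00Z", "userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.9", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}}
{"createdDateTime": "2021-01-13T08:10:00Z", "userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.22", "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 0}}
{"createdDateTime": "2021-01-13T07:00:00Z", "userPrincipalName": "dave@example.com", "ipAddress": "198.51.100.30", "clientAppUsed": "Browser", "status": {"errorCode": 50126}}
{"createdDateTime": "2021-01-13T09:00:00Z", "userPrincipalName": "dave@example.com", "ipAddress": "198.51.100.30", "clientAppUsed": "Browser", "status": {"errorCode": 50126}}
"""


def parse_signins(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["createdDateTime"].replace("Z", "+00:00"))


def find_legacy_auth(events: List[dict]) -> List[Tuple[str, str]]:
    """(user, client) pairs that authenticated over a legacy protocol; each is a candidate to block."""
    return sorted({(e["userPrincipalName"], e["clientAppUsed"])
                   for e in events if e["clientAppUsed"] in LEGACY_CLIENTS})


def find_password_guessing(events: List[dict]) -> List[str]:
    """Alert when an account reaches FAIL_THRESHOLD bad-password attempts inside FAIL_WINDOW,
    and again if a success follows that burst (the guess landed)."""
    by_user: Dict[str, List[dict]] = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_user[e["userPrincipalName"]].append(e)
    alerts: List[str] = []
    for user, evs in by_user.items():
        fails: List[datetime] = []
        for e in evs:
            now, code = _ts(e), e["status"]["errorCode"]
            fails = [t for t in fails if now - t <= FAIL_WINDOW]  # slide the window forward
            if code == INVALID_CREDENTIALS:
                fails.append(now)
                if len(fails) == FAIL_THRESHOLD:  # alert once per burst, not on every guess
                    minutes = int(FAIL_WINDOW.total_seconds() // 60)
                    alerts.append(f"{user}: {FAIL_THRESHOLD} failed sign-ins within {minutes} min "
                                  f"(latest from {e['ipAddress']})")
            elif code == 0:
                if len(fails) >= FAIL_THRESHOLD:
                    alerts.append(f"{user}: successful sign-in from {e['ipAddress']} after {len(fails)} failures")
                fails = []
    return alerts


def analyze(text: str) -> Dict[str, list]:
    events = parse_signins(text)
    return {"legacy_auth": find_legacy_auth(events), "password_guessing": find_password_guessing(events)}


if __name__ == "__main__":
    for key, items in analyze(SAMPLE_SIGNINS).items():
        print(key)
        for item in items:
            print("  ", item)
```

The legacy-auth list is the more useful output in the long run: every account on it is one that MFA cannot protect until that protocol is blocked for it, which is why the guessing burst above goes through IMAP4 rather than the browser.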

Related: NSA Publishes Recommendations on Securing IPsec VPNs

Related: DHS Reiterates Recommendations on Securing Office 365

Related: Three Tips to Help CISOs Close the IT-OT Security Gap, Part 2

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
