Cloud Phishing: New Tricks and the Crown Jewel

Early this year, Microsoft warned of new phishing leveraging Azure ADs that prey upon those who don’t use multifactor authentication.

This attack is thriving now but not before because attackers take advantage of the concept of BYOD (Bring-Your-Own-Device) via the capability of device registration using newly stolen credentials, and cloud authentication is accessible anytime, anywhere.

Nothing out of the ordinary, it is a novel attack technique that combines traditional phishing with second-phase or even third-phase actions. The first stage steals an employee’s email like regular phishing attacks.

Yet, instead of attacking the victim, the second stage establishes a new Office 365 account on a rogue device in the victim’s name. Once established on the new computer, the victim’s user account (and or this case, its Azure Ad) is used to send internal phishing attacks (disguised as the victim) within the company or to customers using the legitimate email account.

If they want to gain more control or find a better “host,” they can find it via the first victim and then compromise the second account by internal phishing. These multi-stage attacks appear legitimate and can even deploy malware on the company’s OneDrive or SharePoint systems.

ChatGPT (or Other AI)

According to HP Wolf Security research, phishing accounts for nearly 90% of malware attacks. But ChatGPT could make the whole situation even worse. Such intelligent 🧠 AI Chatbot can be a way to gather information through a human-like friendly chat. So the victim may not even know they are interacting with an AI.

Check Point Research recently published an interesting article demonstrating how AI models could create a full infection flow, from spear-phishing to reverse shell. Multiple scripts can be generated quickly, with variations. Complex attack processes can also be automated, using the LLMs APIs to generate other malicious artifacts.

Another risk is more prominent. AI technology like ChatGPT will enable attackers to blend the volume of massive phishing with a targeted attack (or spear-phishing). For example, say generic phishing attacks send out millions of spam in the form of emails, SMS (in the case of smashing), and social media posts. But these are easy to spot, resulting in low yield.

With the addition of an AI Chatbot, millions of spear phishing messages could be generated in seconds. Thus, the attackers can have the best of both worlds. Therefore in 2023, we will probably see some large-scale phishing that sends millions of unique messages generated within minutes. It would be a tremendous challenge for security teams.

Other Novel Phishing Techniques

QRishing

Attackers are now trying to deliver malware links via QR codes embedded in emails, which makes them difficult to detect for most email security solutions. QRishing combines the words: “QR Codes” + “Phishing.” This indicates the attack is in the form of a QR code. It can potentially direct victims into connecting to an unsecured WiFi network while someone can easily capture what you are typing.

Some adversaries even stick malicious QR codes in restaurants or other public locations. Since the pandemic limits physical contact, QR codes are a popular tool for threat actors. We use it to access menus, check in for vaccines, and get public information. In addition, social engineering tactic is inserting fake QR codes into a phishing text (SMishing + QRishing) or social media platform. Upon scanning the malicious code, users are redirected to phishing sites, where the victim may be prompted to log in and steal their credentials.

SMishing

SMishing combines the words “phishing” and “SMS.” That means it is one kind of phishing sent across your mobile network in the form of text messages. Although the name uses SMS, this attack can happen on other messenger platforms, such as Facebook Messenger or WhatsApp. Common Smishing attempts to focus on everyday necessities. Missed deliveries, late payments, bank notifications, fines, and urgent notices are examples of smishing attacks.

With so many people staying at home and so many daily online purchases, we’re awash in cardboard. It’s very challenging to keep track of everything coming into the house. Combining well-known delivery services with fake “delivery fee” notifications is the best recipe for a successful Smishing.

Crown Jewel = Developer Accounts

Why are threat actors trying to compromise developer accounts? And what can go wrong if they are stolen?

Depending on the developer’s position, attackers gain access to nearly everything:

• SSH keys,
• API keys,
• Source Code,
• Production infrastructure,
• Access to CI/CD pipelines and,
• i.e., the works.

At the very least, this engineer has “commit” access to the source code. On the other hand, suppose the organization does not follow the best practices of software engineering, such as code reviews and restricting who can commit to the main branch. In that case, the attacker can modify the organization’s source code to alter and infect the final product.

This account could manually bypass some code checks, which will also have access to valuable resources (source code, SSH keys, secrets, credentials, API keys, CI/CD pipelines, and more). This scenario, where this kind of account is compromised, would be devastating for an organization. Developer accounts usually come with GitHub or other code repository access.

Dropbox & Uber

In September, Uber disclosed that hackers had stolen the personal information of about 57 million customers and drivers. Later, we discovered that the hack was related to a hard-coded credential obtained by a “remote social engineering attack.”

In November, Dropbox had a security incident due to a phishing attack against its developers. They were lured into filling in their Github credentials by a phishing email into a fake website, despite multifactor authentication (MFA) in place. What makes these incidents scary is that this wasn’t just a random user from a business function; it was developers with privileged access to many Dropbox and Uber data.

MFA Fatigue

Both cases from these two giant tech companies implemented multifactor authentication. Still, hackers find a way to bypass or work around this measure that can prevent most credential theft.

In the case of Uber, the hacker (allegedly a 17-year-old) was creative and came up with a low-tech but very effective method — an “MFA-fatigue attack.” The attacker attempts to log in repeatedly, sending a flood of push requests to users asking the victim to confirm a sign-in. Once the victim stopped clicking “no” on their phone, followed by an “authorized login,” thus, MFA failed.

For the Dropbox case, which is much simpler. The phishing email purported to originate from the code integration and delivery platform, CircleCI. Then the realistic-looking phishing site tricked the developer into typing the credential and the one-time password. Thus, MFA also failed.

Code Repo and More

As we saw in these incidents, GitHub and other platforms in the continuous integration/ continuous deployment (CI/ CD) pipeline space are the new “crown jewels” for many companies. With the proper permissions, attackers can obtain intellectual property, source codes, and other sensitive data.

But it doesn’t stop there, as GitHub often integrates with other platforms, which lets the allowed “users” go even further. In addition, developers’ accounts are usually granted access to the deepest level, as maintaining and developing the core application may be part of their job responsibility. That makes the developer account a crown jewel for attackers.

How to Improve Your Phishing Defenses

According to industry statistics, the average organization receives dozens of phishing emails per day, with financial losses compounding as losses from malware and ransomware attacks drive up the average cost of landed phishing attacks year over year. Facing all the threats highlighted requires extra effort, and while you can’t eliminate the risk of phishing attacks, you can learn from observed trends and incidents to better manage them.

For example, here are the recommendations from the recent Zscaler report:

1. Understand the risks to inform policy and technology decisions better
2. Leverage automated tools and actionable intel to reduce phishing incidents
3. Implement zero-trust architectures to limit the blast radius of successful attacks
4. Deliver timely training to build security awareness and promote user reporting
5. Simulate phishing attacks to identify gaps in your program

Apart from the five basic mitigations of phishing attacks, we can do more. Therefore, I will end this article with tips you can bring along. Knowing that phishers will eventually find a way to get to you, having a greater extent of cyber-resilience would be an excellent way to begin.

Tips #1: Multi-layered phishing defenses approach

Typical email security against phishing often relies exclusively on a single guard point, such as email gateways and endpoint/ mobile agents. Everything passing through that gate would depend on users being able to spot phishing messages. Not to mention attackers are now sharpening their weapons with multi-stage phishing.

Conversely, a layered defense approach could improve cyber-resilience without disrupting business productivity. Moreover, there would be multiple chances to detect and catch a phishing email.

1. Reach — Prevent the email from reaching the user’s inbox. This can be achieved by introducing anti-phishing security software such as spam filters. In addition, anti-spoofing controls should be implemented, such as; DMARC, DKIM, and SPF records.
2. Identify — Most data breaches are initiated through a phishing email due to human error. Therefore, staff should have regular training in identifying the latest potential phishing emails. This will enable them to follow the company process when an incident does occur, which should include reporting the incident to the relevant team.
3. Protect — Protections should be in place for when incidents do occur. These protections include but are not limited to; enforcing multifactor authentication (MFA), password managers, regular IT health checks, and endpoint defenses.
4. Response — Staff should be able to report phishing incidents to the relevant team. A dedicated security logging and the alarming system should be in place, as well as an Incident Response Plan.

Tips #2: Just-in-time (JIT) Access Approach

Privilege access entails a significant danger, claims Gartner. The risk posed by users with standing privileges persists even with PAM tools, and it is considerable. They suggest just-in-time (JIT) solutions be used by identity and access management (IAM) leaders to finally achieve a posture of no standing privileges.

Gartner also provided a solution to counter it — The Just-in-Time approach. For example, when developers use these credentials to set up or modify production resources, granting them the appropriate permissions is crucial, with only the capabilities required to complete specified tasks.

Tips #3: Review Mailbox Forwarding

Threat actors use compromised accounts not only to steal internal data but also, for example:

• Read users’ emails,
• Distribute malware,
• Spamming,
• Learn about the user and to further launch second-stage phishing, and
• Forwarding emails to external recipients.

Attackers may set up email rules to conceal their malicious activities from the user to hide incoming emails in the compromised user mailbox. They may also create rules in the compromised user mailbox to delete emails, move them to a less visible folder, such as an RSS folder, or forward emails to an external account.

Emails can be manually or automatically forwarded using forwarding rules. Automatic forwarding can be accomplished in various ways, including Inbox Rules, Exchange Transport Rules (ETR), and SMTP Forwarding. While manual forwarding requires users to take direct action, they may need to be aware of all auto-forwarded emails.

Final Words

The reality is that no one can stop phishing entirely as long as the human factor is in the formula. As a result, the best we can do for the long term is to adopt Zero Trust Architecture for email security. It would be a much more granular design of the multi-layered defense approach.