Social Engineering exploits
More businesses are moving to the cloud, creating new kinds of risk. Analysing how attackers gain access to this infrastructure, and how some users inadvertently misuse it, provides critical insight into how to better protect against these new threats. The cloud and software-as-a-service (SaaS) apps are mainstays of modern business and consumer computing. They are also quickly becoming the latest frontier of innovation for threat actors.
In a recent sample of prospective customers, about 1% of SaaS credentials were compromised and 24% of all logins to cloud services were suspicious. Suspicious logins included:
• Malicious sources such as bots, scanning hosts, Tor nodes and more
• Non-human logins from cloud infrastructure and third-party services
• “Too-fast-to-travel” events
Malicious logins, such as those from bots, are common in “traditional” cybercrime. Non-human logins into cloud-based infrastructure and services are a more recent phenomenon. These come from a service or app, some of which may not have been explicitly authorised by a user or organisation. Too-fast-to-travel events refer to situations in which someone logs into an account from one region, and then another login is detected from somewhere the first person couldn’t have travelled to that soon. For example, say a legitimate login occurs from a US-based IP address. Then two hours later, someone logs in from a Chinese IP address. At least one of those logins is suspicious.
For authorised apps and third-party add-ons, users are often unaware of the hidden layers of access, and of the risks that come with them. For example, if someone authorises a third-party cloud email add-on, an OAuth token may allow the app to synchronise the user’s email on a separate, less-than-secure server. Once authorised, these apps continue to have access, even after the user deletes the app or quits the service. We saw danger signs when examining third-party apps accessing core cloud services. Most of the organisations we surveyed had hundreds of apps installed on cloud platforms. Roughly 18% of these apps could access email or files. In many cases, this access may be legitimate and useful. But often, organisations are unaware that the apps have unfettered access to critical communications and data.
Anytime, anywhere access and easy integration with a variety of third-party add-ons are among the greatest strengths of cloud apps. But they also represent the greatest risks to personal and corporate data. In many cases, we also see people failing to follow best practices for cloud apps. This behaviour may stem from convenience, lack of governing policy or ignorance:
• Thousands of files were shared with personal, non-business accounts
• Hundreds of thousands of files were shared openly with the entire organisation rather than being limited to those who needed access
• Tens of thousands of files were shared publicly
In the emerging cloud era, the human factor is alive and well. Carelessness, ignorance or lack of guidance can all lead to oversharing and new risks to data. Personal and public file sharing can pose a particular risk, especially after employees leave an organisation but retain access.
As we adopt cloud apps and services at scale across organisations and use them frequently in our daily lives, our habits are changing. Security tools are not changing as quickly. We have become accustomed to receiving everything from emailed surveys to shared files from a variety of services. The tools and services we rely on to defend ourselves from cyber threats are often configured to trust email and other content from major, reputable email providers. So when attackers abuse “good services for bad purposes,” we often are not prepared. That makes these services useful vectors for attackers. Many of these platforms are extensible by design. That versatility opens up new features for organisations. It also creates wide-ranging possibilities for abuse.
Abusing legitimate services has other benefits for threat actors beyond the inherent trust people and tools place in them. Legitimate email service providers operate on a massive scale. They are frequently used by legitimate marketers to send large email blasts. And they are used by organisations ripe for abuse. As a result, email service providers themselves have a hard time detecting malicious activity. And shutting it down often amounts to an unwinnable game of whack-a-mole. Detecting malicious activity from legitimate services requires deeper, dynamic analysis than reputation-based defences can offer alone. Attacks that leverage legitimate services exploit the human factor. And like other people-centred attacks, they challenge automated defences and the people being targeted.