Unlike the previously documented man-in-the-middle attacks, which typically use phishing frameworks such as Evilginx to proxy traffic between the victim and the service provider and capture credentials and session tokens as they pass through, most of these recent attacks recover tokens directly from third-party or cloud service providers.
Access management and sanitization of sensitive data are hard, especially at scale, and the result is inadvertent access token exposure even in mature organizations. In September 2023, Microsoft was found to have shared a repository of open-source AI training data using an unrestricted Azure Shared Access Signature (SAS) token. The token was scoped to the entire storage account rather than to the intended data, which exposed 38 terabytes of additional content, including private keys, passwords and other sensitive information. A SAS token is a bearer credential: anyone holding the URL has whatever permissions it encodes until it expires, and an ad-hoc token cannot be revoked without rotating the storage account key.
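As an added example (editor's code, not Microsoft's or any researcher's tooling), the following Python script audits a SAS URL for the properties that turn a shared link into a whole-account exposure: account-level scope, write and delete permissions, and a far-off expiry. The two URLs, the storage account name and the signature values are constructed placeholders; the parameter names (sv, ss, srt, sr, sp, se, st, spr, si, sig) are the ones Azure Storage uses.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed examples (hypothetical account name, signatures replaced by a placeholder).
# The first is an account-level SAS with broad permissions and a far-off expiry, the shape
# of token that turns one shared URL into access to an entire storage account.
BROAD_SAS_URL = ("https://researchdata.blob.core.windows.net/?sv=2020-08-04&ss=bfqt&srt=sco"
                 "&sp=rwdlacup&se=2051-01-01T00:00:00Z&st=2021-01-01T00:00:00Z"
                 "&spr=https&sig=PLACEHOLDER")
# A scoped alternative: read-only, one blob, one-hour lifetime.
NARROW_SAS_URL = ("https://researchdata.blob.core.windows.net/models/weights.bin"
                  "?sv=2020-08-04&sr=b&sp=r&se=2023-09-01T01:00:00Z&spr=https&sig=PLACEHOLDER")

# Permission letters that let the holder change or delete data (write, delete, add,
# create, delete-version, permanent-delete, update, process/permissions, move,
# immutability, ownership). Read (r) and list (l) are deliberately excluded.
MUTATING_PERMS = set("wdacxyupmio")


def _parse_time(value):
    """Parse the ISO-8601 UTC forms Azure accepts in st/se; return None if unparseable."""
    if isinstance(value, datetime):
        return value
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def audit_sas(url, now=None, max_lifetime_days=7):
    """Flag over-broad scope, write permissions and long lifetimes in a SAS URL.

    The signature itself cannot be checked without the account key; everything
    this function looks at is carried in cleartext query parameters.
    """
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in params or "sv" not in params:
        raise ValueError("not a SAS URL: missing sig/sv parameters")
    now = _parse_time(now) if now else datetime.now(timezone.utc)
    perms = set(params.get("sp", ""))
    findings = []

    # ss/srt only appear on account SAS tokens, which are not bound to one container.
    if "ss" in params or "srt" in params:
        scope = "account"
        findings.append("account SAS: grants access across the whole storage account, "
                        "not a single container or blob")
    else:
        sr = params.get("sr", "")
        scope = {"b": "blob", "c": "container", "d": "directory"}.get(sr, sr or "unknown")
        if sr in ("c", "d") and "l" in perms:
            findings.append("container/directory SAS with list permission: "
                            "every blob beneath it can be enumerated")

    mutating = "".join(sorted(perms & MUTATING_PERMS))
    if mutating:
        findings.append(f"write-capable permissions '{mutating}': holder can modify "
                        "or delete data, not just read it")

    # A service SAS tied to a stored access policy (si) may carry its expiry on the
    # policy, so only a token with neither se nor si is flagged as never expiring.
    expiry = _parse_time(params["se"]) if "se" in params else None
    lifetime_days = None
    if expiry is None:
        if "si" not in params:
            findings.append("no expiry (se) and no stored access policy (si): "
                            "the token never expires on its own")
    else:
        lifetime_days = (expiry - now).total_seconds() / 86400
        if lifetime_days > max_lifetime_days:
            findings.append(f"expiry {params['se']} is {lifetime_days:.0f} days out "
                            f"(limit {max_lifetime_days}); revoking it early means rotating "
                            "the account key or, for a policy-bound service SAS, deleting the policy")

    if params.get("spr", "https") != "https":
        findings.append("spr permits plain http: the token can be captured in transit")

    return {"scope": scope, "permissions": "".join(sorted(perms)),
            "lifetime_days": lifetime_days, "findings": findings}


if __name__ == "__main__":
    for url in (BROAD_SAS_URL, NARROW_SAS_URL):
        report = audit_sas(url, now="2023-09-01T00:00:00Z")
        print(report["scope"], report["permissions"], report["lifetime_days"])
        for finding in report["findings"]:
            print("  -", finding)
```

Run it as a link-review step before a SAS URL is published: a token meant for public sharing should come back with scope "blob" or "container", read-only permissions and a lifetime measured in hours, not decades. The check can only tell you what a token grants, not whether its signature is valid, since that requires the account key.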
Usually, attackers have to work harder to breach these systems. In a sophisticated intrusion disclosed in July 2023, the China-based threat actor Microsoft tracks as Storm-0558 compromised email accounts at roughly 25 organizations, including several U.S. federal agencies. The breach relied on a stolen Microsoft account (MSA) consumer signing key, which Microsoft uses to sign the authentication tokens issued when users log in to consumer Microsoft accounts. According to Microsoft's findings, the attack most likely began with the compromise of a Microsoft engineer's corporate account, which gave the attackers access to the engineer's debugging environment. There they located an MSA key that had been left in a crash dump that should have been scrubbed of key material but was not. Subsequently, this key was used to forge authentication tokens for Outlook Web Access in Exchange Online and Outlook.com; because of a token-validation flaw, tokens signed with the consumer key were also accepted for enterprise accounts, which is how the attackers reached organizational mailboxes. Remarkably, the crash that produced the dump dates back to April 2021, roughly two years before the key was abused.
Such attacks are not limited to cloud service providers. Managed service providers, identity providers and any entity that handles access tokens or related sensitive material are also targets. In a notable incident in October 2023, Okta, a central part of many organizations' identity and authentication supply chain, suffered a breach that affected its entire customer-support user base. The intrusion began with stolen credentials that gave unauthorized access to Okta's customer support management system, and from there to files customers had uploaded to support cases, including HTTP Archive (HAR) files. HAR files are recordings of browser traffic, so unless they are sanitized before upload they contain cookies, session tokens and bearer headers, and whoever obtains them can replay those artifacts to log in as the user or hijack live sessions. Customers later reported attempts to use their stolen artifacts to gain unauthorized access to their systems. Okta had already suffered a serious breach in 2022.
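As an added example (editor's code, not Okta's sanitizer or any customer's tooling), here is a Python sanitizer that scrubs a HAR file of the artifacts described above before it is attached to a support case: session cookies, Set-Cookie and Authorization headers, token-bearing query parameters and URL fragments, and access, ID and refresh tokens inside JSON or form-encoded bodies. The embedded HAR is constructed, with hypothetical hosts and token values; its field layout follows the HAR 1.2 format.

```python
import copy
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "REDACTED"
# Header names whose values carry credentials or session state (compared case-insensitively).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization",
                     "x-api-key", "x-auth-token"}
# Query-string, form and JSON field names that commonly carry tokens, codes or signatures.
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "refresh_token", "code",
                    "session", "sessionid", "sig", "api_key", "apikey", "client_secret"}
_ALTS = "|".join(sorted(SENSITIVE_PARAMS))
# "access_token": "..." inside JSON bodies.
_JSON_KV = re.compile(rf'("(?:{_ALTS})"\s*:\s*")[^"]*(")', re.IGNORECASE)
# refresh_token=... inside form-encoded bodies; the lookbehind stops "token=" from
# matching the tail of a longer name and leaves values such as grant_type=refresh_token alone.
_FORM_KV = re.compile(rf'(?<!\w)((?:{_ALTS})=)[^&\s]*', re.IGNORECASE)

# Constructed HAR excerpt: an API call carrying a session cookie, then a token refresh.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET",
                 "url": "https://example.okta.com/api/v1/users/me?token=abc123&limit=5",
                 "headers": [{"name": "Cookie", "value": "sid=s3cr3t-session"},
                             {"name": "User-Agent", "value": "Mozilla/5.0"}],
                 "cookies": [{"name": "sid", "value": "s3cr3t-session"}],
                 "queryString": [{"name": "token", "value": "abc123"},
                                 {"name": "limit", "value": "5"}]},
     "response": {"status": 200,
                  "headers": [{"name": "Set-Cookie", "value": "sid=new-session; HttpOnly"}],
                  "cookies": [{"name": "sid", "value": "new-session"}],
                  "content": {"mimeType": "application/json",
                              "text": '{"access_token":"eyJhbGci.example","expires_in":3600}'}}},
    {"request": {"method": "POST", "url": "https://login.example.com/oauth2/token",
                 "headers": [{"name": "Authorization", "value": "Bearer eyJ.example"}],
                 "cookies": [], "queryString": [],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "grant_type=refresh_token&refresh_token=r3fr3sh&client_id=app",
                              "params": [{"name": "refresh_token", "value": "r3fr3sh"}]}},
     "response": {"status": 200, "headers": [], "cookies": [],
                  "content": {"mimeType": "application/json",
                              "text": '{"token_type":"Bearer","id_token":"eyJ.example"}'}}},
]}}


def _redact_pairs(items, names=None):
    """Redact values in a HAR name/value list; names=None redacts every entry (cookies)."""
    n = 0
    for item in items:
        if (names is None or item.get("name", "").lower() in names) and item.get("value") != REDACTED:
            item["value"] = REDACTED
            n += 1
    return n


def _redact_url(url):
    """Redact sensitive query parameters and drop the fragment (implicit OAuth flows put tokens there)."""
    parts = urlsplit(url)
    n, cleaned = 0, []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAMS:
            value, n = REDACTED, n + 1
        cleaned.append((key, value))
    if parts.fragment:
        n += 1
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(cleaned), "")), n


def _redact_text(text):
    """Redact token-bearing fields in JSON or form-encoded request/response bodies."""
    text, n1 = _JSON_KV.subn(lambda m: m.group(1) + REDACTED + m.group(2), text)
    text, n2 = _FORM_KV.subn(lambda m: m.group(1) + REDACTED, text)
    return text, n1 + n2


def sanitize_har(har):
    """Return (sanitized deep copy, number of redactions); the input is left untouched."""
    clean, total = copy.deepcopy(har), 0
    for entry in clean.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        total += _redact_pairs(req.get("headers", []), SENSITIVE_HEADERS)
        total += _redact_pairs(req.get("cookies", []))
        total += _redact_pairs(req.get("queryString", []), SENSITIVE_PARAMS)
        if "url" in req:
            req["url"], n = _redact_url(req["url"])
            total += n
        post = req.get("postData")
        if post:
            total += _redact_pairs(post.get("params", []), SENSITIVE_PARAMS)
            if "text" in post:
                post["text"], n = _redact_text(post["text"])
                total += n
        resp = entry.get("response", {})
        total += _redact_pairs(resp.get("headers", []), SENSITIVE_HEADERS)
        total += _redact_pairs(resp.get("cookies", []))
        content = resp.get("content", {})
        if "text" in content:
            content["text"], n = _redact_text(content["text"])
            total += n
    return clean, total


if __name__ == "__main__":
    sanitized, count = sanitize_har(SAMPLE_HAR)
    print(f"{count} values redacted")
    print(json.dumps(sanitized, indent=1))
```

Redacting only the Cookie header is not enough: HAR exports duplicate cookie values into the cookies arrays, carry bearer tokens in response bodies and URL fragments, and whatever survives in the file is what the support desk (and anyone who breaches it) receives. Treat a HAR that was uploaded unsanitized as a live session exposure and revoke the sessions it contains.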
In some instances, attackers use access to cloud collaboration services such as Microsoft Teams as a social-engineering channel. Microsoft reported a notable example in August 2023 involving the Russian state-linked group Midnight Blizzard, which used Teams to defeat multi-factor authentication (MFA) and obtain user tokens. Midnight Blizzard first took over Microsoft 365 tenants belonging to small businesses and created new domains within those tenants with names suggesting technical support or security teams. Those domains were then used to send phishing messages over Microsoft Teams to users in other organizations, with the aim of getting the targets to complete an MFA challenge on the attackers' behalf.
The attackers sent Teams chat requests and messages while impersonating technical support or a security team, and persuaded users to enter a specific code into their Microsoft Authenticator app. That code was the number-matching prompt for a sign-in the attackers had already initiated (using a previously obtained password, or a passwordless flow), so by entering it the user approved the attacker's session. This gave the group a token for the user's Microsoft 365 account and enabled further unauthorized activity.
Attacks using stolen tokens can run top-down, as in the Microsoft and Okta cases, where compromising a service provider yielded access to its clients' systems. They can also run bottom-up, starting with the breach of a customer's own environment: once inside, the attacker hunts for tokens and credentials that unlock cloud services and uses them to move laterally through the victim's estate.
An example of the latter was the disruptive attack on the Technion – Israel Institute of Technology, a leading Israeli university, by actors linked to the Iranian government. The attackers gained on-premises access by exploiting unpatched vulnerabilities and eventually took over a privileged account with access to the Azure AD agent. From it they extracted plaintext credentials for a privileged Azure AD account, which let them destroy much of the Azure environment: server farms, virtual machines, storage accounts and more were deleted.
Remote management of cloud infrastructure brings its own identity-verification challenges, and these incidents show that the weak point is often not the end user but the provider and the operational data around it: crash dumps, support uploads, shared storage links and sync agents that hold live keys and tokens. Advanced threat actors are increasingly bypassing end users and targeting cloud service providers and their supply chains directly. Countering this requires a concerted response from all stakeholders. Beyond configuration management and multi-factor authentication (MFA), organizations need comprehensive sanitization of any data that leaves a secured boundary (debug artifacts, support uploads, shared URLs), together with short-lived and narrowly scoped tokens so that an exposure, when it happens, has a limited blast radius.