As more information is unearthed about the SolarWinds attack, the most recent information reveals that hackers were able to bypass MFA (multi-factor authentication) to breach systems and email accounts. This alarming find only proves that nothing is completely failsafe when it comes to cybersecurity.
According to BleepingComputer on January 13, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced that the SolarWinds hackers were able to bypass MFA to access “ compromised cloud service accounts.”
The report issued by CISA last Wednesday said, “The cyber threat actors involved in these attacks used a variety of tactics and techniques—including phishing, brute force login attempts, and possibly a ‘pass-the-cookie’ attack—to attempt to exploit weaknesses in the victim organizations’ cloud security practices.”
How Was it Possible?
The Bleeping Computer explains how this was possible “CISA believes that the threat actors were able to defeat MFA authentication protocols as part of a ‘pass-the-cookie’ attack in which attackers hijack an already authenticated session using stolen session cookies to log in to online services or web apps.”
They went onto explain further, “The agency also observed attackers using initial access gained after phishing employee credentials to phish other user accounts within the same organization by abusing what looked like the organization’s file hosting service to host their malicious attachments.”
The CISA report divulged that “In addition to modifying existing user email rules, the threat actors created new mailbox rules that forwarded certain messages received by the users (specifically, messages with certain phishing-related keywords) to the legitimate users’ Really Simple Syndication (RSS) Feeds or RSS Subscriptions folder in an effort to prevent warnings from being seen by the legitimate users.”
Poor Cybersecurity Practices is the Ultimate Culprit
The FBI has warned companies about scammers using auto-forwarding rules to breach email clients in a Business Email Compromise (BEC) attack.
CISA’s final determination is that even with the high-level skills of threat actors behind the Solar Winds attack, most of these incidents were due to “weak cyber hygiene practices,” which cannot overrule decent cybersecurity solutions.
The biggest threat to any organization is that one employee who clicks a link in a phishing email and then fills out a form on a malicious website using their company credentials to log in.
Although admittedly, the hacker group who attacked the SolarWinds supply chain was sophisticated, the weak link remains the employees and poor cybersecurity practices in place.
The number one item that should be on every corporate agenda is to educate employees about phishing attacks, cybersecurity best practices, and proper protocol. Just doing that could cut the number of successful hacking incidents by a huge percentage. Some of the items to cover with employees are:
Never click links or download attachments in email.
Never install software without authorization from the IT department or from untrusted sources.
Never, ever provide login details to anyone who asks for them.
Keep only long, strong passwords that do not have anything to do with your personal life, details, or preferences that someone could guess.
Limit sharing personal information online, especially on social media.
Always enable multi-factor authentication when possible.
Always be on the lookout for scams, fraud, and phishing.
Keep all devices updated with the latest security patches.
Install and run frequently good, reputable antivirus software.
The best way to stay safe is common sense. The more your staff knows how to protect their own logins and personal devices, the stronger the company will be as a whole.