Evolved Cloud Phishing Techniques Explained and Lessons Learned From Recent Dropbox & Uber Hack

Cloud computing gives phishers a new playground in which to harvest credentials and grow their business. Worse, the impact is now much broader and more dangerous. No organization, small or big, is invulnerable to phishing attacks, so it is critical to learn how you might be targeted and what you can do to prevent it.

SaaS-based phishing is already familiar. For example, over 90% of all data breaches are due to phishing, from stolen credentials to malicious URLs. Also, according to a report from Palo Alto Networks Unit 42, researchers have seen a massive increase in this abuse, with the firm's data showing an expansion of 1,100% from June 2021 to June 2022.

With advances in technology, defenders can leverage more sophisticated tools and techniques to detect and block phishing emails, links, and messages, but attackers are also improving their side of the cat-and-mouse game. While most social engineering attacks are still delivered by email, one-third of IT professionals reported increased social engineering delivered via other communication platforms in 2022: video conferencing platforms (44%), workforce messaging platforms (40%), cloud-based file-sharing platforms (40%), and SMS (36%). Moreover, phishing on social media is increasingly common; in Q1 2022, LinkedIn users were targeted in 52% of all phishing attacks globally. According to Proofpoint's 2022 State of the Phish report, employees at 74% of organizations have been sent fraudulent text messages (smishing), and the same percentage have been targeted on social media.

A Hard-to-Detect New Phishing Technique — SaaS-to-SaaS

All of this can happen without the attacker ever touching the victim's on-prem computers or network.
Because the whole chain runs SaaS-to-SaaS, the existing security measures, such as the anti-spam gateway, sandboxing, and URL filtering, never inspect it, so no alert is generated. Furthermore, with the rise of cloud office productivity and multi-user collaboration tools, an attacker can now host and share malicious documents, files, and even malware on the cloud infrastructure of these reputable domains while remaining undetected.

Since the Check Point Research findings in 2020, we have seen a trend toward this "multi-stage" SaaS-to-SaaS phishing attack.

The first stage of such an attack is frequently a fake invoice or "secure document" PDF hosted on a cloud service. The document can be downloaded; however, it is essential to note that, for convenience, these cloud services also open the PDF for viewing, letting it load in the web browser without restriction or warning.

It is hard to detect because it does not necessarily pass through the protection that has been deployed. As we saw in the news about AWS cloud phishing attempts in August, if phishing detection is implemented only at the entrance and exit of the email flow, it never sees the attack happen. All actions occur in the cloud (or in multiple clouds); when detection or scanning takes place, everything looks legitimate and is carried over encrypted connections. Most likely, the phishing email will reach the victim's machine, and all the magic happens in the browser.

Multi-stage Cloud Phishing

Early this year, Microsoft warned of new phishing leveraging Azure AD that preys upon those who don't use multifactor authentication. This attack thrives now, and not before, because attackers take advantage of the concept of BYOD (Bring-Your-Own-Device): a newly stolen credential can be used to register a device, and cloud authentication is accessible anytime, anywhere. Beyond that, nothing is out of the ordinary; the technique is novel only in that it combines traditional phishing with second-phase or even third-phase actions.
The first stage steals an employee's email credentials, just like a regular phishing attack. Yet instead of attacking the victim directly, the second stage uses the stolen credentials to register a rogue device and set up Office 365 on it in the victim's name. Once established on that device, the victim's user account (and, in this case, its Azure AD identity) is used to send internal phishing messages, disguised as the victim, within the company or to customers from the legitimate email account. These multi-stage attacks appear legitimate and can even deploy malware on the company's OneDrive or SharePoint systems. If the attackers want more control or a better "host," they find it through the first victim and then compromise a second account by internal phishing.

ChatGPT (or Other AI)

According to HP Wolf Security research, phishing accounts for nearly 90% of malware attacks. ChatGPT could make the situation even worse. Such an intelligent 🧠 AI chatbot can be a way to gather information through a human-like, friendly chat, so the victim may not even know they are interacting with an AI.

Check Point Research recently published an interesting article demonstrating how AI models could create a full infection flow, from spear-phishing to reverse shell:
https://research.checkpoint.com/2022/opwnai-ai-that-can-save-the-day-or-hack-it-away/

Multiple scripts can be generated quickly, with variations. Complex attack processes can also be automated, using the LLM APIs to generate other malicious artifacts.

Another risk is more prominent: AI technology like ChatGPT will enable attackers to blend the volume of mass phishing with the precision of a targeted attack (spear-phishing). Generic phishing campaigns send out millions of spam messages as emails, SMS (in the case of smishing), and social media posts, but these are easy to spot, resulting in a low yield. With an AI chatbot, millions of individually tailored spear-phishing messages could be generated in seconds.
Thus the attackers can have the best of both worlds. In 2023, therefore, we will probably see large-scale phishing campaigns that send millions of unique messages generated within minutes. That would be a tremendous challenge for security teams.

Other Novel Phishing Techniques

QRishing

QRishing combines the words "QR code" and "phishing": the lure is delivered as a QR code. Attackers are now trying to deliver malware links via QR codes embedded in emails, which makes them difficult to detect for most email security solutions, because the URL is hidden inside an image rather than written in the message. A malicious code can also direct the victim into connecting to an unsecured Wi-Fi network, where someone can easily capture what they type.

Some adversaries even stick malicious QR codes in restaurants or other public locations. Since the pandemic limited physical contact, QR codes have become a popular tool for threat actors: we use them to access menus, check in for vaccinations, and get public information. Another social engineering tactic is inserting fake QR codes into a phishing text (smishing + QRishing) or a social media post. Upon scanning the malicious code, users are redirected to a phishing site, where the victim may be prompted to log in so that the attacker can steal their credentials.

SMishing

Smishing combines the words "phishing" and "SMS": it is phishing sent across your mobile network in the form of text messages. Although the name refers to SMS, the attack also happens on other messaging platforms, such as Facebook Messenger or WhatsApp. Common smishing attempts focus on everyday necessities: missed deliveries, late payments, bank notifications, fines, and urgent notices. With so many people staying at home and shopping online daily, we're awash in cardboard, and it is very hard to keep track of everything coming into the house. Combining a well-known delivery service with a fake "delivery fee" notification is the best recipe for a successful smishing campaign.

Crown Jewel = Developer Accounts

Why are threat actors trying to compromise developer accounts, and what can go wrong if they are stolen? Depending on the developer's position, attackers gain access to nearly everything: SSH keys, API keys, source code, production infrastructure, CI/CD pipelines, the works.

Assume the "best case," in which a junior engineer's account is stolen. At the very least, this engineer has commit access to the source code. If the organization does not follow software engineering best practices such as code review and restricting who can commit to the main branch, the attacker can modify the organization's source code to alter and infect the final product.

In the worst case, which is also the most likely, the attacker gains access to a senior developer's account with more permissions. Such an account can manually bypass some code checks and has access to valuable resources (source code, SSH keys, secrets, credentials, API keys, CI/CD pipelines, and more). A compromise of this kind of account would be devastating for an organization. Developer accounts usually come with access to GitHub or another code repository.

Dropbox & Uber

In September, Uber disclosed that it had been hacked. Later, we learned that the hack was related to a hard-coded credential obtained through a remote social engineering attack. In November, Dropbox had a security incident due to a phishing attack against its developers. They were lured by a phishing email onto a fake website, where they filled in their GitHub credentials despite multifactor authentication (MFA) being in place. What makes these incidents scary is that the victims weren't random users from a business function; they were developers with privileged access to a great deal of Dropbox and Uber data.
MFA Fatigue

Both of these giant tech companies had multifactor authentication in place. Still, the hackers found a way to bypass or work around a measure that prevents most credential theft.

In the case of Uber, the hacker (allegedly a 17-year-old) was creative and came up with a low-tech but very effective method: an "MFA-fatigue" attack. The attacker attempts to log in repeatedly, sending a flood of push requests asking the victim to confirm a sign-in. Once the victim stopped tapping "No" on their phone and approved one of the prompts, the login was authorized, and MFA had failed.

The Dropbox case is much simpler. The phishing email purported to originate from the code integration and delivery platform CircleCI. A realistic-looking phishing site then tricked the developer into typing in their credentials and their one-time password. Because a one-time password is just another secret typed into a form, a phishing site that relays it in real time can use it before it expires, so this form of MFA also failed.

Code Repo and More

As we saw in these incidents, GitHub and other platforms in the continuous integration/continuous deployment (CI/CD) pipeline space are the new "crown jewels" for many companies. With the proper permissions, attackers can obtain intellectual property, source code, and other sensitive data. But it doesn't stop there: GitHub often integrates with other platforms, which lets the permitted "users" go even further. In addition, developer accounts are usually granted access at the deepest level, since maintaining and developing the core application is part of their job. That makes the developer account a crown jewel for attackers.

How to Improve Your Phishing Defenses

According to industry statistics, the average organization receives dozens of phishing emails per day, and the financial losses compound as malware and ransomware drive up the average cost of a landed phishing attack year over year.
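Before the recommendations, here is an added example (not code from the original article, from Uber or Dropbox, or from any vendor) of how the MFA-fatigue pattern described above looks in authentication telemetry and how to flag it: a burst of denied or unanswered push prompts for one user, followed by an approval. The SignIn record, the CSV-style sample log, and the ten-minute/five-prompt thresholds are constructed assumptions; real Azure AD, Okta or Duo logs use different field names and must be mapped onto SignIn first.

```python
"""Flag MFA push-bombing ("MFA fatigue") in authentication telemetry.

Added example, not code from the original article, Uber, Dropbox, or any
vendor.  The SignIn record and the sample log below are constructed: real
Azure AD, Okta, or Duo logs carry different field names, so map them onto
SignIn before calling detect_mfa_fatigue().
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    ts: datetime      # when the push prompt was answered or timed out
    user: str
    ip: str           # source of the password-only login that triggered the push
    mfa_result: str   # "approved", "denied" or "timeout"


@dataclass(frozen=True)
class Alert:
    user: str
    ip: str
    prompts_before_approval: int
    first_prompt: datetime
    approved_at: datetime


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_prompts=5):
    """Return an Alert for every approval that follows at least `min_prompts`
    denied or unanswered push prompts for the same user within `window`.

    A single denial followed by an approval (user mis-tapped) is not flagged,
    and neither is a slow trickle of denials hours apart, because prompts
    older than `window` are discarded before each event is examined.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        pending = []  # denied/timed-out prompts still inside the window
        for e in evs:
            pending = [p for p in pending if e.ts - p.ts <= window]
            if e.mfa_result in ("denied", "timeout"):
                pending.append(e)
            elif e.mfa_result == "approved":
                if len(pending) >= min_prompts:
                    alerts.append(Alert(user, e.ip, len(pending),
                                        pending[0].ts, e.ts))
                pending = []  # an approval ends the burst either way
    return alerts


def parse_log(lines):
    """Parse constructed 'ts,user,ip,mfa_result' lines into SignIn records."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, ip, result = line.split(",")
        out.append(SignIn(datetime.fromisoformat(ts), user, ip, result))
    return out


# Constructed sample, not real telemetry: alice is being push-bombed and
# finally approves; bob mis-taps once; carol's denials are 30 minutes apart.
SAMPLE_LOG = """\
# ts,user,ip,mfa_result
2022-09-15T01:02:10,alice,203.0.113.7,denied
2022-09-15T01:03:05,alice,203.0.113.7,timeout
2022-09-15T01:03:50,alice,203.0.113.7,denied
2022-09-15T01:04:40,alice,203.0.113.7,timeout
2022-09-15T01:05:30,alice,203.0.113.7,denied
2022-09-15T01:06:20,alice,203.0.113.7,denied
2022-09-15T01:07:10,alice,203.0.113.7,timeout
2022-09-15T01:09:00,alice,203.0.113.7,approved
2022-09-15T08:00:00,bob,198.51.100.4,denied
2022-09-15T08:00:30,bob,198.51.100.4,approved
2022-09-15T09:00:00,carol,192.0.2.9,denied
2022-09-15T09:30:00,carol,192.0.2.9,denied
2022-09-15T10:00:00,carol,192.0.2.9,denied
2022-09-15T10:30:00,carol,192.0.2.9,denied
2022-09-15T11:00:00,carol,192.0.2.9,denied
2022-09-15T11:30:00,carol,192.0.2.9,approved
"""


def run(log=SAMPLE_LOG):
    return detect_mfa_fatigue(parse_log(log.splitlines()))


if __name__ == "__main__":
    for a in run():
        print(f"{a.user}: {a.prompts_before_approval} prompts from {a.ip} "
              f"between {a.first_prompt:%H:%M:%S} and {a.approved_at:%H:%M:%S}")
```

Only alice is flagged. Tune the window and threshold to your own push-prompt volume, and treat a hit as a likely compromised password even if the victim never approved: the attacker can only trigger prompts because the first factor already fell. Number matching or a cap on prompts per user per window removes this bypass at the source.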
Facing all the threats highlighted here requires extra effort. While you can't eliminate the risk of phishing attacks, you can learn from observed trends and incidents to manage them better. For example, here are the recommendations from the recent Zscaler report:

Understand the risks to better inform policy and technology decisions
Leverage automated tools and actionable intel to reduce phishing incidents
Implement zero-trust architectures to limit the blast radius of successful attacks
Deliver timely training to build security awareness and promote user reporting
Simulate phishing attacks to identify gaps in your program

Beyond these five basic mitigations, we can do more, so I will end this article with tips you can take with you. Knowing that phishers will eventually find a way to get to you, building greater cyber-resilience is an excellent place to begin.

Tip #1: A multi-layered phishing defense

Typical email security against phishing often relies exclusively on a single guard point, such as the email gateway or an endpoint/mobile agent. Everything that passes that gate then depends on users being able to spot the phishing message, and attackers are now sharpening their weapons with multi-stage phishing. Conversely, a layered defense improves cyber-resilience without disrupting business productivity, and it provides multiple chances to detect and catch a phishing email:

Reach: Prevent the email from reaching the user's inbox. This can be achieved with anti-phishing security software such as spam filters. In addition, anti-spoofing controls should be implemented: SPF, DKIM, and DMARC records.

Identify: Most data breaches are initiated through a phishing email and human error. Therefore, staff should have regular training in identifying the latest phishing emails.
This enables them to follow the company process when an incident does occur, which should include reporting it to the relevant team.

Protect: Protections should be in place for when incidents do occur. These include, but are not limited to, enforcing multifactor authentication (MFA), password managers, regular IT health checks, and endpoint defenses.

Respond: Staff should be able to report phishing incidents to the relevant team. A dedicated security logging and alerting system should be in place, as well as an incident response plan.

Even if some attacks get through, this approach helps with incident response and minimizes the impact.

Tip #2: Just-in-time (JIT) access

Privileged access entails significant danger, Gartner claims. The risk posed by users with standing privileges persists even with PAM tools, and it is considerable. Gartner suggests that identity and access management (IAM) leaders use just-in-time (JIT) solutions to finally achieve a posture of no standing privileges. The JIT approach gives users access to privileged resources only while they are working on a task that needs them, which reduces the attack surface and eliminates the risk of persistently held privileges. For example, when developers use their credentials to set up or modify production resources, grant them the appropriate permissions just for that work, with only the capabilities required to complete the specified task.

Tip #3: Review mailbox forwarding

Threat actors use compromised accounts not only to steal internal data but also to read the user's email, distribute malware, send spam, learn about the user in order to launch second-stage phishing, and forward emails to external recipients. Attackers may set up mailbox rules to conceal their activity from the user by hiding incoming emails in the compromised mailbox.
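Tip #3 calls for a scheduled review of mailbox rules. As an added example (not code from the original article or from Microsoft), here is a review of exported inbox rules and mailbox-level forwarding settings that flags the patterns this tip describes: forwarding to external addresses, deleting messages, moving them to rarely viewed folders such as RSS Feeds, marking them read so the user never notices, and filtering on keywords such as "password" or "invoice". The records, the internal domain list, and the folder and keyword lists are constructed assumptions; the field names only loosely follow what Exchange Online's Get-InboxRule and Get-Mailbox cmdlets return, so export and map your own tenant's data before using it.

```python
"""Review exported mailbox rules for the patterns a phisher leaves behind.

Added example, not code from the original article or from Microsoft.  The
records below are constructed; their field names loosely follow what Exchange
Online's Get-InboxRule and Get-Mailbox return, but you must export and map
your own tenant's data (and list your own domains) before using this.
"""
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organization's own domains
# Folders a user rarely opens, so a moved message is effectively hidden.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "junk email",
                  "deleted items", "archive", "conversation history"}
# Keywords attackers filter on to intercept resets, invoices, and warnings.
SUSPICIOUS_WORDS = {"password", "invoice", "payment", "wire", "phish",
                    "hacked", "security", "helpdesk", "suspicious"}


@dataclass
class InboxRule:
    mailbox: str
    name: str
    enabled: bool = True
    forward_to: list = field(default_factory=list)        # ForwardTo / RedirectTo
    delete_message: bool = False                          # DeleteMessage
    move_to_folder: str = ""                              # MoveToFolder
    mark_as_read: bool = False                            # MarkAsRead
    subject_contains: list = field(default_factory=list)  # SubjectContainsWords


@dataclass
class MailboxConfig:
    mailbox: str
    forwarding_smtp_address: str = ""  # ForwardingSmtpAddress, "smtp:user@domain"


def _domain(addr: str) -> str:
    addr = addr.lower()
    if addr.startswith("smtp:"):
        addr = addr[5:]
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def review_rule(rule: InboxRule) -> list:
    """Return (severity, reason) findings for one inbox rule; [] if clean."""
    if not rule.enabled:
        return []
    findings = []
    external = [a for a in rule.forward_to if _domain(a) not in INTERNAL_DOMAINS]
    if external:
        findings.append(("high", "forwards to external address(es): " + ", ".join(external)))
    if rule.delete_message:
        findings.append(("high", "deletes matching messages"))
    if rule.move_to_folder.lower() in HIDING_FOLDERS:
        findings.append(("medium", f"moves matching messages to '{rule.move_to_folder}'"))
    if rule.mark_as_read and (rule.move_to_folder or rule.delete_message):
        findings.append(("medium", "marks as read and hides, so the user never sees the message"))
    words = [w for w in rule.subject_contains if w.lower() in SUSPICIOUS_WORDS]
    if words:
        findings.append(("medium", "filters on sensitive keywords: " + ", ".join(words)))
    if not rule.name.strip(" ."):
        findings.append(("low", "rule name is blank or only dots, a common evasion"))
    return findings


def review_mailbox(cfg: MailboxConfig) -> list:
    """Mailbox-level SMTP forwarding needs no inbox rule at all, so check it too."""
    if cfg.forwarding_smtp_address and _domain(cfg.forwarding_smtp_address) not in INTERNAL_DOMAINS:
        return [("high", f"mailbox-level forwarding to {cfg.forwarding_smtp_address}")]
    return []


def review_all(rules, configs):
    """Return {mailbox: [(rule_name, severity, reason), ...]} for mailboxes with findings."""
    report = {}
    for r in rules:
        for sev, why in review_rule(r):
            report.setdefault(r.mailbox, []).append((r.name, sev, why))
    for c in configs:
        for sev, why in review_mailbox(c):
            report.setdefault(c.mailbox, []).append(("<mailbox>", sev, why))
    return report


# Constructed sample data, not from a real tenant.
SAMPLE_RULES = [
    # Classic post-compromise rule: unnamed, forwards out, deletes, hides alerts.
    InboxRule("alice@example.com", "..", forward_to=["attacker@outlook.example"],
              delete_message=True, mark_as_read=True,
              subject_contains=["password", "invoice"]),
    # Legitimate housekeeping.
    InboxRule("bob@example.com", "Newsletters", move_to_folder="Newsletters",
              subject_contains=["digest"]),
    # Quieter variant: only parks warnings where nobody looks.
    InboxRule("carol@example.com", "Security alerts", move_to_folder="RSS Feeds",
              mark_as_read=True, subject_contains=["security"]),
    # Internal forward to a colleague: allowed.
    InboxRule("dave@example.com", "Copy to team", forward_to=["team@example.com"]),
]
SAMPLE_CONFIGS = [
    MailboxConfig("alice@example.com", forwarding_smtp_address="smtp:attacker@outlook.example"),
    MailboxConfig("eve@example.com"),
]


if __name__ == "__main__":
    for mailbox, items in review_all(SAMPLE_RULES, SAMPLE_CONFIGS).items():
        print(mailbox)
        for name, sev, why in items:
            print(f"  [{sev}] rule {name!r}: {why}")
```

In Exchange Online the inputs come from Get-InboxRule (per mailbox), Get-Mailbox (ForwardingSmtpAddress and ForwardingAddress), and Get-TransportRule for organization-wide transport rules, which this example does not cover; the New-InboxRule, Set-InboxRule and Set-Mailbox operations in the unified audit log give you the creation time and client IP needed for the "usual IP address" check the tip recommends.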
Attackers may also create rules in the compromised mailbox to delete emails, move them to a less visible folder such as the RSS Feeds folder, or forward them to an external account. Emails can be forwarded manually or automatically. Automatic forwarding can be accomplished in various ways, including inbox rules, Exchange transport rules (ETR), and SMTP forwarding. While manual forwarding requires the user to take direct action, users may not be aware of all auto-forwarded emails. It would be wise to schedule a review of all forwarding rules to external addresses and to check that each rule was not created from an unusual IP address and that it corresponds to the user's usual activity.

Final Words

The reality is that no one can stop phishing entirely as long as the human factor is in the formula. As a result, the best we can do in the long term is to adopt a Zero Trust architecture for email security, which would be a much more granular design of the multi-layered defense approach. A Zero Trust approach to email, focusing on authentication (verifying user and device trust), can help organizations defend against email impersonation attacks by ensuring that emails entering the corporate environment or landing in end users' inboxes are from legitimate individuals, brands, and domains.
https://hackernoon.com/introduction-to-the-zero-trust-security-architecture-a-concept-not-a-product

Software developers hold a privileged position in every technical organization. They are the lynchpin of any modern company because of their upstream access to the products distributed to clients and their access to production systems and infrastructure. If developers aren't protected, the security organization fails, and catastrophe follows.

If you unfortunately fall for a phishing attack, please do the following:

Contact the IT department and let them know the situation
Reset the password for the affected account and for every other account that used the same password; do not reuse passwords
Monitor the account with care for 30 days

Finally, NIST developed a method (the Phish Scale) to help security teams see why users click on phishing emails:
https://www.nist.gov/news-events/news/2020/09/phish-scale-nist-developed-method-helps-it-staff-see-why-users-click

Thank you for reading. May InfoSec be with you🖖.