What is the threat?
Researchers from Proofpoint recently analysed over one hundred thousand unauthorized login attempts across millions of monitored Office 365 and G Suite cloud accounts. The attacks are password-spraying campaigns (a form of brute force that tries a few common or leaked passwords against many accounts rather than many passwords against one) carried out over the Internet Message Access Protocol (IMAP). IMAP uses basic authentication, a username and password only, so the service never gets the chance to demand a second factor and these logins sidestep multi-factor authentication (MFA) entirely. Of the tenants observed, approximately 25% experienced at least one successful breach. With accounts compromised and their credentials effectively stolen, the attackers then sent internal phishing emails from those accounts to spread malware and extend their foothold within the victims' networks.
Why is this noteworthy?
MFA is a highly recommended security practice that businesses and individuals should employ for their accounts, especially cloud-based ones. It does not, however, protect logins that arrive over legacy protocols such as IMAP: basic authentication carries no second factor, so an attacker holding a valid password logs in as if MFA had never been enabled, and attackers deliberately target this path. Proofpoint observed most attacker logins originating from Nigerian and Chinese IP addresses, with the United States also a major source of successful attacks. Between September 2018 and February 2019 the volume of IMAP attacks was driven largely by "Collection #1", an 87 GB credential dump of roughly 773 million unique email addresses and their passwords that was promoted on an online hacking forum. Collection #1 was itself only a small part of a much larger 993 GB credential database on offer for just $45. With that many credentials available to potentially malicious actors, and a normally strong control such as MFA offering no defense on the legacy-protocol path, successful account takeovers and the internal phishing that follows them are close to inevitable for organizations that leave these protocols enabled.
What is the exposure or risk?
Phishing is an efficient attack vector for harming businesses and individuals, and the chain documented in this report shows threat actors becoming steadily more refined: they combine a large credential dump with password spraying over a protocol that MFA cannot protect, then use the accounts they gain to phish colleagues from a trusted internal address. The result can be confidential data theft, total compromise of cloud application accounts, and much more collateral damage.
What can you do?
Organizations should implement layered security controls rather than relying on MFA alone. The most direct mitigation for this threat is to stop accepting basic-authentication protocols where they are not needed: disable IMAP (and POP3 and SMTP AUTH) for mailboxes that do not require them, or block legacy authentication with conditional access policies so that only MFA-capable modern authentication can reach the tenant; in Exchange Online, for example, IMAP can be turned off per mailbox with Set-CASMailbox -ImapEnabled $false. Monitor sign-in logs for logins over legacy protocols and for the password-spray signature (one source address failing against many different accounts in a short period), and force a password reset on any account that shows a successful legacy-protocol login from such a source. Educating users and raising their awareness of cyber-security practices remains strongly advised. Because this threat ends in phishing from compromised internal accounts, users should be wary of suspicious attachments and links regardless of whether a message originates internally or not.
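As an added example (not code from Proofpoint or from this bulletin), the following Python script implements the password-spray check described above over a small set of constructed sign-in log lines. The log format is an assumed, simplified one (timestamp, user, source IP, client application, result), not a real Office 365 or G Suite export, and the window and threshold values are illustrative. It flags source addresses that fail against many distinct accounts over a legacy protocol within a short window, then lists successful legacy-protocol logins from those addresses as likely account takeovers.

```python
"""Password-spray and legacy-auth takeover detection over sign-in logs.

Added example. The log lines and their field layout are constructed for this
bulletin (assumed: timestamp,user,source_ip,client_app,result); real Office 365
or G Suite exports use different field names and must be mapped first.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Client applications that can only do basic authentication and therefore never
# trigger an MFA prompt. The labels are assumed, not a vendor's exact values.
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "SMTP AUTH"}

# Constructed sample: one IP sprays six accounts over IMAP and then lands a
# successful login; one user fails then succeeds normally in a browser; a third
# IP makes only two IMAP failures, below the spray threshold.
SAMPLE_LOG = """\
2019-02-11T08:00:01Z,alice@example.com,198.51.100.7,IMAP4,FAILURE
2019-02-11T08:00:04Z,bob@example.com,198.51.100.7,IMAP4,FAILURE
2019-02-11T08:00:09Z,carol@example.com,198.51.100.7,IMAP4,FAILURE
2019-02-11T08:00:13Z,dave@example.com,198.51.100.7,IMAP4,FAILURE
2019-02-11T08:00:20Z,erin@example.com,198.51.100.7,IMAP4,FAILURE
2019-02-11T08:00:27Z,frank@example.com,198.51.100.7,IMAP4,FAILURE
2019-02-11T08:05:41Z,frank@example.com,198.51.100.7,IMAP4,SUCCESS
2019-02-11T08:02:00Z,alice@example.com,203.0.113.5,Browser,FAILURE
2019-02-11T08:02:30Z,alice@example.com,203.0.113.5,Browser,SUCCESS
2019-02-11T08:03:00Z,grace@example.com,192.0.2.9,IMAP4,FAILURE
2019-02-11T08:03:30Z,heidi@example.com,192.0.2.9,IMAP4,FAILURE
"""


def parse_events(text):
    """Parse comma-separated sign-in lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, ip, app, result = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user.lower(),
            "ip": ip,
            "app": app,
            "result": result.upper(),
        })
    return events


def find_sprays(events, window=timedelta(minutes=30), min_accounts=5):
    """Return {source_ip: [targeted accounts]} for IPs showing a spray pattern.

    A spray, unlike classic brute force, spreads a few passwords across many
    accounts, so the signature is one IP failing against at least min_accounts
    distinct users over a legacy protocol inside a sliding time window.
    """
    failures = defaultdict(list)
    for e in events:
        if e["app"] in LEGACY_PROTOCOLS and e["result"] == "FAILURE":
            failures[e["ip"]].append(e)

    sprays = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda x: x["ts"])
        for i, first in enumerate(fails):
            in_window = {f["user"] for f in fails[i:] if f["ts"] - first["ts"] <= window}
            if len(in_window) >= min_accounts:
                # Report every account the IP touched, not just the triggering window.
                sprays[ip] = sorted({f["user"] for f in fails})
                break
    return sprays


def find_compromises(events, sprays):
    """Successful legacy-protocol logins from a spraying IP: treat as account takeover."""
    hits = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["ip"] in sprays and e["app"] in LEGACY_PROTOCOLS and e["result"] == "SUCCESS":
            hits.append({"user": e["user"], "ip": e["ip"], "ts": e["ts"].isoformat()})
    return hits


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    found = find_sprays(evts)
    for ip, accounts in found.items():
        print(f"spray from {ip}: {len(accounts)} accounts targeted over legacy auth")
    for hit in find_compromises(evts, found):
        print(f"likely takeover: {hit['user']} via {hit['ip']} at {hit['ts']} -> reset password")
```

The distinct-account count per source address is what separates a spray from ordinary failed logins: the browser failure from 203.0.113.5 is a single user mistyping a password and is ignored, and the two IMAP failures from 192.0.2.9 stay below the threshold. Any successful legacy-protocol login from an address that has already been flagged is the takeover the bulletin describes, and the matching account should have its password reset and its recent sent mail reviewed for internal phishing.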
References:
For more in-depth information about the threat and the recommendations, please visit the following links:
- https://www.proofpoint.com/us/threat-insight/post/threat-actors-leverage-credential-dumps-phishing-and-legacy-email-protocols
- https://www.securityweek.com/hackers-bypass-mfa-cloud-accounts-imap-protocol
- https://www.bleepingcomputer.com/news/security/multi-factor-auth-bypassed-in-office-365-and-g-suite-imap-attacks/
If you have any questions, please contact our Secure Intelligence Center.