As cloud-based services become key to many business activities, hackers are shifting their focus.
As Microsoft’s Office 365 usage grows – including services such as Exchange, Teams, SharePoint, OneDrive and more – the sheer amount of data stored in the cloud appears to be a tempting target for some of the world’s most advanced hacking operations, according to cybersecurity researchers at FireEye Mandiant.
“The amount of data in Office 365 is just huge, and attackers are clearly interested in data. But they now also have access to that data from virtually anywhere in the world,” Doug Bienstock, chief counsel at Mandiant, told ZDNet ahead of the investigation being presented at the virtual security conference Black Hat USA.
It often doesn’t cost hackers much to compromise the networks of organizations they target; it is possible to retrieve lists of employee email addresses from a company, and attackers will try to use brute-force attacks to crack common or weak passwords. It doesn’t even have to be a spear-phishing attack. However, some attacks are significantly more sophisticated.
“The attacker takes those valid login credentials, logs into the VPN, and they move across the network with the intention of escalating their privileges to a global administrator account for Office 365,” Josh Madeley, chief counsel at Mandiant and co-author of the presentation, told ZDNet.
It is believed that a significant majority of – if not all – state-backed advanced persistent threat (APT) groups are interested in deploying these types of attacks, but one that certainly has is APT35, a hacking operation operating from Iran, which Madeley described as “notorious” for abusing cloud services to gain access to the sensitive information it wants to see.
“They get access to your Office 365 environment, and then use the security tools to search the contents of every mailbox, every Teams chat, every SharePoint document,” he explains.
From there, APT35 searches for credentials that give them access to other departments, even other companies, and wherever they can extract sensitive information.
The hackers are not trying to exploit a weakness in Office 365 itself; it is an attractive target simply because it has become a core part of a company’s IT infrastructure. But the way businesses and users secure Office 365 can be improved to protect against these types of attacks. The first step organizations can take to prevent attacks is to ensure that no ordinary, easy-to-guess passwords are used.
Organizations also need to ensure that multi-factor authentication is applied to as many employee accounts as possible, so that if a password is stolen or otherwise compromised, there’s an additional layer of defense to stop attacks.
“The two most important things we recommend are turning on multi-factor and doing it intelligently with as few exceptions as possible. So everyone in the organization and every application needs to apply multi-factor – and think how often you want to do that,” Bienstock said.
It is also recommended that organizations take the time to understand the activity on their network so that it is possible to detect and stop suspicious activity before it can cause significant damage.
“Office 365 provides good security by default, but if you want to protect against APTs, you need to take some time and effort to understand the logs and build robust monitoring so you can see that something is happening when it shouldn’t, so you can cut them off,” he said.
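As an illustration of the monitoring recommended above, the following added example (not code from Mandiant or the presentation) flags the password-guessing pattern described earlier, where one source tries weak passwords against a list of employee addresses. The record schema, addresses and thresholds are constructed assumptions, not the Office 365 log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records: (timestamp, source_ip, account, succeeded).
# The schema is hypothetical, not the Office 365 log format.
def _ev(minute, ip, account, ok=False):
    return (datetime(2020, 8, 1, 9, 0) + timedelta(minutes=minute), ip, account, ok)

SAMPLE = (
    # One source walks an address list, one guess per account.
    [_ev(i, "203.0.113.7", f"user{i}@example.com") for i in range(8)]
    + [_ev(9, "203.0.113.7", "user3@example.com", ok=True)]   # a guess lands
    # One user mistyping their own password: many failures, one account.
    + [_ev(i, "198.51.100.20", "alice@example.com") for i in range(6)]
    + [_ev(7, "198.51.100.20", "alice@example.com", ok=True)]
)

def detect_spray(events, window=timedelta(minutes=30), min_accounts=5):
    """Flag sources whose failed sign-ins span many distinct accounts
    inside one time window, and list accounts that then succeeded."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in sorted(events):
        by_ip[ip].append((ts, account, ok))

    findings = {}
    for ip, rows in by_ip.items():
        failures = [(ts, acct) for ts, acct, ok in rows if not ok]
        start, peak, first_hit = 0, set(), None
        for end, (ts, _) in enumerate(failures):
            while ts - failures[start][0] > window:
                start += 1          # slide the window forward
            targeted = {acct for _, acct in failures[start:end + 1]}
            if len(targeted) >= min_accounts and first_hit is None:
                first_hit = ts
            if len(targeted) > len(peak):
                peak = targeted
        if first_hit is None:
            continue
        # A success from the flagged source after the threshold was crossed
        # is the event to triage first: that password should be reset.
        landed = sorted({a for ts, a, ok in rows if ok and ts >= first_hit})
        findings[ip] = {"accounts_targeted": len(peak), "succeeded": landed}
    return findings

if __name__ == "__main__":
    for ip, info in detect_spray(SAMPLE).items():
        print(ip, info)
```

Counting distinct accounts per source, rather than raw failures, is what separates the address-list pattern from a single user repeatedly mistyping a password.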