Office 365, G Suite Cloud Accounts Hacked Using IMAP Protocol
Hackers are now using the IMAP protocol to break into Office 365 and G Suite cloud accounts, bypassing multi-factor authentication, and these kinds of attacks are difficult to protect against, according to a recent research study.
A six-month study by researchers at security firm Proofpoint reveals this and other findings. The team observed massive attacks that leveraged legacy protocols and credential dumps and thus executed brute force attacks with greater speed and effectiveness.
A blog post dated March 14, 2019, by the Proofpoint Information Protection Research Team explains the findings in detail. The post says, “In a recent six-month study of major cloud service tenants, Proofpoint researchers observed massive attacks leveraging legacy protocols and credential dumps to increase the speed and effectiveness of brute force account compromises at scale. Attacks against Office 365 and G Suite cloud accounts using IMAP are difficult to protect against with multi-factor authentication, where service accounts and shared mailboxes are notably vulnerable.”
The research team also found that intelligent brute force attacks, which employ common variations of the usernames and passwords exposed in large credential dumps, have given traditional password spraying a new approach. There are also many sophisticated phishing scams that trick people into revealing authentication credentials, which give hackers additional avenues to access corporate accounts.
The researchers, who analyzed more than one hundred thousand unauthorized logins across millions of cloud user accounts, made some notable findings. They found that 72 percent of tenants were targeted at least once by hackers and that 40 percent had at least one compromised account in their environment. They found that more than 2 percent of active user accounts were targeted by threat actors and that 15 out of every 10,000 active user accounts were successfully breached.
The hackers' primary aim is mostly to establish a foothold within an organization's network via internal phishing and internal BEC. Such attacks are harder to detect than external phishing attempts. Moreover, the hackers also leverage these trusted user accounts or brands to launch external attacks, and they use the compromised infrastructure for broader attack campaigns.
The Proofpoint researchers found that the largest share of successful logins (almost 40% of all successful breaches) originated from Nigerian IP addresses. Chinese IP addresses came next, with 26 percent of successful breaches, while the other major sources of successful breaches were the U.S., Brazil and South Africa. The analysis also found that successful brute force and phishing-related attacks involving Nigerian IP addresses increased by 65% between November 2018 and January 2019. These attacks did not always involve Nigerian hackers, but recent activity and arrests show that cybercrime is widespread in the region.
The Proofpoint study showed that IMAP was the most abused protocol. Because these attacks avoid account lockout and look like isolated failed login attempts, they go unnoticed. The team found that almost 60% of Office 365 and G Suite tenants were targeted with IMAP-based password-spraying attacks, and almost 25 percent of Office 365 and G Suite tenants experienced successful breaches. Moreover, when it came to breaching an account at a targeted organization, hackers achieved a 44 percent success rate.
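The point above is that a spray spreads one or two guesses across many accounts, so per-account lockout never fires and each failure looks isolated. The following detection logic, added here as an example and not part of the Proofpoint research or any vendor product, pivots on the source IP instead and flags legacy-protocol failures against many distinct accounts; the log records and the protocol names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Protocols that cannot carry an MFA challenge. The labels are assumptions for
# this example; map them to whatever your sign-in log uses for IMAP/POP/SMTP.
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "Authenticated SMTP"}

# Constructed sign-in records, not real telemetry:
# (timestamp, user, client protocol, source IP, result).
# 203.0.113.7 tries one password against five accounts and then gets into a
# shared mailbox; 198.51.100.9 is a user mistyping a browser password twice.
SAMPLE_EVENTS = [
    ("2019-01-10T08:00:01", "alice@example.com", "IMAP4", "203.0.113.7", "failure"),
    ("2019-01-10T08:00:09", "bob@example.com", "IMAP4", "203.0.113.7", "failure"),
    ("2019-01-10T08:00:17", "carol@example.com", "IMAP4", "203.0.113.7", "failure"),
    ("2019-01-10T08:00:26", "dave@example.com", "IMAP4", "203.0.113.7", "failure"),
    ("2019-01-10T08:00:34", "erin@example.com", "IMAP4", "203.0.113.7", "failure"),
    ("2019-01-10T08:00:41", "shared-mailbox@example.com", "IMAP4", "203.0.113.7", "success"),
    ("2019-01-10T08:05:00", "frank@example.com", "Browser", "198.51.100.9", "failure"),
    ("2019-01-10T08:05:20", "frank@example.com", "Browser", "198.51.100.9", "failure"),
    ("2019-01-10T08:05:45", "frank@example.com", "Browser", "198.51.100.9", "success"),
]


def detect_legacy_spray(events, window=timedelta(minutes=30), min_accounts=5):
    """Return {source_ip: {"accounts": n, "compromised": [users]}} for every IP
    whose legacy-protocol logins failed against >= min_accounts distinct users
    inside `window`. Any legacy success from the same IP in that window is
    listed as a likely compromised account. Each account sees only one failure,
    so a per-account lockout threshold would never trigger here."""
    by_ip = defaultdict(list)
    for ts, user, proto, ip, result in events:
        if proto in LEGACY_PROTOCOLS:
            by_ip[ip].append((datetime.fromisoformat(ts), user, result))

    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort()
        for i, (start, _, _) in enumerate(recs):
            in_window = [r for r in recs[i:] if r[0] <= start + window]
            failed = {u for _, u, res in in_window if res == "failure"}
            if len(failed) >= min_accounts:
                hits = sorted(u for _, u, res in in_window if res == "success")
                prev = alerts.get(ip)
                if prev is None or len(failed) > prev["accounts"]:
                    alerts[ip] = {"accounts": len(failed), "compromised": hits}
    return alerts


if __name__ == "__main__":
    print(detect_legacy_spray(SAMPLE_EVENTS))
```

Raising `min_accounts` or shrinking `window` trades sensitivity for noise; the browser failures from a single user never qualify because the pivot requires distinct accounts on a legacy protocol.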
The study by Proofpoint also found that IMAP-based password-spraying attacks, especially those targeting high-value users (like executives and their administrative assistants), appeared in high volumes between September 2018 and February 2019. Hackers targeted, on average, 10 percent of active user accounts in targeted tenants, and 1 percent of the targeted user accounts ended up being successfully breached.
The Proofpoint blog post says, “Attackers utilized thousands of hijacked network devices around the world — primarily vulnerable routers and servers — as operational attack platforms. These hijacked devices gained access to a new tenant every 2.5 days on average during a 50-day period.”
“Most IMAP-based attacks originated in China, representing 53% of all successful malicious efforts, followed by attacks from Brazilian IP addresses (39%), and US infrastructure (31%). Note that attacks often originated from multiple geographies and, as is often the case, it is important not to assume a consistent, direct correlation between the origin of attacks and the nationality of the threat actors carrying them out,” adds the blog post by the Proofpoint team.
The blog post also explains how internal phishing attacks work. The hackers use compromised cloud accounts to send internal phishing email for lateral movement. They also use anonymization services, like VPNs or Tor nodes, to hide their geolocation.
Coming to the sectors that are targeted most, the Proofpoint blog post says, “Although organizations of all sectors were targeted by attackers, as with password-spraying attacks the education sector is also the most vulnerable to phishing-related attacks. 15% of successful attacks affect educational institutions’ users, especially university and high school students…Other targeted industries include retail, finance, and technology.”
“In certain cases, attackers target corporations’ payroll systems to reroute employee paychecks and access financial documents. Consistently, title-holders such as sales representatives, general managers, commercial franchisees, project managers, and account executives are targeted and are highly susceptible to phishing-related breaches,” the blog post further adds.
Julia Sowells
Julia Sowells has been a technology and security professional for a decade. In that time she has worked on dozens of large-scale enterprise security projects, written technical articles, and served as a technical editor for Rural Press Magazine. She now lives and works in New York, where she runs her own consulting firm as a security consultant while continuing to write for Hacker Combat in her limited spare time.