Cyber Bulletin – October 2022
“Side door” infiltration through users replicating their credentials on external websites.
This bulletin uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 11. See the ATT&CK for Enterprise framework for all referenced threat actor techniques, mitigations, and detections.
The Macquarie Government Security Operations Centre has identified an increase in attacks that reuse agency domain credentials harvested from external websites.
Government employees and contractors may use these sites for legitimate work (e.g. to order stationery) but inadvertently create a vulnerability by registering with their agency domain email address and the same password they use for that account.
These systems typically do not have the same level of cybersecurity protection or IAM integration as an agency's internal and official cloud platforms, which makes them an easier target for attackers: compromising one yields victim identity information, including credentials that are valid on the agency domain [T1589.001].
Once they hold those credentials, threat actors use the stolen domain account to sign in to agency platforms [T1078.002]. If multi-factor authentication is enabled, they attempt to defeat it through "MFA fatigue", also called "push spamming": repeatedly triggering sign-ins so the user receives a stream of push notifications, in the hope that the user approves one by accident or simply to make the prompts stop [T1621].
To reduce the risk of this attack, Macquarie Government recommends agencies consider the following:
- Train users on password hygiene for external websites: agency domain credentials must never be reused to register on third-party sites [M1017].
- Deploy a cloud access security broker (CASB) that includes a reputation filter and can be configured to alert when a cloud app behaves suspiciously [DS0002]. Macquarie Government provides CASB as part of our Security Services Edge service.
- Monitor for MFA "spamming": a burst of Azure AD sign-in log entries with result code 50074 ("strong authentication is required", logged for each sign-in that stopped at the MFA prompt) for one account in a short period, particularly a burst followed by a successful sign-in [DS0015].
- Rate-limit MFA push notifications: cap the number of pushes a user can receive in a short period and, where the MFA provider supports it, require number matching so a push cannot be approved without seeing the sign-in that generated it [M1032].
- Subscribe to notifications of leaked credentials from data breaches and of suspicious social media activity linked to your agency [DS0021]. Macquarie Government conducts searches for compromised customer credentials as part of our Threat Intelligence Services.
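The monitoring recommendation above (a burst of result code 50074 for one account, and whether a successful sign-in followed it) can be expressed as a detection over the sign-in log. The Python below is an added example written for this bulletin, not a Macquarie Government tool or Microsoft code. It runs over constructed, cut-down Azure AD sign-in records that keep only the createdDateTime, userPrincipalName, ipAddress and status.errorCode fields; the account names and IP addresses are made up, and the thresholds (five prompts in ten minutes, a 30-minute window for the follow-on success) are assumed tuning values, not figures from the bulletin.

```python
"""Flag MFA push-spam ("MFA fatigue") bursts in Azure AD sign-in log records.

Added example. Result code 50074 (AADSTS50074, "strong authentication is
required") is logged for each sign-in that stopped at the MFA prompt, i.e.
for each push sent to the user. A burst of them for one account is the
push-spam pattern; a success (code 0) shortly after the burst means one of
the pushes was approved.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MFA_REQUIRED = 50074  # sign-in stopped at the MFA prompt (one push sent)
SUCCESS = 0           # sign-in completed


def rec(ts, user, ip, code):
    """Build a cut-down sign-in log record with only the fields the rule needs."""
    return {"createdDateTime": ts, "userPrincipalName": user,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample records (not real log data); times are UTC, order is deliberately mixed.
ATTACKER_IP = "203.0.113.45"
SAMPLE_SIGNIN_LOG = [
    rec("2022-10-03T03:02:00Z", "carol@agency.gov.au", ATTACKER_IP, 50074),   # out of order
    rec("2022-10-03T02:10:00Z", "alice@agency.gov.au", ATTACKER_IP, 50074),   # alice: 8 pushes
    rec("2022-10-03T02:10:40Z", "alice@agency.gov.au", ATTACKER_IP, 50074),   # in 5 minutes,
    rec("2022-10-03T02:11:20Z", "alice@agency.gov.au", ATTACKER_IP, 50074),   # then approves
    rec("2022-10-03T02:12:05Z", "alice@agency.gov.au", ATTACKER_IP, 50074),
    rec("2022-10-03T02:12:50Z", "alice@agency.gov.au", ATTACKER_IP, 50074),
    rec("2022-10-03T02:13:30Z", "alice@agency.gov.au", ATTACKER_IP, 50074),
    rec("2022-10-03T02:14:10Z", "alice@agency.gov.au", ATTACKER_IP, 50074),
    rec("2022-10-03T02:15:00Z", "alice@agency.gov.au", ATTACKER_IP, 50074),
    rec("2022-10-03T02:16:30Z", "alice@agency.gov.au", ATTACKER_IP, 0),
    rec("2022-10-03T03:00:00Z", "carol@agency.gov.au", ATTACKER_IP, 50074),   # carol: 6 pushes,
    rec("2022-10-03T03:01:00Z", "carol@agency.gov.au", ATTACKER_IP, 50074),   # never approved
    rec("2022-10-03T03:03:00Z", "carol@agency.gov.au", ATTACKER_IP, 50074),
    rec("2022-10-03T03:04:00Z", "carol@agency.gov.au", ATTACKER_IP, 50074),
    rec("2022-10-03T03:05:00Z", "carol@agency.gov.au", ATTACKER_IP, 50074),
    rec("2022-10-04T09:00:00Z", "carol@agency.gov.au", "198.51.100.7", 50074),  # normal sign-in
    rec("2022-10-04T09:00:20Z", "carol@agency.gov.au", "198.51.100.7", 0),      # next day
    rec("2022-10-03T08:00:00Z", "bob@agency.gov.au", "198.51.100.7", 50074),    # bob: benign
    rec("2022-10-03T08:00:30Z", "bob@agency.gov.au", "198.51.100.7", 0),
]


def parse_time(ts):
    """Sign-in log timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_mfa_spam(records, threshold=5, window=timedelta(minutes=10),
                  approval_grace=timedelta(minutes=30)):
    """Return one alert per burst of >= threshold MFA prompts for one account within window.

    threshold, window and approval_grace are assumed tuning values. Each alert records the
    account, burst boundaries, prompt count, source IPs, and the time of a successful
    sign-in within approval_grace of the last prompt (the user approved a push), if any.
    """
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["createdDateTime"]):  # ISO strings sort by time
        by_user[r["userPrincipalName"]].append(r)

    alerts = []
    for user, recs in by_user.items():
        pending = deque()   # (time, ip) of prompts inside the sliding window
        alert = None        # burst currently being extended, if any
        for r in recs:
            t, ip, code = parse_time(r["createdDateTime"]), r["ipAddress"], r["status"]["errorCode"]
            if code == MFA_REQUIRED:
                if alert is not None and t - alert["last"] > window:
                    alert = None            # burst went quiet; a later one is a new alert
                pending.append((t, ip))
                while t - pending[0][0] > window:
                    pending.popleft()       # drop prompts that fell out of the window
                if alert is not None:
                    alert["count"] += 1
                    alert["last"] = t
                    alert["source_ips"].add(ip)
                elif len(pending) >= threshold:
                    alert = {"user": user, "first": pending[0][0], "last": t,
                             "count": len(pending),
                             "source_ips": {p_ip for _, p_ip in pending},
                             "approved_at": None}
                    alerts.append(alert)
            elif code == SUCCESS:
                if alert is not None and t - alert["last"] <= approval_grace:
                    alert["approved_at"] = t   # a push from the burst was accepted
                alert = None                   # a completed sign-in resets the count
                pending.clear()
    alerts.sort(key=lambda a: a["first"])
    return alerts


def describe(alert):
    """One-line analyst summary of an alert."""
    verdict = ("APPROVED at " + alert["approved_at"].strftime("%H:%M:%S")
               if alert["approved_at"] else "not approved")
    return "%s: %d MFA prompts %s-%s from %s; %s" % (
        alert["user"], alert["count"], alert["first"].strftime("%H:%M:%S"),
        alert["last"].strftime("%H:%M:%S"), ", ".join(sorted(alert["source_ips"])), verdict)


if __name__ == "__main__":
    for a in find_mfa_spam(SAMPLE_SIGNIN_LOG):
        print(describe(a))
```

On the constructed sample the rule raises two alerts: alice's burst ends in an approved push (the case that needs an immediate response: revoke sessions and reset the credential), carol's does not, and bob's single prompt before a normal sign-in is ignored. Tune the threshold against the legitimate prompt rate in your own tenant before relying on it; the same logic can be expressed as a scheduled query over the sign-in log table in a SIEM.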