Forgotten Office 365 accounts targeted by stealthy attack campaign

Crooks are targeting admin and systems accounts — often automated and ignored, not protected by two-factor authentication and secured with poor passwords — to gain access to corporate Office 365 email accounts for phishing, data-theft, and more.
Dubbed KnockKnock because attackers are attempting to knock on backdoor system accounts to infiltrate Office 365 environments, the attacks have been ongoing since May and have targeted organisations in manufacturing, financial services, healthcare, consumer products, and the US public sector.

By targeting systems accounts which may not be actively used on a regular basis rather than those of individual users, the attackers hope to fly under the radar. These accounts are often Exchange Online accounts, which by Microsoft’s own definition fall into the category of Office 365 accounts.
The attackers also attempt to lay low by only targeting a small number of accounts, which they attempt to breach three to five times in order to avoid detection by security software before moving on to attack another organisation.
Uncovered by researchers at Skyhigh Networks, the KnockKnock botnet is also relatively small, distributed by just 83 IP addresses across 63 networks.
The targeted administrative accounts are commonly used to integrate corporate email systems with marketing and sales automation software. What makes those appealing to attackers is the fact that these systems accounts tend to have higher access and privileges than an average account.
And given they’re usually automated, it’s much less likely they will feature two-factor authentication and can even be subject to poor passwords, given the account will likely need to be shared within the corporate environment. Ultimately, KnockKnock looks to exploit both of these factors in an effort to breach the target network.
Once KnockKnock gains access to an enterprise system account — the attackers simply attempt to guess the password, which for these accounts, often isn’t complex — the attack is designed to exfiltrate any data in the inbox deemed to be of value.
It also creates a new inbox rule to hide and divert incoming messages. It will then use phishing attacks to propagate the infection around an infected enterprise using the now-hacked systems inbox.
Researchers say that the slow-moving and stealthy nature of the attack means it can go on for some time before being noticed.
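The probing pattern described above (a handful of guesses per account from several source IPs, then a rule that hides or diverts mail once a password is found) is something a defender can look for in sign-in and mailbox audit data. The following Python is an added example, not code from the article or from Skyhigh Networks; the event records, account names, IP addresses and rule actions are constructed, and the thresholds, folder names and internal domain are assumptions.

```python
from collections import defaultdict
# Constructed sample sign-in events (not real telemetry): (account, source IP, success, UTC time).
SIGNINS = [
    ("svc-marketing@example.com", "203.0.113.5",  False, "2017-09-01T02:10:00"),
    ("svc-marketing@example.com", "203.0.113.9",  False, "2017-09-01T02:40:00"),
    ("svc-marketing@example.com", "198.51.100.7", False, "2017-09-01T03:15:00"),
    ("svc-marketing@example.com", "198.51.100.7", True,  "2017-09-01T03:16:00"),
    ("svc-crm@example.com",       "203.0.113.5",  False, "2017-09-01T04:00:00"),
    ("svc-crm@example.com",       "198.51.100.8", False, "2017-09-01T05:30:00"),
    ("alice@example.com",         "192.0.2.10",   False, "2017-09-01T09:00:00"),  # a user's own typo
    ("alice@example.com",         "192.0.2.10",   True,  "2017-09-01T09:00:30"),
]

def low_and_slow_accounts(events, max_failures=5, min_ips=2):
    """Accounts probed only a few times (below a typical lockout threshold) from several IPs."""
    fails, ips = defaultdict(int), defaultdict(set)
    for user, ip, ok, _ in events:
        if not ok:
            fails[user] += 1
            ips[user].add(ip)
    return sorted(u for u in fails if fails[u] <= max_failures and len(ips[u]) >= min_ips)

def guessed_logins(events, **kw):
    """Probed accounts that later signed in successfully from one of the probing IPs."""
    probed = set(low_and_slow_accounts(events, **kw))
    failed_from, hits = defaultdict(set), []
    for user, ip, ok, _ in sorted(events, key=lambda e: e[3]):  # replay in time order
        if not ok:
            failed_from[user].add(ip)
        elif user in probed and ip in failed_from[user]:
            hits.append((user, ip))
    return hits

# Constructed inbox rules (hypothetical): (account, rule name, action, target folder or address).
RULES = [
    ("svc-marketing@example.com", "rule1", "MoveToFolder", "RSS Feeds"),
    ("svc-marketing@example.com", "rule2", "ForwardTo", "collector@attacker.example"),
    ("alice@example.com", "Newsletters", "MoveToFolder", "Reading"),
]
HIDE_FOLDERS = {"rss feeds", "junk email", "deleted items"}  # assumed folders used to bury mail

def hide_or_divert_rules(rules, internal_domain="example.com"):
    """Rules that bury incoming mail out of sight or send it outside the tenant."""
    flagged = []
    for user, name, action, target in rules:
        if action == "DeleteMessage" or (action == "MoveToFolder" and target.lower() in HIDE_FOLDERS):
            flagged.append((user, name, "hides mail"))
        elif action in ("ForwardTo", "RedirectTo") and not target.lower().endswith("@" + internal_domain):
            flagged.append((user, name, "diverts mail externally"))
    return flagged
```

Per-account failure counts alone stay under most alerting thresholds, which is why the second check aggregates across accounts and source IPs before looking at the successful login.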
KnockKnock is still ongoing, although the number of attacks has dropped since June and August. While researchers haven’t been able to identify the threat actor behind the campaign — the IP addresses of the hacked devices used to run it don’t appear on any lists of known botnets or bad actor IP addresses — they note that around 90 percent of login attempts come from China.
However, attackers could easily change or re-route IP addresses in order to cover their tracks, so it’s impossible to say for certain that the attacks originated from China.
ZDNet contacted Microsoft for comment, but at the time of publication hadn’t received a reply.
Researchers have named the attack technique ‘KnockKnock’ after how it knocks on the backdoor of systems.