The COVID-19 pandemic has pushed companies to adapt to new government-mandated restrictions on workforce movement around the world. The immediate response has been a rapid adoption and integration of cloud services, particularly cloud-based tools such as Microsoft Office 365 and Slack, and video conferencing platforms like Zoom.
A new report by security firm McAfee shows that hackers are responding to this mass migration to these platforms with an increased focus on abusing cloud account credentials.
After analyzing cloud usage data collected between January and April from over 30 million enterprise users of its MVISION cloud security monitoring platform, the company estimates a 50% growth in adoption of cloud services across all industries.
Some industries, however, saw a much bigger spike: for example, manufacturing with 144% and education with 114%.
The use rate of certain collaboration and videoconferencing tools has been particularly high. Cisco Webex usage has increased by 600%, Zoom by 350%, Microsoft Teams by 300% and Slack by 200%. Again, manufacturing and education ranked at the top.
While this rise in the adoption of cloud services is understandable and, some would argue, a good thing for productivity in light of the forced work-from-home situation, it has also introduced security risks. McAfee’s data shows that traffic from unmanaged devices to enterprise cloud accounts doubled.
“There’s no way to recover sensitive data from an unmanaged device, so this increased access could result in data loss events if security teams aren’t controlling cloud access by device type,” states McAfee.
Cloud threats increase
CSO writes that attackers have taken notice of this rapid adoption of cloud services and are trying to exploit the situation. McAfee reports that the number of external threats targeting cloud services increased by 630% over the same period, with the greatest concentration on collaboration platforms.
In the report, McAfee split suspicious login attempts and access into two categories: excessive usage from anomalous locations and suspicious superhuman. Both have seen a similar surge and growth pattern over the time period analyzed.
The excessive usage from anomalous locations category covers successful logins from locations that are unusual given the organization’s profile, followed by the user accessing large quantities of data or performing a high number of privileged tasks.
The suspicious superhuman category covers logins by the same user from two geographically distant locations over a short period of time: for example, the same user logs into one service from one country and then, minutes later, accesses a service using an IP address from a different country.
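The "suspicious superhuman" check described above can be expressed as a speed test between consecutive logins by the same user. The following Python code is an added example, not McAfee's implementation; the 900 km/h threshold, the 500 km minimum distance, the field names and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900.0  # assumed threshold: roughly airliner cruising speed

@dataclass
class Login:
    user: str
    ts: datetime
    lat: float   # latitude/longitude as resolved from the source IP (geo-IP lookup assumed)
    lon: float
    country: str

def haversine_km(a, b):
    """Great-circle distance in km between the locations of two logins."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def superhuman_logins(events, max_kmh=MAX_KMH, min_km=500.0):
    """Return (previous, current, implied_kmh) for consecutive logins by the
    same user that would require travelling faster than max_kmh."""
    alerts, last = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last.get(ev.user)
        last[ev.user] = ev
        if prev is None:
            continue
        km = haversine_km(prev, ev)
        if km < min_km:  # ignore geo-IP jitter and nearby cities
            continue
        hours = (ev.ts - prev.ts).total_seconds() / 3600
        speed = float("inf") if hours == 0 else km / hours
        if speed > max_kmh:
            alerts.append((prev, ev, speed))
    return alerts

# Constructed sample events (not taken from the McAfee report)
SAMPLE = [
    Login("alice", datetime(2020, 4, 1, 9, 0), 51.51, -0.13, "GB"),
    Login("alice", datetime(2020, 4, 1, 9, 7), 13.75, 100.50, "TH"),  # 7 minutes later
    Login("bob", datetime(2020, 4, 1, 9, 0), 40.71, -74.01, "US"),
    Login("bob", datetime(2020, 4, 2, 10, 0), 48.86, 2.35, "FR"),     # next day: plausible flight
    Login("carol", datetime(2020, 4, 1, 9, 0), 52.52, 13.40, "DE"),
    Login("carol", datetime(2020, 4, 1, 9, 5), 52.40, 13.07, "DE"),   # nearby, below min_km
]

if __name__ == "__main__":
    for prev, cur, kmh in superhuman_logins(SAMPLE):
        print(f"{cur.user}: {prev.country} -> {cur.country} at {kmh:,.0f} km/h")
```

Corporate VPN egress points and mobile carrier gateways can place a legitimate user in two distant locations within minutes, so known egress IP ranges should be excluded before events reach a check like this.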
The top ten sources for external attacks against enterprise cloud accounts by IP address location have been Thailand, USA, China, India, Brazil, Russia, Laos, Mexico, New Caledonia and Vietnam.
“Many of these attacks are likely opportunistic, essentially ‘spraying’ cloud accounts with access attempts using stolen credentials,” the McAfee researchers said. “However, several prominent industries are often targeted by external threat actors–in particular, financial services. These targeted attacks are often found to have a source in either China, Iran or Russia.”
Credential Stuffing attacks on the rise
The frequency of credential stuffing attacks, where criminals use lists of leaked or stolen username and password combinations to gain access to accounts, has grown significantly in recent years. The credentials used often come from third-party data breaches, and the attackers attempt to exploit the bad but still common practice of password reuse.
In a report released this year, security and content delivery company Akamai revealed that it observed 85.4 billion credential abuse attacks against organizations worldwide between December 2017 and November 2019. Of those, 473 million attacks targeted the financial sector.
Edited by Luis Monzon