Introduction
When we introduced the first true MDR for the cloud in 2022, it changed how we approach cloud security. After more than a year of operating it, our Security Operations Center (SOC) team kept running into the same five attack patterns, most of them aimed at cloud identities and mailboxes:
- MFA gaps and MFA bypass tactics
- Malicious inbox rules: hiding mail in the RSS folder and forwarding it externally
- Conditional Access geoblocking bypass via proxy or VPN logins
- Exploitation of legacy authentication methods
- Logins from suspicious user agents
Continue reading for a closer look at each of these tactics; for in-depth mitigation steps, check out our accompanying eBook. Cloud security threats are persistent, and threat actors both innovate and keep reusing techniques that reliably work. Heighten your awareness now!
1. The Lack of MFA and MFA Bypass
Multifactor authentication (MFA) adds a step after the traditional username and password prompt: the user must present a second proof of identity, something they know (e.g., a security question), something they are (e.g., a fingerprint), or something they have (e.g., a hardware key or an authenticator app).
Without MFA, a single stolen or guessed password is enough, so accounts fall to brute force, password spraying, phishing, and credential stuffing. Even with MFA, accounts are still lost to stolen session tokens (an adversary-in-the-middle phishing page proxies the real login, lets the victim complete MFA, and captures the session cookie issued afterwards), push-notification fatigue (the attacker keeps re-sending prompts until the user approves one), and social engineering of the user or the help desk. Phishing-resistant methods such as FIDO2 security keys and passkeys defeat the first two; SMS, voice, and simple push approvals do not. Regardless, it is better to have MFA than not.
2. RSS and External Forwarding Rules
Really Simple Syndication (RSS) feeds distribute regularly updated website content as XML, and Outlook keeps a default RSS Feeds folder (shown as RSS Subscriptions in Outlook on the web) for them that almost nobody opens. That is exactly why attackers use it: after compromising a mailbox, they create an inbox rule that moves messages containing words such as "invoice", "payment", or "password", or replies in the threads they are hijacking, into the RSS folder, often marking them as read, so the real user never sees the replies or the security notifications that would expose the intrusion. External forwarding rules serve a related purpose: an inbox rule or a mailbox-level forwarding setting automatically sends copies of incoming mail to an address outside the organization's domain, letting the attacker keep reading the victim's mail, and keep finding invoices to redirect, even after the password has been reset. Both leave traces in the mailbox's inbox rules and forwarding configuration and in the audit log entries for New-InboxRule, Set-InboxRule, and Set-Mailbox, so reviewing those for every compromised account (and periodically for the whole tenant) is a quick, high-yield check.
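As an added example (not the page's or any vendor's code), here is a Python triage pass over exported inbox rules and mailbox forwarding settings that flags the two patterns above: rules that hide or delete mail, and rules or mailbox settings that forward outside the organization. The records are constructed and mirror the property names returned by Exchange Online's Get-InboxRule and Get-Mailbox cmdlets; the tenant domain list, the hiding-folder list, and the terse-rule-name heuristic are assumptions to tune for your own environment.

```python
"""Triage Exchange Online inbox rules and mailbox forwarding for business
email compromise indicators. Added example; the data is constructed."""
import re

# Assumption: the tenant's accepted domains. Any other domain is external.
ORG_DOMAINS = {"example.com"}

# Folders users rarely open; attackers park hijacked replies and security
# notifications here so the victim never sees them.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items",
                  "junk email", "archive", "conversation history"}

# Rule names made only of a few punctuation characters (".", ",,", "_")
# are a common attacker habit; legitimate users tend to name their rules.
TERSE_NAME = re.compile(r"[\W_]{0,3}")


def is_external(address: str) -> bool:
    """True when the address's domain is not one of the tenant's domains."""
    address = address.lower()
    if address.startswith("smtp:"):          # Get-Mailbox prefixes forwarding targets
        address = address[len("smtp:"):]
    return address.rsplit("@", 1)[-1] not in ORG_DOMAINS


def triage_rule(rule: dict) -> list[str]:
    """Return the reasons an inbox rule looks malicious (empty if none)."""
    reasons = []
    if not rule.get("Enabled", True):
        return reasons
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{rule['MoveToFolder']}'")
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching mail")
    for prop in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for target in rule.get(prop) or []:
            if is_external(target):
                reasons.append(f"{prop} external address {target}")
    if TERSE_NAME.fullmatch(rule.get("Name") or ""):
        reasons.append(f"terse rule name {rule.get('Name')!r}")
    return reasons


def triage_mailbox(mailbox: dict) -> list[str]:
    """Return reasons the mailbox-level forwarding settings look suspicious."""
    reasons = []
    smtp = mailbox.get("ForwardingSmtpAddress")
    if smtp and is_external(smtp):
        reasons.append(f"mailbox forwards to external address {smtp}")
    if mailbox.get("ForwardingAddress"):
        # Points at an internal recipient object, which may itself be a mail
        # contact for an external address: review rather than auto-flag.
        reasons.append(f"mailbox forwards to recipient {mailbox['ForwardingAddress']} (verify target)")
    return reasons


def triage_all(rules, mailboxes) -> list[dict]:
    """Combine rule and mailbox findings into one list for the analyst."""
    findings = []
    for rule in rules:
        if reasons := triage_rule(rule):
            findings.append({"mailbox": rule["Mailbox"], "object": f"rule '{rule['Name']}'",
                             "reasons": reasons})
    for mb in mailboxes:
        if reasons := triage_mailbox(mb):
            findings.append({"mailbox": mb["Mailbox"], "object": "mailbox forwarding",
                             "reasons": reasons})
    return findings


# Constructed sample export (not real tenant data). example.net/.org are external.
SAMPLE_RULES = [
    {"Mailbox": "alice@example.com", "Name": "Invoices", "Enabled": True,
     "SubjectContainsWords": ["invoice"], "MoveToFolder": "Invoices"},
    {"Mailbox": "bob@example.com", "Name": ".", "Enabled": True,
     "SubjectContainsWords": ["invoice", "payment", "wire"],
     "MoveToFolder": "RSS Feeds", "MarkAsRead": True},
    {"Mailbox": "bob@example.com", "Name": "fwd", "Enabled": True,
     "ForwardTo": ["finance-ops@example.net"], "DeleteMessage": True},
    {"Mailbox": "carol@example.com", "Name": "Team", "Enabled": True,
     "RedirectTo": ["carol@example.com"]},
]
SAMPLE_MAILBOXES = [
    {"Mailbox": "alice@example.com", "ForwardingSmtpAddress": None, "ForwardingAddress": None},
    {"Mailbox": "dave@example.com", "ForwardingSmtpAddress": "smtp:d.ave@example.org",
     "DeliverToMailboxAndForward": True},
]

if __name__ == "__main__":
    for finding in triage_all(SAMPLE_RULES, SAMPLE_MAILBOXES):
        print(finding["mailbox"], finding["object"], "->", "; ".join(finding["reasons"]))
```

Run against a real export by serializing `Get-InboxRule -Mailbox <user> -IncludeHidden` and `Get-Mailbox` output to JSON and loading it in place of the sample lists. The terse-name check is a heuristic and will produce the occasional false positive; the folder and external-forwarding checks are the ones to alert on.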
3. Logins from Proxy or VPN to Bypass Conditional Access Geoblocking
Conditional Access geoblocking restricts access to cloud resources based on where a sign-in appears to come from, which in practice means the country the source IP address is registered to. Threat actors bypass it by routing the sign-in through a proxy or VPN exit node in an allowed country, so the request arrives from a permitted location and the policy passes. The sign-in log then shows the exit node's location rather than the attacker's; what it still shows is the IP address and its autonomous system, so sign-ins from hosting, VPN, or residential-proxy providers, and sign-ins that are geographically impossible relative to the user's recent activity, are the signals to look for. Treat geoblocking as a filter that removes noise, not as a control that stops a determined attacker.
4. Legacy Authentication
Legacy authentication refers to older protocols and clients (POP3, IMAP4, SMTP AUTH, Exchange ActiveSync and older Office clients using basic authentication) that carry only a username and password and cannot complete an MFA challenge or take part in Conditional Access evaluation. Because the password alone is sufficient, password spraying and credential stuffing against these endpoints succeed even for users who have MFA registered: the second factor is simply never asked for. These protocols also carry none of the context (device, location, behavior) that modern authentication supplies, so an attacker who finds a legacy endpoint still enabled gets a quiet way into the environment. Blocking legacy authentication tenant-wide, after checking the sign-in logs for anything that still legitimately depends on it, closes this gap.
5. Logins from Suspicious User Agents
A user agent is the string a browser or application sends to identify itself when connecting to a server (a browser's "Mozilla/5.0 ..." string, for example). A suspicious user agent is one that is unusual for the user or the tenant: an empty value, a scripting library such as python-requests or curl, a client string that only appears with legacy password-based sign-ins, or a browser and operating system combination the organization does not use. The header is self-reported and trivially spoofed, so a normal-looking value proves nothing, but an abnormal one is a cheap and reliable red flag, because attackers' automated tooling frequently gets it wrong or does not bother to disguise itself as a legitimate browser.
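The four sign-in related threats on this page (sign-ins without MFA, geoblock evasion through VPN or hosting networks, legacy authentication, and suspicious user agents) all surface in the same place, the Entra ID sign-in log, so one triage pass covers them. The Python below is an added example, not the page's or any vendor's code. The records, the allowed-country list, and the VPN/hosting ASN list are constructed (AS64496 and AS64497 are documentation-reserved numbers standing in for whatever your IP-intelligence feed reports); the field names follow the Microsoft Graph signIn resource, and the legacy clientAppUsed values are the ones Entra ID reports for protocols that cannot perform MFA.

```python
"""Triage Entra ID sign-in log records for single-factor sign-ins, legacy
authentication, geoblock evasion, and suspicious user agents.
Added example; the records and watchlists are constructed."""
import re

# Assumption: the tenant's Conditional Access policy allows only these countries.
ALLOWED_COUNTRIES = {"US", "CA"}

# clientAppUsed values Entra ID reports for protocols that cannot do MFA.
# Extend from your own tenant's sign-in logs.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
    "Exchange Web Services", "MAPI Over HTTP",
    "Outlook Anywhere (RPC over HTTP)", "Autodiscover", "Other clients",
}

# Assumption: ASNs your IP-intelligence feed tags as VPN or hosting providers.
# AS64496-AS64511 are reserved for documentation, so these are placeholders.
VPN_HOSTING_ASNS = {64496, 64497}

# Scripted HTTP clients, the BAV2ROPC string seen on legacy password-based
# sign-ins, and the empty string (no browser sends nothing).
SUSPICIOUS_UA = re.compile(
    r"python-requests|curl/|Go-http-client|okhttp|BAV2ROPC|^$", re.I)


def triage_signin(rec: dict) -> list[str]:
    """Return the reasons a successful sign-in record deserves review."""
    reasons = []
    if rec.get("status", {}).get("errorCode", 0) != 0:
        return reasons          # failed or blocked sign-ins are a separate detection
    if rec.get("authenticationRequirement") == "singleFactorAuthentication":
        reasons.append("succeeded with a single factor (no MFA)")
    app = rec.get("clientAppUsed")
    if app in LEGACY_CLIENT_APPS:
        reasons.append(f"legacy authentication via {app}")
    country = rec.get("location", {}).get("countryOrRegion")
    asn = rec.get("autonomousSystemNumber")
    if country in ALLOWED_COUNTRIES and asn in VPN_HOSTING_ASNS:
        reasons.append(f"allowed country {country} but VPN/hosting network AS{asn}")
    ua = rec.get("userAgent") or ""
    if SUSPICIOUS_UA.search(ua):
        reasons.append(f"suspicious user agent {ua!r}")
    return reasons


def triage_signins(records) -> list[dict]:
    """One finding per record that produced at least one reason."""
    return [{"user": r["userPrincipalName"], "ip": r["ipAddress"], "reasons": reasons}
            for r in records if (reasons := triage_signin(r))]


BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"

# Constructed sample records using documentation IP ranges (RFC 5737).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "192.0.2.10",
     "clientAppUsed": "Browser", "userAgent": BROWSER_UA,
     "location": {"countryOrRegion": "US"}, "autonomousSystemNumber": 64500,
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.23",
     "clientAppUsed": "IMAP4", "userAgent": "BAV2ROPC",
     "location": {"countryOrRegion": "US"}, "autonomousSystemNumber": 64500,
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.77",
     "clientAppUsed": "Browser", "userAgent": BROWSER_UA,
     "location": {"countryOrRegion": "US"}, "autonomousSystemNumber": 64496,
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com", "ipAddress": "203.0.113.9",
     "clientAppUsed": "Browser", "userAgent": BROWSER_UA,
     "location": {"countryOrRegion": "NG"}, "autonomousSystemNumber": 64500,
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 53003}},
    {"userPrincipalName": "erin@example.com", "ipAddress": "192.0.2.44",
     "clientAppUsed": "Browser", "userAgent": "python-requests/2.31.0",
     "location": {"countryOrRegion": "CA"}, "autonomousSystemNumber": 64500,
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
]

if __name__ == "__main__":
    for finding in triage_signins(SAMPLE_SIGNINS):
        print(finding["user"], finding["ip"], "->", "; ".join(finding["reasons"]))
```

The blocked sign-in (non-zero errorCode) is deliberately skipped here: a Conditional Access block is the policy working, while the interesting cases are the successful sign-ins that slipped past it, which is what the VPN/ASN and legacy-protocol checks catch. Bob's record shows why the signals compound: a legacy protocol, no second factor, and a user agent that only legacy password sign-ins produce.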
In Conclusion
The cloud has shifted the threat landscape, presenting new challenges and exposures that businesses must address. Our experience over the past year underscores the importance of defending against these five cloud security threats. Managed Service Providers (MSPs), alongside their clients, must remain agile and keep improving their security strategies.
To learn how to do so, head to our eBook, Top Five Cloud Security Threats: A Closer Look at the SOC’s Common Cloud Responses, today.