This year, there has been a spate of cloud-based token theft. These tokens are issued by identity and access management services such as Azure Active Directory (AD), and they contain sensitive information like usernames, source IP addresses, MFA status, and corporate account permissions. These tokens are the backbone of how your employees access company resources - both in the office and at home. And they are growing increasingly vulnerable to two types of exploitation technique: adversary-in-the-middle (AitM) and pass-the-cookie attacks.
Cloud tokens provide the proverbial keys to the corporate kingdom. Under normal circumstances, they allow your users to access a whole suite of company applications, confidential data, and PII such as customer information. Most companies recognize the importance of identity verification tools such as multi-factor authentication (MFA) and require a successful MFA submission before a token is issued. In a perfect world, even if a malicious actor manages to scrape an employee’s credentials, MFA provides a second line of defense that prevents them from obtaining a valid cloud token. Unfortunately, these cloud tokens are increasingly vulnerable to attacks that bypass the MFA process.
Common Attack Types
As mentioned above, there are two main avenues for token theft: adversary-in-the-middle (AitM) frameworks and pass-the-cookie attacks. The first, AitM attacks, occur when a bad actor attempts to harvest user credentials through a phishing email and a malicious site. If the target engages with the phishing email and provides their credentials through the site, they may be prompted to respond to an MFA notification. Once the MFA prompt is completed, the perpetrator has access to both the original user credentials and the identity token. Depending on the permissions of the targeted individual, the attacker may then pursue a secondary scheme ranging from Business Email Compromise (BEC) to a full-fledged administrative takeover. These secondary attacks can cripple businesses by targeting their customers, shutting down operations, and exposing the company to major regulatory fines.
The second major category is pass-the-cookie attacks, which involve browser cookies that have been compromised by cybercriminals. Typically, a target will provide their credentials via a malicious site, after which a cookie is created and stored for that session. If a cybercriminal is able to compromise their personal or corporate account, they can use that stored cookie to access the target’s token. This is an even greater concern for personal accounts, which tend to have fewer security measures than corporate ones. If your employees are working from home, a compromised browser means that both their personal and business cookies would be subject to exploitation.
These types of compromise were central in bringing down Equifax in the company’s 2017 data breach. The company suffered a massive breach that resulted in the leak of 150 million client accounts. Equifax failed to patch a known vulnerability in their website, and failed to implement HTTPS on their mobile application. Hackers were able to exploit these vulnerabilities to intercept Equifax users as they accessed their accounts.
How to Detect and Prevent Compromised Tokens
With this in mind, how exactly can you protect your company and data from falling into the wrong hands? We’ll explore three strategies: prevention, detection, and response. First, the most important thing you can do is focus on avoiding token theft through the following:
If you suspect a token has been stolen, there are a few things your IT team can look for. First, a stolen token will be replayed when the attacker attempts to use it to access your company data. When this replay happens, your system may raise an anomaly alert. Both Azure AD Identity Protection and Microsoft Defender for Cloud Apps can flag these events. If your security team is using a more comprehensive security framework, such as MITRE ATT&CK, the elements therein may help your team identify suspicious behavior. For example, MITRE ATT&CK can help your team identify standard indicators of compromise, map threat lifecycles, and pinpoint cyber kill chain concepts.
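As an added illustration (not iCorps' code and not the logic of any Microsoft product), the following Python script shows the kind of replay heuristic such an anomaly alert rests on: when a session identifier that was first seen from one IP address and browser is used again from a different one shortly afterwards, the sign-in is flagged. The field names (`sessionId`, `ipAddress`, `userAgent`) are modelled on Azure AD sign-in log fields, the records are constructed, and the eight-hour window is an assumption.

```python
# Added example: flag reuse of a session token from a new client (IP / user agent)
# shortly after it was first seen. Sample records are constructed, not real logs.
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed Azure AD-style sign-in records (field names mirror sign-in log fields).
SIGN_INS: List[Dict[str, str]] = [
    {"time": "2023-05-02T09:00:00Z", "user": "alice@example.com", "sessionId": "S1",
     "ipAddress": "203.0.113.10", "userAgent": "Edge/113 Windows", "mfa": "satisfied"},
    {"time": "2023-05-02T09:05:00Z", "user": "alice@example.com", "sessionId": "S1",
     "ipAddress": "203.0.113.10", "userAgent": "Edge/113 Windows", "mfa": "satisfied"},
    # Same session cookie replayed 12 minutes later from an unrelated address and
    # browser; no MFA challenge occurs because the session is already established.
    {"time": "2023-05-02T09:12:00Z", "user": "alice@example.com", "sessionId": "S1",
     "ipAddress": "198.51.100.77", "userAgent": "Chrome/112 Linux", "mfa": "not_required"},
    {"time": "2023-05-02T10:00:00Z", "user": "bob@example.com", "sessionId": "S2",
     "ipAddress": "203.0.113.20", "userAgent": "Safari/16 macOS", "mfa": "satisfied"},
]

WINDOW = timedelta(hours=8)  # assumed session lifetime during which reuse is suspicious


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_replays(events: List[Dict[str, str]], window: timedelta = WINDOW) -> List[Dict[str, str]]:
    """Return sign-ins where a known session appears from a new IP or user agent."""
    first_seen: Dict[str, Dict[str, str]] = {}  # sessionId -> first sign-in record
    alerts: List[Dict[str, str]] = []
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        origin = first_seen.setdefault(ev["sessionId"], ev)
        if origin is ev:
            continue  # first sighting of this session; nothing to compare against
        changed_ip = ev["ipAddress"] != origin["ipAddress"]
        changed_ua = ev["userAgent"] != origin["userAgent"]
        within = _ts(ev["time"]) - _ts(origin["time"]) <= window
        if within and (changed_ip or changed_ua):
            reason = "session reused from new " + ("ip" if changed_ip else "user agent")
            alerts.append({**ev, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_replays(SIGN_INS):
        print(alert["time"], alert["user"], alert["sessionId"], alert["reason"])
```

In production the same comparison would run over the sign-in log export and would normally also consider ASN, geography and device identity rather than the raw IP alone.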
In the unfortunate event a user token is compromised, there are a few things your security team will want to address.
User tokens play a vital role in your company’s daily operations, and it’s essential you keep them safe. If you’re using Azure Active Directory, or any other user management solution, our cyber experts can help. Reach out to iCorps for more information about identity solutions today, and request a free IT consultation.