Nothing is all good or all bad, however, suspicious user activity cannot be good. This is the story of an organization that had heavily relied on two-factor authentication and had later discovered that every security system has its flaws.
Two-factor authentication (also known as 2FA) is a great identity and access management security tool which is used as an extra layer of protection. It is used to ensure account security, beyond just a username and password. This fact led organizations to believe that they can avoid monitoring user identity and login security controls (i.e., logins from unusual or unknown devices and geolocations). However, it is important to note that in some dynamic environments, these controls may generate many alerts, and therefore cause alert fatigue, with a higher risk of false positives.
In the late evening hours on a Friday, our IR Team was contacted by an organization, working in the health sector, regarding suspicious activity that they had observed coming from one of their employees’ accounts. Users within the organization had noticed that this specific user account was distributing numerous suspicious emails. Once approached, the employee confirmed they did not conduct this activity.
The organization claimed that one of the employee’s devices was most likely compromised, and the attacker, who had stolen the employee’s credentials off the compromised device, was using the credentials to access the account and to distribute malicious emails. The organization also claimed that they have applied and relied on two-factor authentication for all their employees, which cannot be bypassed.
From our experience, most cyberattacks that occur in the mailbox level usually start off with stolen credentials from phishing campaigns, (i.e., a phishing website impersonating a company login page, asking for the user’s password). Moreover, more sophisticated attacks attempt to use the Legacy Auth protocols to bypass two-factor authentication (in case no enforcement is set via conditional access). Subsequently, in the initial investigation stage, the investigation focused on User Identity to reduce any possibility of stolen credentials.
Since the organization has not been monitoring login events, our investigation began in the O365 Unified Azure Login events, as we sought to monitor login events from unusual geolocations, focusing on hostile nations (Russia, China, Iran, North Korea, etc.).
The investigation revealed that the user was connected several times from different IP addresses, including addresses related to NordVPN and an address from Nigeria (a country known for cyber attackers who specialize in fraud and scams through email channels).
Once we had enough data to prove that the user’s credentials had indeed been stolen, the organization was advised to perform a few initial remediations such as requesting the user to change their password. Then, the organization was advised to revoke the user’s session and block the IP via conditional access.
The next steps of the investigation focused on answering the question of how the initial access was performed while two-factor authentication was applied and active. As in, how did the attacker bypass two-factor authentication?
During our review of the user’s profile in Azure, and the user’s two-factor authentication configuration on the compromised device, we found that the user had two mobile numbers from different countries linked to the device. Looking at the numbers’ prefixes, one was from the user’s country of origin, and the other was from the United States.
The user claimed that they did not recognize the US number, and thus, we had concluded that the attacker has gained access to the account and linked their mobile number to the two-factor authentication set on the device. This way, the attacker could return to the account whenever they please, almost like a backdoor.
At this point, we were trying to understand how the attacker made the initial login attempt and how they linked the two-factor authentication to their mobile device. To answer this question, we needed to know the exact date the organization set up two-factor authentication.
It turns out that the organization set up two-factor authentication two months prior to the incident. The organization sent out an email to their employees with a guide explaining how to register and set up two-factor authentication on their devices. Then, a week later, the organization changed the conditional access policy to enforce two-factor authentication for all users.
After receiving these details, our goal was to discover when the user was first seen connecting with two-factor authentication from an unusual IP address. To do that, we had to find a system within the network that keeps event logs for more than 60 days. Later, we discovered that the corporate SIEM system saves logs dating six months back and collects the unified event logs from the O365 Portal.
When we began our review of the logs, we were skeptical that we would find any unusual login events from 60 days prior, but thankfully, we found multiple suspicious login events from over 90 days prior to the incident!
These findings led us to believe that the attack was carried out as follows:
An unknown attacker has gained access to one of the organization’s mailboxes by conducting credential theft (at that point in time, two-factor authentication was not applied by the organization)
While searching for a potential victim for the attack, the attacker had come across the organization’s email regarding the two-factor authentication set up
Of course, the attacker took advantage of this opportunity and linked the two-factor authentication to their own device
The organization enforced two-factor authentication for all employees, however, the attacker was still able to keep their foothold since they had already linked their device
The attacker waited approximately 100 days, and then proceeded to send malicious emails to numerous employees, internally
Ultimately, the attacker conducted an internal phishing campaign, targeting internal mailboxes and stealing additional credentials. And, following this attack flow, we decided to review the user’s browsing history on the compromised device. Doing so, led us to find a URL to a phishing site.
Finally, all details revolving the investigation were shared with the organization, including additional recommendations for mitigation, which included the removal of the attacker’s phone number from the device, and blocking the state of Nigeria in conditional access.
An important recommendation in this case, was to verify all mobile numbers that were linked to the accounts in the organization, and this way, ensure that they are indeed correct/verified and relate to the employees. This way, the organization can eliminate suspicion of additional compromised accounts. And finally, to perform a risk assessment for the data leaked and reviewed by the attacker.
Once fulfilling and completing the recommendations and mitigations, the incident was declared as fully mitigated with no additional users identified at risk.
The following incident comes to show the importance of applying multiple security layers and monitoring controls for an organization’s user identities and assets. Also, plenty times the level of security in an organization will depend on the most exposed and vulnerable part of the chain, which is the identities (users) themselves, which attackers try to exploit sooner rather than later.
