The cloud access security broker Skyhigh Networks discovered a wide-scale attack with a new stealthy technique, dubbed KnockKnock, that targets Office 365 (O365) accounts.
The massive campaign leverages a low-key attack, started in May and is still continuing. Attackers are using a small botnet composed of 83 IP addresses across 63 networks, most of them registered in China. The attackers also used bots from 15 other countries, including Brazil, Russia, the US, and Malaysia.
Experts underscored the fact that the botnet attack KnockKnock was observed in targeted offensives.
“Skyhigh has detected an ingenious new botnet attack against Office 365 accounts, dubbed ‘KnockKnock’ because attackers are attempting to knock on backdoor system accounts to infiltrate entire O365 environments.” reads the analysis published by Skyhigh Networks. “One of the key distinctions of this new attack is the nature of the accounts that are being targeted. KnockKnock was designed to primarily attack system accounts that are not assigned to any one individual user, making them particularly vulnerable, as we’ll describe later.”
Attackers launched a slow and methodical attack trying to remain under the radar instead of carrying out a brute force attack against O365 accounts.
The attackers targeted only a very small proportion (typically <2%) of the O365 account base, and limited the number of attempts to 3-5 per account in order to go undetected.
Once the attackers take over an account, they snoop o any data in the inbox and then create a new inbox rule to hijack any incoming messages. This is the first stage of the attack against company networks, once compromised an account, the attackers start in-company phishing attempts for lateral movements.
Experts suggest attackers may tailor the payload based on the targeted organization “for a larger takeover over time”.
The threat actors behind the KnockKnock attack focused its attention of certain accounts such as system accounts rather than ordinary accounts because they tend to have high access privileges and poor protection.
“The system accounts that Skyhigh identified as targets included service accounts (like the ones used for user provisioning in larger enterprises), automation accounts (like the ones used to automate data and system backups), machine accounts (like the ones used for applications within data centers), marketing automation accounts (like the ones used for marketing and customer communication), internal tools accounts (like the ones used with JIRA, Jenkins, GitHub etc.), in addition to accounts set up for distribution lists and shared and delegated mailboxes.” continues the analysis.
“The reason this is so clever is that system accounts, given their purpose, tend to have higher access and privileges than an average account. And, most importantly, such accounts do not yield well to authentication frameworks like Single-Sign-On (SSO) or Multi-Factor Authentication (MFA) and are also subject to lax password policies. “
Skyhigh experts detected the KnockKnock attacks using its machine learning anomaly detection engine. The engine detected an increase in the number of anomalous accesses, experts spotted the malicious activity by correlating data from billions of 0365 events across hundreds of customers.
Skyhigh researchers confirmed that the KnockKnock attack targeted over 50 percent of their customers, it is likely that a large portion of large Office 365 customers is being attacked with this technique.
Experts noticed that none of 83 recognized IP addresses were already included on the lists of bad IP addresses, making this attack stealth in nature.
(Security Affairs – KnockKnock attack, Office 365)