Bekker's Blog


Office 365-Focused Botnet Puts Spotlight on Security of System Accounts

The recent discovery of a botnet aimed at Office 365 customers puts a spotlight on a commonly overlooked category of system accounts.

Skyhigh Networks this month reported a botnet it dubbed "KnockKnock" that it discovered several weeks ago. Active since at least May, and especially active from June through August, the relatively small botnet seems to have been highly targeted in both the types of accounts it attacked and the types of organizations it went after.

"The reason this is interesting is not that a botnet is trying to get into accounts, but the fact that it is trying to get into system accounts," said Sekhar Sarukkai, chief scientist at Skyhigh Networks, in an interview.

According to Skyhigh's description, the attack targets the system accounts commonly used to connect the Exchange Online e-mail system with marketing and sales automation software. Where a system account was compromised, KnockKnock exported data from the inbox, created a new inbox rule and launched a phishing attack from the account against the rest of the organization.

Skyhigh picked up evidence of the botnet through its Cloud Access Security Broker (CASB) Threat Protection engine when the company's customers were attacked. Skyhigh says the traffic came from 63 networks and 83 IP addresses, with 90 percent of traffic coming from IP addresses in China. In all, the attacks came from 16 countries.

The attacks averaged only five e-mail addresses per customer. Additionally, the organizational targeting was extremely specific -- aimed at infrastructure and Internet of Things (IoT) departments within the manufacturing, financial services, health care and consumer products industries, as well as U.S. public sector agencies.

"It just seems like it's orchestrated in a controlled manner, rather than a free-for-all, get-what-you-can kind of campaign," he said.

Sarukkai said the attack is effective in part because non-human system accounts are less likely to be protected by multi-factor authentication or by security policies such as recurring password-reset requirements. "Once these accounts have been provisioned, they're really sort of forgotten," he said. "I think these actors have a pretty good understanding of the weakest link in Office 365 and in general the security infrastructure -- almost like the hidden weakness."
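The sequence Skyhigh describes (a service account creating an inbox rule and then sending mail to many internal recipients) is something a defender can look for in the Office 365 audit trail, provided the organization keeps an inventory of its non-human accounts. The script below is an added example, not Skyhigh's or Microsoft's code; the audit records and account names are constructed, and the field names (Operation, UserId, CreationTime, ClientIP, Recipients) only loosely follow the Unified Audit Log's shape and are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records loosely shaped like Office 365 Unified Audit Log entries.
# Field names, addresses and IPs are assumptions for this example, not real data.
SAMPLE_LOG = """
{"CreationTime":"2017-07-03T02:10:00","Operation":"UserLoggedIn","UserId":"crm-sync@example.com","ClientIP":"203.0.113.7"}
{"CreationTime":"2017-07-03T02:11:30","Operation":"New-InboxRule","UserId":"crm-sync@example.com","ClientIP":"203.0.113.7","Parameters":"DeleteMessage=True"}
{"CreationTime":"2017-07-03T02:12:05","Operation":"Send","UserId":"crm-sync@example.com","ClientIP":"203.0.113.7","Recipients":["a@example.com","b@example.com","c@example.com","d@example.com","e@example.com","f@example.com"]}
{"CreationTime":"2017-07-03T09:00:00","Operation":"New-InboxRule","UserId":"alice@example.com","ClientIP":"198.51.100.4","Parameters":"MoveToFolder=Newsletters"}
{"CreationTime":"2017-07-03T09:05:00","Operation":"Send","UserId":"alice@example.com","ClientIP":"198.51.100.4","Recipients":["bob@example.com"]}
"""

# Inventory of non-human accounts provisioned for integrations (CRM/marketing connectors).
# Maintaining this list is the first control the article's point implies.
SERVICE_ACCOUNTS = {"crm-sync@example.com", "erp-mailer@example.com"}

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
WINDOW = timedelta(hours=1)     # rule creation and mass send must be this close together
FANOUT_THRESHOLD = 5            # recipients per message that looks like internal phishing

def parse_log(text):
    """One JSON record per line; blank lines are skipped."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def find_knockknock_pattern(records, service_accounts):
    """Alert when a service account creates or modifies an inbox rule and then sends
    high fan-out mail within WINDOW. Human accounts are ignored here: they are expected
    to be covered by MFA and normal rule-change monitoring."""
    by_user = defaultdict(list)
    for r in records:
        if r["UserId"] in service_accounts:
            by_user[r["UserId"]].append(r)
    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["CreationTime"])
        for i, r in enumerate(recs):
            if r["Operation"] not in RULE_OPS:
                continue
            t0 = datetime.fromisoformat(r["CreationTime"])
            for later in recs[i + 1:]:
                if datetime.fromisoformat(later["CreationTime"]) - t0 > WINDOW:
                    break
                if later["Operation"] == "Send" and len(later.get("Recipients", [])) >= FANOUT_THRESHOLD:
                    alerts.append({"user": user, "rule_time": r["CreationTime"],
                                   "send_time": later["CreationTime"],
                                   "client_ip": later["ClientIP"],
                                   "recipients": len(later["Recipients"])})
                    break
    return alerts

if __name__ == "__main__":
    for alert in find_knockknock_pattern(parse_log(SAMPLE_LOG), SERVICE_ACCOUNTS):
        print(alert)
```

Only the service account trips the rule; the human user's newsletter rule followed by a single-recipient message does not.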

Posted by Scott Bekker on October 12, 2017 at 12:28 PM

