Bekker's Blog

Blog archive

Office 365-Focused Botnet Puts Spotlight on Security of System Accounts

The recent discovery of a botnet aimed at Office 365 customers puts a spotlight on a commonly overlooked category of system accounts.

Skyhigh Networks this month reported a botnet it dubbed "KnockKnock" that it discovered several weeks ago. Active since at least May, and especially active from June through August, the relatively small botnet seems to have been highly targeted in both the types of accounts it attacked and the types of organizations it went after.

"The reason this is interesting is not that a botnet is trying to get into accounts, but the fact that it is trying to get into system accounts," said Sekhar Sarukkai, chief scientist at Skyhigh Networks, in an interview.

What the attack does, according to Skyhigh's description, is go after the system accounts that are commonly used to connect the Exchange Online e-mail system with marketing and sales automation software. In cases where the system accounts were compromised, KnockKnock exported data from the inbox, created a new inbox rule and began a phishing attack from the account against the rest of the organization.

Skyhigh picked up evidence of the botnet through its Cloud Access Security Broker (CASB) Threat Protection engine when the company's customers were attacked. Skyhigh says the traffic came from 63 networks and 83 IP addresses, with 90 percent of traffic coming from IP addresses in China. In all, the attacks came from 16 countries.

The attacks averaged only five e-mail addresses per customer. Additionally, the organizational targeting was extremely specific -- aimed at infrastructure and Internet of Things (IoT) departments within the manufacturing, financial services, health care and consumer products industries, as well as U.S. public sector agencies.

"It just seems like it's orchestrated in a controlled manner, rather than a free-for-all, get-what-you-can kind of campaign," he said.

Sarukkai said that what is helping the effectiveness of the attack is that non-human system accounts are less likely to be protected by multi-factor authentication or security policies, such as recurring password reset requirements. "Once these accounts have been provisioned, they're really sort of forgotten," he said. "I think these actors have a pretty good understanding of the weakest link in Office 365 and in general the security infrastructure -- almost like the hidden weakness."

Posted by Scott Bekker on October 12, 2017 at 12:28 PM


Featured

  • Windows Autopilot for HoloLens 2 Hits Preview

    Windows Autopilot, Microsoft's PC self-provisioning program, is now being tested for use with the company's mixed-reality headset, the HoloLens 2.

  • Signs Point to Microsoft Charging for Use of APIs

    There are indications that Microsoft is mulling charging customers for software that uses its application programming interfaces.

  • The 2020 Microsoft Product Roadmap

    From the next major update to Windows 10 to the next generations of .NET and PowerShell, here's what's on tap from Microsoft this year.

  • Microsoft Extends Azure Hybrid Benefit Licensing to Linux

    Microsoft has expanded its Azure Hybrid Benefit licensing program to include Linux servers, particularly Red Hat Enterprise Linux or SUSE Linux Enterprise servers.