27 January 2021

In the Fox IT blog post “Abusing cloud services to fly under the radar“[1], Wouter Jansen reports on a threat actor who got illegal access to the networks of high-tech and aviation companies and stayed undetected for more than 3 years. The post gives a great introduction to the MITRE ATT&CK framework, absolutely recommendable.

In section Initial access we read: “From this portal it was possible to launch the web-based VPN. The VPN was protected by two-factor authentication (2FA) by sending an SMS with a one-time password (OTP) to the user account’s primary or alternate phone number. It was possible to configure an alternate phone number for the logged in user account at the company portal” (my emphasis).

This describes a well-known issue with self-services: Once successfully authenticated against the company network a second factor often can be changed without enhanced authentication. Self-Services are designed with best user experience and responsiveness in mind, IT security often plays a subordinate role.

From my point of view, exchange of the second factor should always be approved by a line manager or his proxy. This may take a while, but it makes life much harder for an attacker. In addition, the likelihood of detection goes up.

Here is some food for thought: Are your security self-services designed with security in mind?

Have a great week!

References

1. Jansen W. Abusing cloud services to fly under the radar [Internet]. Fox-IT International blog. 2021 [zitiert 26. Januar 2021]. Verfügbar unter: https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/