KnockKnock attack

Security researchers have spotted a new type of low-and-slow brute-force attack — which they nicknamed KnockKnock — aimed at companies with Office 365 accounts.

Identified by Skyhigh Networks, the attacks have been going on since May 2017, and have gone through two very distinct phases, both devilishly clever in their approach.

Attacking system email accounts for greater access

The second phase of these attack is the one that stands out the most. Instead of attacking employee accounts, hackers decided to try and crack system email accounts, like the ones below:

» Service accounts — used for user provisioning in larger enterprises
» Automation accounts — used to automate data and system backups
» Machine accounts — used for applications within data centers
» Marketing accounts — used for marketing and customer communication
» Internal tools accounts — used with JIRA, Jenkins, GitHub, etc.
» Other system accounts — used for distribution lists, shared and delegated mailboxes.

Skyhigh says attackers attempted to guess the passwords for these accounts. The reasoning is simple, as these accounts do not use two-factor authentication (2FA) and have higher access and privileges than regular employee accounts.

Further, employees don't usually expect to receive malicious content from these addresses, so there's a higher chance that victims click on suspicious links if they come from an internal, generic email address.

In addition, there's always the benefit of gaining access to an account that stores a huge trove of sensitive information. Compromising one of these accounts grants the attacker access to valuable historical information that he can use to craft further attacks.

Attackers used a small botnet for the KnockKnock attack

Skyhigh says that the group behind these attacks was careful not to launch massive brute-force attacks that would show up on the radar of any decent security system.

Instead, attackers used a low-and-slow approach, trying only a few passwords at a time, spreading the attack over days.

"[The] KnockKnock [attack] has been operational since May 2017 and is currently active," says Sandeep Chandana, Principal Data Scientist at Skyhigh. "The attack is launched using a relatively small network of 83 confirmed IPs distributed across 63 networks."

The attacks never focus on one company alone, but switch targets from one firm to the other, coming back with new password tries later on.

This is the reason why many companies did not detect the failed login attempts against their system accounts, and the attack raged on for the past six months.

Attacking random username combos with leaked passwords

Earlier in the year, in July, Skyhigh experts noticed an eerily similar low-and-slow brute-force attack. While not confirmed to be linked with the brute-force attack on system email accounts, the technique and execution were very similar.

Attackers would identify a company employee whose credentials were exposed in a previous data breach and attempt to guess his Office 365 account.

For example, if an employee named John Smith had his LinkedIn account exposed, the hackers would take the password leaked in the LinkedIn breach an attempt to use the same password to log into his business account. Because attackers didn't know John Smith's corporate email, they would try several email combinations one after the other, such as johnsmith@company.com, john.smith@company.com, smith.john@company.com, john@company.com, and so on.

Office 365 brute-force attack

Back in July, Skyhigh said it detected a botnet of 67 IP addresses spread over 12 networks trying to break into the Office 365 accounts of 48 companies. In total, Skyhigh detected over 100,000 failed login attempts, with no successful login.

In an email conversation back in July,  Chandana told Bleeping Computer that attackers focused their efforts on companies in manufacturing, healthcare, pharmaceuticals, and financial services.

"The attack effort appears to have been optimized for the long term and [the] wide scope of information that can be obtained with a potential compromise," Chandana told Bleeping.

Low-and-slow brute-force attacks bypass security measures

Just like the recent attacks on system email accounts, attackers weren't in a hurry and attempted to break into accounts over a period of months. Attackers wanted to be sure their brute-forcing was not going to trigger account lockouts or other security measures put in place by cloud service providers.

Skyhigh experts detected these attacks against companies running their email system on Microsoft's Office 365 platform, but attackers could be very well attacking non-Office 365 customers as well.

The simplest countermeasure to deal with the KnockKnock attacks Skyhigh detected in the past months is to enable 2FA for employee accounts, and to use strong and unique passwords for both employee and system email accounts.

Image credits: Gan Khoon Lay, Skyhigh Networks