Devilishly Clever KnockKnock Attack Tries to Break Into System Email Accounts

[LASER_oneXM]

Security researchers have spotted a new type of low-and-slow brute-force attack — which they nicknamed KnockKnock — aimed at companies with Office 365 accounts.

Identified by Skyhigh Networks, the attacks have been going on since May 2017, and have gone through two very distinct phases, both devilishly clever in their approach.

Attacking system email accounts for greater access
The second phase of these attack is the one that stands out the most. Instead of attacking employee accounts, hackers decided to try and crack system email accounts, like the ones below:

» Service accounts — used for user provisioning in larger enterprises
» Automation accounts — used to automate data and system backups
» Machine accounts — used for applications within data centers
» Marketing accounts — used for marketing and customer communication
» Internal tools accounts — used with JIRA, Jenkins, GitHub, etc.
» Other system accounts — used for distribution lists, shared and delegated mailboxes.
Skyhigh says attackers attempted to guess the passwords for these accounts. The reasoning is simple, as these accounts do not use two-factor authentication (2FA) and have higher access and privileges than regular employee accounts.

Further, employees don't usually expect to receive malicious content from these addresses, so there's a higher chance that victims click on suspicious links if they come from an internal, generic email address.

In addition, there's always the benefit of gaining access to an account that stores a huge trove of sensitive information. Compromising one of these accounts grants the attacker access to valuable historical information that he can use to craft further attacks.

Attackers used a small botnet for the KnockKnock attack
Skyhigh says that the group behind these attacks was careful not to launch massive brute-force attacks that would show up on the radar of any decent security system.


Instead, attackers used a low-and-slow approach, trying only a few passwords at a time, spreading the attack over days.


"[The] KnockKnock [attack] has been operational since May 2017 and is currently active," says Sandeep Chandana, Principal Data Scientist at Skyhigh. "The attack is launched using a relatively small network of 83 confirmed IPs distributed across 63 networks."


The attacks never focus on one company alone, but switch targets from one firm to the other, coming back with new password tries later on.


This is the reason why many companies did not detect the failed login attempts against their system accounts, and the attack raged on for the past six months.

Low-and-slow brute-force attacks bypass security measures

Just like the recent attacks on system email accounts, attackers weren't in a hurry and attempted to break into accounts over a period of months. Attackers wanted to be sure their brute-forcing was not going to trigger account lockouts or other security measures put in place by cloud service providers.


Skyhigh experts detected these attacks against companies running their email system on Microsoft's Office 365 platform, but attackers could be very well attacking non-Office 365 customers as well.

The simplest countermeasure to deal with the KnockKnock attacks Skyhigh detected in the past months is to enable 2FA for employee accounts, and to use strong and unique passwords for both employee and system email accounts.