Matthew Gardiner
Sponsored Article
'KnockKnock:' Make Sure You Lock Your Door

Don't assume that just because you have moved an application to the cloud you are insulated from security risks and responsibilities.

There is something for security people to learn from most cyber attacks. We can learn about new attack techniques used by cybercriminals, or about new types of digital assets they target. Some cyber attacks highlight application or infrastructure vulnerabilities that weren't widely known or understood, while others highlight gaps in specific security technologies. Although the recently disclosed KnockKnock attack hasn't received anywhere near the publicity of WannaCry, Petya/NotPetya, or BadRabbit, it provides a number of important lessons from which everyone can learn something. In no particular order, those are:

Broadly used platforms like Office 365 make juicy targets for attackers.
As the popularity of a platform rises, attackers increasingly focus on it; they are responding to the basic economics of supply and demand. In the case of KnockKnock, the runaway success of Office 365 has drawn the focus of a particular botnet herder, and many other malicious actors are increasingly focused on it as well. Back in the day, malware was primarily written for the Windows platform, in large part because the probability of bumping into a vulnerable Windows system was quite high. Now, with the rapid move of common business applications to the cloud, the probability of finding a vulnerable cloud tenant is also increasingly high. As the most popular cloud application in the world, Office 365 is on the way to attaining ubiquity on par with Windows. Couple that with the minuscule expense for an attacker to set up an Office 365 test environment of his own, and you have a perfect environment for an Office 365-focused attack campaign.

Admin or system accounts provide great backdoor entry points.
Attackers often assume, correctly, that organizations "set it and forget it" when it comes to system admin accounts. This age-old attacker technique didn't go away with the move to the cloud; in fact, it got easier. By definition these accounts are Internet accessible and thus easy to find, access, and "knock on." In how many organizations are these privileged accounts protected with only a single authentication factor, a password? That is certainly the case with many Office 365 admin accounts, even though multi-factor authentication is available.

Lateral movement leverages internal-to-internal phishing emails.
This portion of the KnockKnock attack is notable and increasingly common. How many of your employees will be wary of clicking links or opening attachments in an email that literally comes from an internal sender? What better way to spread an attack laterally than by using your organization's own email system? This is exactly what an attacker can do once they control one of your Office 365 accounts, whether it is a system account or one of your regular user accounts. How many organizations have their email security systems reviewing internal-to-internal emails? While it is understandable that most organizations focus their email protections on inbound email first, it is increasingly important to also protect against malicious internal-to-internal email. The spread of an attack is often much worse for the organization than the original infection.
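One defensive check the point above argues for, written as an added example (it is not code from the article or from Mimecast): a detector that reads a constructed mail-gateway log and flags an internal account that mails the same URL to several distinct internal recipients within a short window, the pattern of a compromised account spreading laterally. The log format, the example.com domain, the window and the threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
URL_RE = re.compile(r"https?://\S+")

# Constructed sample of a gateway log: "<timestamp> <sender> -> <recipient> | <subject> | <body>"
SAMPLE_LOG = """\
2017-10-12T09:00:01 svc-backup@example.com -> alice@example.com | Invoice | please review http://evil.example.net/doc
2017-10-12T09:00:05 svc-backup@example.com -> bob@example.com | Invoice | please review http://evil.example.net/doc
2017-10-12T09:00:09 svc-backup@example.com -> carol@example.com | Invoice | please review http://evil.example.net/doc
2017-10-12T09:01:00 svc-backup@example.com -> dave@example.com | Invoice | please review http://evil.example.net/doc
2017-10-12T09:30:00 alice@example.com -> bob@example.com | lunch | see http://intranet.example.com/menu
2017-10-12T10:00:00 partner@vendor.example.org -> alice@example.com | quote | http://vendor.example.org/q
2017-10-12T10:05:00 alice@example.com -> bob@example.com | notes | no links here
"""

def parse_log(text):
    """Turn each log line into a dict with timestamp, sender, recipient and the URLs in the body."""
    events = []
    for line in text.splitlines():
        ts, rest = line.split(" ", 1)
        addrs, _subject, body = [p.strip() for p in rest.split("|", 2)]
        sender, recipient = [a.strip() for a in addrs.split("->")]
        events.append({"ts": datetime.fromisoformat(ts), "sender": sender,
                       "recipient": recipient, "urls": set(URL_RE.findall(body))})
    return events

def domain(addr):
    return addr.rsplit("@", 1)[1].lower()

def find_internal_url_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return {(sender, url): recipients} for internal senders that mailed the same URL
    to at least `threshold` distinct internal recipients inside one sliding window."""
    by_key = defaultdict(list)
    for e in events:
        # Only internal-to-internal traffic is of interest here; inbound mail is covered elsewhere.
        if domain(e["sender"]) != INTERNAL_DOMAIN or domain(e["recipient"]) != INTERNAL_DOMAIN:
            continue
        for url in e["urls"]:
            by_key[(e["sender"], url)].append((e["ts"], e["recipient"]))
    alerts = {}
    for key, hits in by_key.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            rcpts = {r for t, r in hits[i:] if t - start <= window}
            if len(rcpts) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(rcpts))
    return alerts
```

A real deployment would allowlist the organisation's own link domains and feed the alert into the same review path used for inbound mail.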

The bottom line is that attackers are "knocking" all around your enterprise, including, increasingly, on your cloud-based services. It is important to recognize this so you can apply your best defenses where they are needed most. Don't assume that moving an application to the cloud insulates you from security risks and responsibilities.

Matthew Gardiner is a Senior Product Marketing Manager at Mimecast and is currently focused on email security, phishing, malware, and cloud security. With more than 15 years focused in security, Matthew's expertise in various roles includes threat detection & response, ...