Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:00 AM
Matthew Gardiner
Matthew Gardiner
Sponsored Article
Connect Directly

'KnockKnock:' Make Sure You Lock Your Door

Don't assume that just because you have moved an application to the cloud you are insulated from security risks and responsibilities.

There is something for security people to learn from most cyber attacks.  We can learn about new attack techniques used by cybercriminals, or new types of digital assets targeted by them. Some cyber attacks highlight certain application or infrastructure vulnerabilities that weren’t widely known or understood, while others highlight gaps in specific security technologies. Although the recently disclosed KnockKnock attack hasn’t received anywhere near the publicity of WannaCry, Petya/NotPetya, or BadRabbit, it provides a number of important lessons from which everyone can learn something. In no particular order those are:

Broadly-used platforms like Office 365 make juicy targets for attackers. 
As the popularity of a platform rises, attackers increasingly focus on it. They are responding to the basic economics of supply and demand. In the case of KnockKnock, the runaway success of Office 365 has drawn the focus of a particular botnet herder. But many other malicious actors are also increasingly focused on it as well.  Back in the day malware was primarily written for the Windows platform, in large part because the probability of bumping into a vulnerable Windows system was quite high.  Now with the rapid move of common business applications to the cloud, the probability of finding a vulnerable cloud tenant is also increasingly high. As the most popular cloud application in the world, Office 365 is on the way to attaining ubiquity on par with Windows. Couple that with the miniscule expense for the attacker to set up an Office 365 test environment of his own, and you have a perfect environment for an Office 365-focused attack campaign.

Admin or system accounts provide great backdoor entry points. 
Attackers often assume – correctly – that, organizations "set it and forgot it" when it comes to system admin accounts. This age-old attacker technique didn’t go away with the movement to the cloud. In fact, it got easier. By definition these accounts are Internet accessible and thus easy to find, access, and "knock-on."  In how many organizations are these privileged accounts protected with only a single authentication factor – passwords? That is certainly the case with many Office 365 admin accounts, even though multi-factor authentication is available.

Lateral movement leverages internal-to-internal phishing emails.
This portion of the KnockKnock attack is notable and increasingly common.  How many of your employees will be wary of clicking links or opening attachments in an email that literally comes from an internal sender?  What better way to spread an attack laterally than using your organization’s own email system. This is exactly what an attacker can do once they have control of one of your Office 365 accounts, whether it is a system account or even one of your regular user accounts. How many organizations have their email security systems reviewing internal-to-internal emails? While it is understandable that most organizations focus their email protections on inbound emails initially, it is increasingly important to also focus on protecting against malicious internal-to-internal emails. The spread of an attack is often much worse for the organization than the original infection. 

The bottom line is attackers are "knocking" all around your enterprise, including, increasingly, your cloud-based services. It is important to recognize this so you can apply your best defenses where they are needed most. Don’t assume that just because you have moved an application to the cloud that this insulates you from security risks and responsibilities.

Matthew Gardiner is a Senior Product Marketing Manager at Mimecast and is currently focused on email security, phishing, malware, and cloud security. With more than 15 years focused in security, Matthew's expertise in various roles includes threat detection & response, ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-21
The Autoptimize WordPress plugin before 2.7.8 attempts to delete malicious files (such as .php) form the uploaded archive via the "Import Settings" feature, after its extraction. However, the extracted folders are not checked and it is possible to upload a zip which contained a directory w...
PUBLISHED: 2021-06-21
The Autoptimize WordPress plugin before 2.7.8 attempts to remove potential malicious files from the extracted archive uploaded via the 'Import Settings' feature, however this is not sufficient to protect against RCE as a race condition can be achieved in between the moment the file is extracted on t...
PUBLISHED: 2021-06-21
The Autoptimize WordPress plugin before 2.7.8 does not check for malicious files such as .html in the archive uploaded via the 'Import Settings' feature. As a result, it is possible for a high privilege user to upload a malicious file containing JavaScript code inside an archive which will execute w...
PUBLISHED: 2021-06-21
The Comments Like Dislike WordPress plugin before 1.1.4 allows users to like/dislike posted comments, however does not prevent them from replaying the AJAX request to add a like. This allows any user (even unauthenticated) to add unlimited like/dislike to any comment. The plugin appears to have some...
PUBLISHED: 2021-06-21
The WP Google Maps WordPress plugin before 8.1.12 did not sanitise, validate of escape the Map Name when output in the Map List of the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue