The Cloud Consultancy Europe Ltd.
+44 (0) 203 637 6667 [email protected]

Clpoud Access Security Broker, Skyhigh Networks, have detected a previously unknown botnet ‘KnockKnock’. The ‘KoncoKnock’ campaign is a sophisticated cyber attack on Office 365 Exchange Online email accounts, originating from 16 countries around the world and targeted organisations in manufacturing, financial services, healthcare, consumer products and US public sector. The attackers behind ‘KnockKnock’ targeted automated corporate email accounts not tied to a human identity, which often lacked advanced security policies.

Unlike the brute force campaign on corporate Office 365 accounts Skyhigh had previously reported, ‘KnockKnock’ is a new campaign based on a unique attack strategy of targeting administrative accounts commonly used to integrate corporate email systems with marketing and sales automation software. Since these accounts are not linked to a human identity and require automated use, they are less likely to have protection with security policies such as multi-factor authentication (MFA) and recurring password reset.

On gaining access to an enterprise Office 365 account, the ‘KnockKnock’ campaign typically extracts data in the inbox, creates a new inbox rule and initiates a phishing attack from this controlled inbox in an attempt to propagate infection across the enterprise.

“This campaign on Office 365 is particularly troubling due to its focus on system accounts that are essential for today’s business automation, that typically do not require MFA and that traditionally have weak security oversight,” said Sekhar Sarukkai, Chief Scientist, Skyhigh Networks. “Detection and protection from attacks on these ‘weakest link’ accounts require a cloud-native security approach for complete visibility and mitigation.”

The KnockKnock campaign began in May 2017 and is still ongoing, with the bulk of activity occurring between June and August. With a focus on precision targeting instead of high volume targeting, attacks averaged five email addresses for each customer.

Skyhigh’s Threat Protection engine detected these attacks when logins to Office 365 were from unusual locations and the activities defied standard behavioral patterns as analyzed by Skyhigh’s machine learning algorithms. This analysis offered a detailed map of the attacks:
– Hackers used 63 networks and 83 IP addresses to conduct their attacks
– Roughly 90 percent of the login attempts came from China, with additional attempts originating from Russia, Brazil, U.S., Argentina and 11 other countries
– Targets included Infrastructure and Internet of Things (IoT) vendors, as well as departments related to infrastructure and IoT in large enterprises, across industries such as manufacturing, financial services, healthcare, consumer products and the US public sector.
– Almost all of the accounts were confirmed to be ‘non-human’ system accounts

Skyhigh’s visibility into cloud traffic of over 30 million enterprise users worldwide allows the company to correlate global threats such as ‘KnockKnock’. Skyhigh has been working with its customers to detect and protect against the persistent ‘KnockKnock’ attacks.