Hackers use ‘cloud-on-cloud’ attacks to evade detection, attribution

The attacks, spotted earlier this year by Skyhigh Networks, highlight the increased complexity of the security issues companies face when they move to the cloud.

A stealthy group of hackers is using cloud infrastructure to attempt “low and slow” brute-force attacks on Microsoft Office 365 logins of senior executives at a broad swath of Fortune 2000 companies, according to recent research.

The cloud-on-cloud attacks, spotted earlier this year by Skyhigh Networks, appear to be an early example of a criminal or espionage group leveraging cloud infrastructure to hide not only their identity and the origins of their attack, but also the attack itself.

The research highlights the increased complexity of security issues companies face when they move to the cloud.

The attacks “came from multiple [cloud] providers and targeted multiple [Skyhigh] customers over a period of time,” explained Slawomir Ligier, the company’s senior vice president of engineering. “They were low and slow … designed to get under the radar.”


In fact, Ligier said, Skyhigh only detected the attacks because they were able to correlate Office 365 API login data across employees within each of their customer companies and across multiple customer companies.

“Within each organization, the attackers targeted a small number of senior employees across multiple departments,” according to a company blog posting about the attacks.

“They spaced the attempts across time and from different IP addresses,” Ligier said, adding the attacks didn’t seem targeted against any particular industry vertical or geographical area.

Brute-force attacks typically involve repeated efforts to guess the password to an account. But in this case, Ligier said, the attackers tried logging in with different versions of possible usernames (e.g. first.last, firstlast, first_last) suggesting they already possessed — or believed they possessed — some combination of employee names and passwords.

“That could have been from a prior [unconnected] breach,” he said, pointing out that password reuse is rampant, and that there are publicly available dumps of millions of name and password combinations from massive data breaches.


Over a period of about six months starting in early 2017, Skyhigh eventually found more than 100,000 failed Office 365 login attempts originating from 67 different IP addresses, and targeting 48 different enterprises, the posting stated.

Finding an IP address is one way to obtain a piece of evidence that can help identify an attacker. But if the attack comes from a cloud instance, the IP address only tells you who the cloud provider is, not the identity of the cloud tenant, let alone the attacker.

“We have no way of knowing,” Ligier acknowledged, whether the cloud instances from which the attacks came were rented by the attackers, or hacked and used to launch the attacks without the knowledge of the real renters.

Nor are they likely to learn more anytime soon.

When Skyhigh reported the attacks to the cloud providers hosting the attacking IPs, the response they got, in every case, was “Thanks, we’ll take it from here,” Vice President of Product Management Anand Ramanathan told CyberScoop.


He declined to name any of the cloud providers, but the closed-door nature of their response only serves to highlight the complex new issues that cybersecurity professionals face as companies transition their IT networks to the cloud.

“There’s a whole new paradigm,” Ramanathan explained, “What does [the provider] manage? What do I manage? … Who’s responsible for what, in security terms.”

Cloud access security brokers (CASB) like Skyhigh are a fast-growing market sector, driven by the lack of visibility into cloud infrastructure.

“The rapid adoption of cloud services has caught many security teams flat-footed,” write analysts from Gartner in an analysis of the CASB market published earlier this year. “Visibility into users, devices and data application interactions in cloud environments … is required to answer the question, ‘How do I secure my data in someone else’s system?’ ”

“As companies move their workloads and data to the cloud, the question is no longer ‘Should we move our data to the cloud?’ but rather ‘What security precautions should we take to move our data to the cloud?'” adds a Forrester analysis from the end of last year.


“CISOs want to get away from the business of saying ‘No,”” explained Ramanathan, “This technology lets them say ‘Yes!'”

Shaun Waterman

Written by Shaun Waterman

Contact the reporter on this story via email, or follow him on Twitter @WatermanReports. Subscribe to CyberScoop to get all the cybersecurity news you need in your inbox every day at

Latest Podcasts