Since May, hackers have been attacking international businesses in over a dozen nations using a new and “ingenious” attack method dubbed KnockKnock. The attack technique allows hackers to infiltrate organisations’ Office 365 accounts by attempting to “knock” on backdoor system accounts.
In order to maintain a low profile, KnockKnock hackers have been using a small botnet consisting of 83 IP addresses distributed across 63 networks. KnockKnock also targets only around 2% of the Office 365 account base, indicating that the hackers are focused on a limited number of targets. KnockKnock further disguises the attack by targeting businesses in a “staggered” way: as attacks against one company ramp up, attacks against another slow down. The attacks also allow hackers to target system accounts, including service accounts, automation accounts, machine accounts and marketing accounts.
“The reason this is so clever is that system accounts, given their purpose, tend to have higher access and privileges than an average account,” Chandana added.
Low-and-slow brute-force attacks such as KnockKnock are known to allow hackers to infiltrate networks without raising alarms, as the slow pace of attempts lets them slip past security controls. According to SkyHigh Networks security researchers, KnockKnock is designed so hackers can steal any data in the compromised account inboxes. The attack also allows hackers to create a new inbox rule that hides and diverts all incoming messages.
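The distributed, low-rate pattern described above (many source addresses, a few attempts each, spread over days, aimed at service accounts) is what a defender would look for in sign-in logs. The following is an added example written for this article, not code from SkyHigh Networks; the record fields (`ts`, `account`, `ip`, `result`) and the sample data are constructed assumptions, not a real Office 365 audit schema.

```python
"""Flag accounts hit by KnockKnock-style low-and-slow, distributed sign-in failures."""
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_samples():
    """Constructed sign-in records (not real log data) covering three cases."""
    base = datetime(2017, 6, 1)
    recs = []
    # Case 1: a service account "knocked" from six IPs, two failures each,
    # twelve hours apart, so no single IP ever trips a lockout threshold.
    for i in range(6):
        for j in range(2):
            recs.append({"ts": base + timedelta(hours=12 * (2 * i + j)),
                         "account": "svc-backup@example.com",
                         "ip": f"203.0.113.{i + 1}", "result": "failure"})
    # Case 2: a noisy single-IP brute force; lockout already catches this.
    for j in range(8):
        recs.append({"ts": base + timedelta(minutes=j), "account": "alice@example.com",
                     "ip": "198.51.100.9", "result": "failure"})
    # Case 3: one mistyped password followed by a successful sign-in.
    recs.append({"ts": base, "account": "bob@example.com", "ip": "192.0.2.7", "result": "failure"})
    recs.append({"ts": base, "account": "bob@example.com", "ip": "192.0.2.7", "result": "success"})
    return recs


def find_low_and_slow(records, min_ips=5, max_per_ip=3, min_span_hours=24):
    """Return {account: stats} for accounts whose failures come from many distinct
    IPs, each staying under max_per_ip attempts, spread over at least min_span_hours.
    That combination is the KnockKnock signature a per-IP lockout rule misses."""
    per_account = defaultdict(lambda: defaultdict(list))
    for r in records:
        if r["result"] == "failure":
            per_account[r["account"]][r["ip"]].append(r["ts"])
    flagged = {}
    for account, by_ip in per_account.items():
        times = [t for stamps in by_ip.values() for t in stamps]
        span_hours = (max(times) - min(times)).total_seconds() / 3600
        per_ip_max = max(len(stamps) for stamps in by_ip.values())
        if len(by_ip) >= min_ips and per_ip_max <= max_per_ip and span_hours >= min_span_hours:
            flagged[account] = {"distinct_ips": len(by_ip),
                                "max_per_ip": per_ip_max,
                                "span_hours": span_hours}
    return flagged


if __name__ == "__main__":
    for account, stats in find_low_and_slow(constructed_samples()).items():
        print(f"low-and-slow pattern against {account}: {stats}")
```

The thresholds are tunable assumptions; in practice they should sit just below whatever per-IP lockout and alerting limits the tenant already enforces, so that attempts designed to stay under those limits are still surfaced.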
KnockKnock then attempts to launch a phishing attack and use the compromised inbox to spread across the targeted organisation’s networks. “Since this is a persistent attack that may go unnoticed, it is possible that the attackers may tailor the payload based on the organisation they have infiltrated for a larger takeover over time,” Chandana said.