Russian state hackers are adapting their techniques to attack organizations moving to the cloud, a advice from the UK National Cyber Security Center and international security agencies has warned.
The advisory details how cyberespionage group APT29 is directly targeting weaknesses in cloud services used by victim organizations to gain initial access to their systems. APT29 is also expanding the scope of its attacks beyond governments, think tanks, healthcare and energy providers to include victims in aviation, education, law enforcement, state and local councils, government financial departments and military organizations. APT29 has been linked to the Russian Foreign Intelligence Service.
The advisory urges organizations to address common vulnerabilities in their cloud environments by removing inactive accounts, enabling multi-factor authentication, and creating canary accounts to monitor for suspicious activity.
Who is APT29?
APT29, also known as Cozy Bear, Midnight Blizzard or The Dukes, is a cyber espionage group believed to be the perpetrator of the infamous 2020 SolarWinds attack, which exploited vulnerabilities in the Orion network and had a devastating impact on government agencies. of the US and several private sector companies.
The hacking group was also blamed for the recent password-spreading attack on Microsoft that resulted in the compromise of a small number of corporate email accounts.
How APT29 is adapting its cyberattacks to focus on cloud-based environments and “MFA blitz”
According to the advisory, APT29 has been observed using a number of techniques over the past 12 months that suggest it is adapting to the shift toward cloud-based operating environments in the public and private sectors.
Specifically, the group is increasingly exploiting weaknesses in cloud services used by organizations to gain initial access to networks. This marks a departure from the traditional attack methods used by the group, namely those that target local computers.
Techniques used by APT29 include password spreading and brute force attacks targeting accounts that are inactive or not operated by a person and are used to manage other applications on the network.
“This type of account is typically used to run and manage applications and services. There is no human user behind them, so they cannot be easily protected with multi-factor authentication (MFA), making these accounts more susceptible to successful compromise,” the notice states.
“Service accounts often also have many privileges depending on what applications and services they are responsible for managing. Gaining access to these accounts provides threat actors with initial privileged access to a network to launch further operations.”
APT29 is also exploiting weaknesses in MFA protocols through “MFA bombing,” which involves bombarding the victim's device with authentication requests until they tire of accepting, whether accidentally or not.
After bypassing MFA, hackers can register their own device on the network and gain deeper access to the victim organization's systems. SVR actors have also been observed stealing authentication tokens issued by the system, allowing them to access victims' accounts without needing a password.
Toby Lewis, head of threat analysis at British cybersecurity firm Darktrace, said the change in APT29's tactics highlighted some of the “inherent challenges” to cloud infrastructure security.
“The increasing migration of data and workloads to the cloud has opened up new attack surfaces that cybercriminals are eager to exploit,” Lewis told TechRepublic via email.
“Cloud environments contain enormous amounts of sensitive data that attract both bad actors and nation-state groups. “The distributed nature of cloud infrastructure, rapid resource provisioning, and prevalence of misconfigurations have posed significant security challenges.”
How SVR hackers fly under the radar
Residential proxies and dormant accounts are also proving to be very useful tools for SVR hackers, the advisory notes.
Inactive accounts are typically created when an employee leaves an organization but their account remains active. Hackers who have access to an inactive account can bypass any password reset imposed by an organization following a security breach, the advisory notes; They simply log in to the inactive or dormant account and follow the instructions to reset the password. “This has allowed the actor to regain access following eviction activities in response to incidents,” she says.
Likewise, SVR actors use residential proxies to mask their location and make it appear that their network traffic originates from a nearby IP address. This makes it more difficult for a victim organization to detect suspicious activity on the network and makes cybersecurity defenses that use IP addresses as indicators of suspicious activity less effective.
“As network-level defenses improve detection of suspicious activity, SVR actors have sought other ways to remain covert on the Internet,” the advisory says.
The challenges of securing networks in the cloud
Although not specifically mentioned in the advisory, Lewis said advances in generative artificial intelligence pose additional challenges to securing cloud environments, meaning attackers are leveraging the technology to create phishing attacks and more social engineering techniques. sophisticated.
He also suggested that many organizations overlook cloud security because they assume it is the responsibility of the cloud service provider, when in fact it is a shared responsibility.
DOWNLOAD: This TechRepublic Premium security awareness and training policy
“Many organizations mistakenly assume that the cloud provider will handle all aspects of security. However, while the provider protects the underlying infrastructure, the customer is still responsible for properly configuring resources, identity and access management, and application-level security,” he said.
“Business leaders must take cloud security seriously by investing in the right skills, tools and processes. They should ensure employees have training in cloud architecture and security to avoid basic misconfigurations. They should also adopt the shared responsibility model, to know exactly what is their responsibility.”
Tips from NCSC to stay safe regarding the SVR notice
The NCSC advisory emphasizes the importance of cybersecurity fundamentals, including:
- AMF implementation.
- Use strong, unique passwords for accounts.
- Reduce session durations for tokens and user sessions.
- Implement a principle of least privilege for system and service accounts, whereby each account is granted only the minimum levels of access necessary to perform its functions.
This minimizes the potential damage from compromised accounts and restricts the level of access attackers could gain. “A good foundation of cybersecurity fundamentals can negate even a threat as sophisticated as SVR, an actor capable of carrying out a global supply chain compromise like the 2020 SolarWinds compromise,” the advisory states.
DOWNLOAD: This Cloud Security Policy from TechRepublic Premium
Beyond this, the advisory suggests setting up canary service accounts, that is, accounts that appear legitimate but are actually used to monitor suspicious activity on the network. Zero-touch enrollment policies should be implemented wherever possible so that only authorized devices can be automatically added to the network, and organizations should “consider a variety of information sources, such as application events and host-based logs, to help prevent, detect and investigate potential malicious attacks.” behavior.”
Lewis highlighted the importance of collaboration to respond to the evolving threat landscape, as well as to ensure that companies have the right skills, people and processes to defend against new and emerging threats.
“Global collaboration between cybersecurity agencies and companies is essential to identify and respond to sophisticated threats. Attackers like APT29 think globally, so defenders must too,” he said.
“Sharing intelligence on new tactics allows organizations around the world to improve their defenses and respond quickly. No agency or company has complete visibility on its own.”
