Russian state hackers are adapting their techniques to target organizations moving to the cloud, an advisory from the UK National Cyber Security Centre and international security agencies has warned.
The advisory details how cyber espionage group APT29 is directly targeting weaknesses in cloud services used by victim organizations to gain initial access to their systems. APT29 is also expanding the scope of its attacks beyond governments, think tanks, healthcare and energy providers to include victims in aviation, education, law enforcement, local and state councils, government financial departments and military organizations. APT29 has been linked to Russia’s Foreign Intelligence Service.
The advisory urges organizations to address common vulnerabilities in their cloud environments by removing dormant accounts, enabling multi-factor authentication and creating canary accounts to monitor for suspicious activity.
APT29, also known as Cozy Bear, Midnight Blizzard or the Dukes, is a cyber espionage group that is widely believed to be the perpetrator behind the infamous 2020 SolarWinds attack, which exploited vulnerabilities in the Orion network and had a devastating impact on U.S. government agencies and various private sector companies.
The hacking group was also blamed for the recent password spraying attack on Microsoft that resulted in the compromise of a small number of corporate email accounts.
According to the advisory, APT29 has been observed using a number of techniques over the past 12 months that suggest it is adapting to the shift towards cloud-based operating environments across the public and private sectors.
Specifically, the group is increasingly exploiting weaknesses in cloud services used by organizations to gain initial access to networks. This marks a shift away from traditional attack methods used by the group, namely those that target on-premises equipment.
Techniques used by APT29 include password spraying and brute-force attacks that target accounts that are either dormant or not operated by a person and are used to manage other apps on the network.
“This type of account is typically used to run and manage applications and services. There is no human user behind them so they cannot be easily protected with multi-factor authentication (MFA), making these accounts more susceptible to a successful compromise,” the advisory notes.
“Service accounts are often also highly privileged depending on which applications and services they’re responsible for managing. Gaining access to these accounts provides threat actors with privileged initial access to a network, to launch further operations.”
APT29 is also exploiting weaknesses in MFA protocols via “MFA bombing,” which involves bombarding a victim’s device with authentication requests until they are fatigued into accepting — either accidentally or otherwise.
After bypassing MFA, hackers are able to register their own device on the network and gain deeper access into the victim organization’s systems. SVR actors have also been observed stealing system-issued authentication tokens, enabling them to access victims’ accounts without the need for a password.
Toby Lewis, head of threat analysis at British cybersecurity company Darktrace, said the change in APT29’s tactics highlighted some of the “inherent challenges” in securing cloud infrastructure.
“Increasing data and workload migration to the cloud has opened new attack surfaces that cyber criminals are eager to exploit,” Lewis told TechRepublic via email.
“Cloud environments contain enormous troves of sensitive data that appeal to bad actors and nation-state groups alike. The distributed nature of cloud infrastructure, rapid provisioning of resources, and prevalence of misconfigurations have posed major security challenges.”
Residential proxies and dormant accounts are also proving to be highly useful tools for SVR hackers, the advisory notes.
Dormant accounts are typically created when an employee leaves an organization but their account is left active. Hackers who have access to a dormant account can get around any password resets enforced by an organization following a security breach, the advisory notes; they simply log into the dormant or inactive account and follow the password reset instructions. “This has allowed the actor to regain access following incident response eviction activities,” it says.
Likewise, SVR actors are using residential proxies to mask their location and make it appear as though their network traffic is originating from a nearby IP address. This makes it more difficult for a victim organization to spot suspicious network activity, and makes cybersecurity defenses that use IP addresses as indicators of suspicious activity less effective.
“As network-level defences improve detection of suspicious activity, SVR actors have looked at other ways to stay covert on the internet,” the advisory says.
While not specifically mentioned in the advisory, Lewis said developments in generative artificial intelligence posed additional challenges for securing cloud environments — namely that attackers are leveraging the technology to craft more sophisticated phishing attacks and social engineering techniques.
He also suggested that many organizations fall over on cloud security because they assume this is the responsibility of the cloud service provider, when it is in fact a shared responsibility.
DOWNLOAD: This Security Awareness and Training Policy from TechRepublic Premium
“Many organisations mistakenly assume the cloud provider will handle all aspects of security. However, while the provider secures the underlying infrastructure, the customer retains responsibility for properly configuring resources, identity and access management, and application-level security,” he said.
“Business leaders must take cloud security seriously by investing in proper skills, tools and processes. They should ensure employees have cloud architecture and security training to avoid basic misconfigurations. They should also embrace the shared responsibility model, so they know exactly what falls within their purview.”
The NCSC advisory stresses the importance of cybersecurity fundamentals, which includes:
This minimizes potential damage from compromised accounts and restricts the access level attackers might gain. “Good baseline of cyber security fundamentals can deny even a threat as sophisticated as the SVR, an actor capable of carrying out a global supply chain compromise such as the 2020 SolarWinds compromise,” the advisory notes.
DOWNLOAD: This Cloud Security Policy from TechRepublic Premium
Beyond this, the advisory suggests setting up canary service accounts — i.e., accounts that look legitimate but are actually used to monitor for suspicious activity on the network. Zero-touch enrolment policies should be implemented where possible so only authorized devices can be automatically added to the network, and organizations should “consider a variety of information sources such as application events and host-based logs to help prevent, detect and investigate potential malicious behaviour.”
Lewis stressed the importance of collaboration in responding to the evolving threat landscape, as well as ensuring businesses have the right skills, people and processes in place to defend against new and emerging threats.
“Global collaboration among cybersecurity agencies and companies is critical to identify and respond to sophisticated threats. Attackers like APT29 think globally, so defenders must as well,” he said.
“Sharing intelligence on new tactics allows organisations worldwide to improve their defences and respond quickly. No one agency or company has complete visibility on its own.”