A joint advisory issued by cybersecurity agencies of Five Eyes (US, UK, Australia, Canada and New Zealand) warns that Russia-linked APT29 threat actors (aka SVR group, Cozy Bear, Nobelium, BlueBravo, Midnight Blizzard, and The Dukes) have switched to targeting cloud services.
The alert warns of the changes in recent tactics, techniques, and procedures (TTPs) associated with the nation-state actor.
“As organizations continue to modernize their systems and move to cloud-based infrastructure, the SVR has adapted to these changes in the operating environment.” reads the joint advisory. “They have to move beyond their traditional means of initial access, such as exploiting software vulnerabilities in an on-premises network, and instead target the cloud services themselves.”
To infiltrate the cloud-hosted network of the majority of victims, attackers have to authenticate themselves successfully with the cloud provider. On the other hand, in an on-premises system, a greater portion of the network is generally vulnerable to threat actors.
In previous campaigns associated with this threat actor, APT29 used brute forcing and password spraying to compromise service accounts. These accounts aren’t operated by a human and for this reason lack of multi-factor authentication (MFA). An attacker can compromise these accounts to gain privileged initial access to a network, facilitating the initiation of further operations.
The threat actors also targeted dormant accounts linked to users who no longer have active roles within a target organization.
According to the advisory, the APT29 was also observed using tokens to access victim accounts and bypassing MFA through ‘MFA bombing’ or ‘MFA fatigue’, which consists of repeatedly pushing MFA requests to a victim’s device until the victim accepts the notification.
“Once an actor has bypassed these systems to gain access to the cloud environment, SVR actors have been observed registering their own device as a new device on the cloud tenant [T1098.005]. If device validation rules are not set up, SVR actors can successfully register their own device and gain access to the network.” continues the advisory.
Cyberspies also rely on residential proxies to avoid detection and make traffic appear to originate from IP addresses within internet service provider (ISP) ranges used for residential broadband customers and hide the true source.
Five Eyes experts recommend organizations that have moved to a cloud infrastructure, to protect against SVR’s TTPs for initial access. The advisory includes a series of mitigations that can allow to neutralize the threat.
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, APT29)