Russian Hackers Exploit Dormant Accounts to Breach Cloud Systems


Russian state-sponsored hackers pose a growing threat to organizations moving to cloud-based infrastructure: their initial-access tactics have evolved to target cloud services, according to a joint alert issued by cybersecurity agencies of the Five Eyes alliance.

The alert, issued jointly by cybersecurity and law enforcement agencies from the United States, Canada, the United Kingdom, Australia, and New Zealand, describes the recent tactics, techniques, and procedures (TTPs) of APT29, also known as Cozy Bear or Midnight Blizzard. The group, attributed to Russia’s Foreign Intelligence Service (SVR), has shifted its initial-access focus from exploiting software vulnerabilities in on-premises infrastructure to the cloud environments organizations are migrating to, where the actors must first authenticate to the cloud provider rather than exploit an unpatched server.

Rather than relying solely on vulnerability exploitation, the group has been observed running brute-force and password-spraying attacks against service accounts, which are often highly privileged and, because no human operates them, frequently cannot be protected with MFA. It has also targeted dormant accounts belonging to former employees that were never disabled, using them to gain unauthorized access to target organizations’ cloud environments. Such accounts are easily missed during a post-incident password reset, which lets the actors simply log back in.

The alert also highlights APT29’s use of stolen access tokens. Because a token is issued after the legitimate user has already authenticated, presenting it gives the actors access to the account without the password and without triggering a new MFA prompt. That is a separate technique from “MFA bombing” (also called MFA fatigue or push bombing), in which actors who do hold a valid password bombard the user with authentication push requests until one is accepted. Once past authentication, the actors have been observed registering their own device as a new device on the victim’s cloud tenant; this succeeds where device validation rules are not enforced and gives them persistent access from which to deploy further tooling.

The alert also emphasizes APT29’s use of residential proxies to mask its activity. By routing connections through IP addresses in ranges assigned to residential broadband customers, the actors make their traffic look like ordinary user logins, obscure its true origin, and reduce the value of IP-based blocking and attribution; defenders are advised not to rely on source IP alone as an indicator of compromise.

A Multi-pronged Approach

To mitigate the risks associated with these evolving tactics, the Five Eyes agencies recommend a multi-pronged approach:

  1. Implement Multi-Factor Authentication (MFA): Requiring a verification factor beyond the username and password blunts password spraying and brute force. Push-based MFA on its own remains exposed to MFA bombing, so it should be paired with the device and session controls below.
  2. Enforce Strong Password Policies: Organizations should mandate strong, unique passwords for every account, including service accounts, and prohibit password reuse across platforms.
  3. Principle of Least Privilege: Granting users and service accounts only the minimum permissions their roles require limits the damage a compromised account can do; service accounts deserve particular review, since they are the accounts the actors spray.
  4. Canary Service Accounts: Create service accounts that no legitimate workload ever uses and alert on any authentication attempt against them. Because no benign activity is expected, a hit is a high-confidence early warning of spraying or enumeration.
  5. Short-Lived Sessions: Keep session and token lifetimes short so that a stolen token expires quickly and a compromised session cannot be reused indefinitely.
  6. Restrict Device Enrollment: Configure device enrollment policies so that only authorized, validated devices can register to the cloud tenant, defeating the actors’ practice of enrolling their own device after an initial compromise.
  7. Log Monitoring: Regularly review application and host-based logs for anomalous activity, in particular sign-ins to dormant accounts, any activity on canary accounts, bursts of MFA prompts, and new device registrations, so that a breach is identified early and the response is timely.
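The three behaviours described above (wide-and-shallow password spraying that lands on a stale service account, any touch of a canary account, and a run of MFA push denials followed by an approval and a device registration) all leave a recognisable shape in identity-provider logs. The following is an added example, not code from the advisory or the article, that runs those three heuristics over a constructed sample log. The log format, field values (`sign_in`, `mfa`, `device_register`, `bad_password`, `denied`, `approved`), account names, thresholds and the `LAST_SEEN` directory data are all assumptions; map them onto your own tenant's sign-in and audit schema.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# action: sign_in | mfa | device_register; result: ok | bad_password | denied | approved
# (assumed schema, loosely modelled on cloud identity-provider sign-in / audit logs)
Event = namedtuple("Event", "ts ip user action result")


def parse(line):
    ts, ip, user, action, result = line.split()
    return Event(datetime.fromisoformat(ts), ip, user, action, result)


# Constructed sample log (not real telemetry): one source sprays a guess across many
# accounts and lands on a stale service account; another pushes MFA prompts at frank
# until he approves, then registers a device. grace is an ordinary login.
SAMPLE_LOG = """\
2024-02-26T08:00:01 203.0.113.7 alice@corp.example sign_in bad_password
2024-02-26T08:00:04 203.0.113.7 bob@corp.example sign_in bad_password
2024-02-26T08:00:09 203.0.113.7 carol@corp.example sign_in bad_password
2024-02-26T08:00:13 203.0.113.7 dave@corp.example sign_in bad_password
2024-02-26T08:00:20 203.0.113.7 svc-backup@corp.example sign_in bad_password
2024-02-26T08:00:24 203.0.113.7 svc-canary-etl@corp.example sign_in bad_password
2024-02-26T08:00:27 203.0.113.7 svc-legacy-sync@corp.example sign_in ok
2024-02-26T10:02:00 192.0.2.44 frank@corp.example sign_in ok
2024-02-26T10:02:05 192.0.2.44 frank@corp.example mfa denied
2024-02-26T10:02:40 192.0.2.44 frank@corp.example mfa denied
2024-02-26T10:03:15 192.0.2.44 frank@corp.example mfa denied
2024-02-26T10:03:50 192.0.2.44 frank@corp.example mfa approved
2024-02-26T10:20:00 192.0.2.44 frank@corp.example device_register ok
2024-02-26T11:00:00 192.0.2.10 grace@corp.example sign_in ok
"""

# Constructed directory data: last interactive sign-in per account, plus the canary
# service accounts that no legitimate workload ever uses.
NOW = datetime(2024, 2, 26, 12, 0)
LAST_SEEN = {u: datetime.fromisoformat(d) for u, d in {
    "alice@corp.example": "2024-02-25", "frank@corp.example": "2024-02-26",
    "grace@corp.example": "2024-02-26", "svc-backup@corp.example": "2024-02-26",
    "svc-legacy-sync@corp.example": "2023-09-01",  # ex-employee's, never disabled
}.items()}
CANARY_ACCOUNTS = {"svc-canary-etl@corp.example"}


def password_spray_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """Sources that failed against >= min_accounts distinct accounts inside `window`.
    A spray is wide and shallow: key on accounts per source, not failures per account."""
    fails = defaultdict(list)
    for e in events:
        if e.action == "sign_in" and e.result == "bad_password":
            fails[e.ip].append(e)
    hits = {}
    for ip, evs in fails.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            users = {x.user for x in evs[i:] if x.ts - start.ts <= window}
            if len(users) >= min_accounts:
                hits[ip] = sorted(users)
                break
    return hits


def sensitive_account_activity(events, last_seen, canaries, now,
                               dormant_after=timedelta(days=90)):
    """Any attempt against a canary (even a failure), plus successful sign-ins to
    accounts unknown to the directory or idle longer than `dormant_after`."""
    alerts = []
    for e in events:
        if e.action != "sign_in":
            continue
        if e.user in canaries:
            alerts.append(("canary_touched", e.user, e.ip, e.result))
        elif e.result == "ok" and (e.user not in last_seen
                                   or now - last_seen[e.user] > dormant_after):
            alerts.append(("dormant_account_sign_in", e.user, e.ip, e.result))
    return alerts


def mfa_fatigue_then_enrollment(events, min_denials=3, window=timedelta(hours=1)):
    """Per user: >= min_denials MFA denials, then an approval, then a device
    registration, all within `window` of the first denial."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        denials = [e for e in evs if e.action == "mfa" and e.result == "denied"]
        if len(denials) < min_denials:
            continue
        t0, t_last = denials[0].ts, denials[min_denials - 1].ts
        later = [e for e in evs if t_last < e.ts <= t0 + window]
        approved = [e for e in later if e.action == "mfa" and e.result == "approved"]
        enrolled = [e for e in later if e.action == "device_register"
                    and approved and e.ts > approved[0].ts]
        if enrolled:
            hits.append((user, enrolled[0].ip, t0, enrolled[0].ts))
    return hits


def analyse(log_text):
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    return {
        "password_spray": password_spray_sources(events),
        "sensitive_accounts": sensitive_account_activity(events, LAST_SEEN, CANARY_ACCOUNTS, NOW),
        "mfa_fatigue_enrollment": mfa_fatigue_then_enrollment(events),
    }
```

Running `analyse(SAMPLE_LOG)` flags `203.0.113.7` as a spray source (six distinct accounts in under a minute), reports the canary attempt and the successful sign-in to the 178-day-idle `svc-legacy-sync` account, and ties frank's three denied pushes, the approval and the device registration together as one MFA-fatigue-plus-enrollment sequence. Note what the per-account view would miss: each sprayed account saw a single failure, well under any lockout threshold, which is why the spray heuristic keys on distinct accounts per source rather than failures per account. The source IP is reported for triage only; given the actors' use of residential proxies, it should not be the field an alert depends on.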

The Five Eyes alert underscores the critical importance of proactively addressing these initial access tactics, particularly for organizations that have transitioned to cloud-based infrastructure. By implementing the recommended measures, organizations can significantly bolster their defenses and make it more difficult for APT29 and other malicious actors to exploit their cloud environments. 

News Courtesy: National Security Agency/Central Security Service

 

Author

  • Maya Pillai is a tech writer with 20+ years of experience curating engaging content. She can translate complex ideas into clear, concise information for all audiences.


2 Comments

account binance aperto April 23, 2024 - 12:48 pm

Your article helped me a lot, is there any more related content? Thanks!

Maya Pillai April 24, 2024 - 1:01 pm

You can check that out in the categories. Or, if you are looking for particular content, let me know and I can help you find it.
