Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Russian Cyberspies Targeting Cloud Infrastructure via Dormant Accounts

US government and allies expose TTPs used by notorious Russian hacking teams and warn of the targeting of dormant cloud accounts.

Microsoft Hit by Nation State Actor Midnight Blizzard

As organizations are moving to cloud-based infrastructure, Russian cyberespionage threat actors are adapting and have switched to targeting cloud services, according to a fresh warning from government agencies in the Five Eyes countries.

Cybersecurity and law enforcement agencies in the US, Canada, UK, Australia and New Zealand issued a joint alert calling urgent attention to recent tactics, techniques, and procedures (TTPs) associated with APT29/Cozy Bear/Midnight Blizzard, a notorious hacking group linked to the Russia’s intelligence services (SVR).

Instead of exploiting software vulnerabilities to hack on-premises infrastructure, SVR actors have been observed launching brute-force and password spraying attacks to compromise service accounts, as well as targeting the dormant accounts of former employees to access the target organization’s environment.

Furthermore, the notorious APT group was observed using tokens to access victim accounts and bypassing multi-factor authentication (MFA) using a technique known as ‘MFA bombing’ or ‘MFA fatigue’.

Following initial access, the attackers typically register their own devices to the victim’s network and would deploy sophisticated post-compromise tools.

Additionally, the hackers were seen relying on residential proxies to hide their malicious activity by making the traffic appear to originate from the IP addresses of residential broadband customers.

To mitigate the risk of compromise, organizations are advised to implement MFA, use strong, unique passwords for each account, implement the principle of least privilege, create canary service accounts and monitor them, ensure sessions have short lifetime, configure device enrollment policies to only permit authorized devices, and to use application events and host-based logs to detect malicious behavior.

“For organizations that have moved to cloud infrastructure, a first line of defense against an actor such as SVR should be to protect against SVR’s TTPs for initial access. Mitigating against the SVR’s initial access vectors is particularly important for network defenders,” the alert said.

Advertisement. Scroll to continue reading.

Related: Russian Turla Cyberspies Target Polish NGOs With New Backdoor

Related: Russian Cyberspies Exploit Roundcube Flaws Against European Governments

Related: FBI Dismantles Ubiquiti Router Botnet Controlled by Russian Cyberspies

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

More People On The Move

Expert Insights

Related Content

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Cyberwarfare

Ask any three people to define cyberwar and you will get three different answers. But as global geopolitics worsen and aggressive cyberattacks increase, this...