As organizations are moving to cloud-based infrastructure, Russian cyberespionage threat actors are adapting and have switched to targeting cloud services, according to a fresh warning from government agencies in the Five Eyes countries.
Cybersecurity and law enforcement agencies in the US, Canada, UK, Australia and New Zealand issued a joint alert calling urgent attention to recent tactics, techniques, and procedures (TTPs) associated with APT29/Cozy Bear/Midnight Blizzard, a notorious hacking group linked to the Russia’s intelligence services (SVR).
Instead of exploiting software vulnerabilities to hack on-premises infrastructure, SVR actors have been observed launching brute-force and password spraying attacks to compromise service accounts, as well as targeting the dormant accounts of former employees to access the target organization’s environment.
Furthermore, the notorious APT group was observed using tokens to access victim accounts and bypassing multi-factor authentication (MFA) using a technique known as ‘MFA bombing’ or ‘MFA fatigue’.
Following initial access, the attackers typically register their own devices to the victim’s network and would deploy sophisticated post-compromise tools.
Additionally, the hackers were seen relying on residential proxies to hide their malicious activity by making the traffic appear to originate from the IP addresses of residential broadband customers.
To mitigate the risk of compromise, organizations are advised to implement MFA, use strong, unique passwords for each account, implement the principle of least privilege, create canary service accounts and monitor them, ensure sessions have short lifetime, configure device enrollment policies to only permit authorized devices, and to use application events and host-based logs to detect malicious behavior.
“For organizations that have moved to cloud infrastructure, a first line of defense against an actor such as SVR should be to protect against SVR’s TTPs for initial access. Mitigating against the SVR’s initial access vectors is particularly important for network defenders,” the alert said.
Related: Russian Turla Cyberspies Target Polish NGOs With New Backdoor
Related: Russian Cyberspies Exploit Roundcube Flaws Against European Governments
Related: FBI Dismantles Ubiquiti Router Botnet Controlled by Russian Cyberspies