The Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about a threat group linked to the Russian Foreign Intelligence Services targeting cloud services to infiltrate organizations in sectors such as government, healthcare, and education. Working in conjunction with the U.K.’s National Cyber Security Centre (NCSC), CISA detailed recent activities of the advanced persistent threat (APT) group known as APT29, which was behind the SolarWinds breach in 2020.
According to the joint advisory released on Monday, APT29, also referred to as Cozy Bear and Midnight Blizzard, has been adapting its tactics to target organizations transitioning from on-premises to cloud-based infrastructures. The group’s tactics include brute-force attacks and account manipulation, which have proven successful in gaining initial access to victim organizations. This evolution in techniques has prompted government agencies to issue a warning to enterprises to remain vigilant.
APT29 has been using techniques such as password spraying and brute-force attacks to steal credentials for cloud service accounts, including dormant accounts of former employees. Despite warnings to remove inactive accounts because of the security risk they pose, attackers have managed to compromise these accounts and use them to regain access after an organization's incident response has evicted them.
The group has been targeting service accounts for initial access because these accounts often lack adequate security controls while offering elevated access. Service accounts, which are typically used to manage applications and services, do not have the same protection as user accounts with multifactor authentication (MFA). APT29 has been exploiting these weaker protections to gain unauthorized access.
To bypass MFA, APT29 has utilized a technique called “MFA bombing,” in which a user’s device is flooded with authentication prompts until the user eventually accepts one. This allows attackers to register their own device as a new device on the cloud tenant, granting them network access. Additionally, the group has used cloud-based authentication tokens to access victim accounts without needing a password, highlighting the need for stricter validity time settings for such tokens.
In response to these evolving tactics, cybersecurity experts recommend using digital certificates tied to devices to authenticate machines rather than usernames and passwords. Furthermore, APT29 has employed residential proxies to evade detection by organizations with improved security measures, making it challenging to distinguish between malicious and legitimate activity.
The advisory from CISA emphasizes the importance of implementing standard mitigations to secure service accounts and prevent APT29 from gaining initial access. These measures include enabling MFA, limiting access through the principle of least privilege, reducing session lifetimes to prevent token theft, and creating canary service accounts to monitor for any suspicious activity.
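The tactics described above (password spraying, sign-ins to dormant accounts, MFA bombing) and the canary-account mitigation all leave traces in sign-in logs. The following added example, written for this article and not taken from the advisory, runs four simple detections over a constructed set of sign-in events; the event format, account names, IP addresses and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events, not taken from the advisory:
# (timestamp, account, source IP, auth result, MFA outcome or None).
EVENTS = [
    ("2024-02-26T09:00:01", "bob",           "203.0.113.7",  "FAIL",    None),
    ("2024-02-26T09:00:02", "carol",         "203.0.113.7",  "FAIL",    None),
    ("2024-02-26T09:00:03", "dave",          "203.0.113.7",  "FAIL",    None),
    ("2024-02-26T09:00:04", "svc-backup",    "203.0.113.7",  "FAIL",    None),
    ("2024-02-26T09:00:05", "svc-report",    "203.0.113.7",  "FAIL",    None),
    ("2024-02-26T09:00:06", "jsmith-former", "203.0.113.7",  "SUCCESS", None),
    ("2024-02-26T09:01:05", "alice",         "198.51.100.3", "SUCCESS", "approved"),
    ("2024-02-26T09:10:00", "frank",         "203.0.113.9",  "MFA",     "denied"),
    ("2024-02-26T09:11:00", "frank",         "203.0.113.9",  "MFA",     "denied"),
    ("2024-02-26T09:12:00", "frank",         "203.0.113.9",  "MFA",     "denied"),
    ("2024-02-26T09:13:00", "frank",         "203.0.113.9",  "SUCCESS", "approved"),
    ("2024-02-26T09:20:00", "svc-canary",    "203.0.113.9",  "FAIL",    None),
]
DORMANT = {"jsmith-former"}   # accounts of departed staff that should never sign in
CANARIES = {"svc-canary"}     # decoy service accounts nobody legitimately uses

def password_spray_sources(events, min_accounts=5):
    """Source IPs that failed against at least min_accounts distinct accounts."""
    failed = defaultdict(set)
    for _, user, ip, result, _ in events:
        if result == "FAIL":
            failed[ip].add(user)
    return sorted(ip for ip, users in failed.items() if len(users) >= min_accounts)

def dormant_account_logins(events, dormant=DORMANT):
    """Successful sign-ins to accounts that should have been disabled."""
    return [(ts, u, ip) for ts, u, ip, result, _ in events
            if result == "SUCCESS" and u in dormant]

def mfa_fatigue_victims(events, min_denied=3, window=timedelta(minutes=10)):
    """Accounts that rejected >= min_denied prompts and then approved one within the window."""
    denied = defaultdict(list)
    victims = []
    for ts, user, _, _, mfa in events:
        t = datetime.fromisoformat(ts)
        if mfa == "denied":
            denied[user].append(t)
        elif mfa == "approved":
            recent = [d for d in denied[user] if t - d <= window]
            if len(recent) >= min_denied and user not in victims:
                victims.append(user)
    return victims

def canary_touches(events, canaries=CANARIES):
    """Any authentication attempt, successful or not, against a canary account."""
    return [(ts, u, ip) for ts, u, ip, _, _ in events if u in canaries]
```

A single failed attempt against a canary account is enough to alert on, because no legitimate process should ever use it.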
The advisory serves as a crucial reminder for organizations to stay vigilant and continuously update their security measures to protect against evolving cyber threats from sophisticated threat groups like APT29. With the rise of cloud-based services, securing access points and implementing robust security protocols are essential to safeguard sensitive data and prevent unauthorized access.
