The United States government and several of its allies are warning organizations about new and evolving tactics being used by APT29, one of the more mature and active threat groups, to target cloud services and gain access to sensitive data.
APT29, also known widely as Cozy Bear, is a group associated with the Russian SVR intelligence service and is responsible for the SolarWinds supply chain attack in 2020, among other high-profile intrusions. The group is well-resourced and mature in its capabilities and tactics, and in the new advisory, the Cybersecurity and Infrastructure Security Agency and some of its foreign partner agencies said APT29 is adapting its techniques to target cloud providers and using a variety of methods to gain initial access. APT29 has targeted government agencies, energy companies, health care organizations, and policy groups in the past, but is now also going after military, aviation, and education targets.
“As organizations continue to modernize their systems and move to cloud-based infrastructure, the SVR has adapted to these changes in the operating environment. They have to move beyond their traditional means of initial access, such as exploiting software vulnerabilities in an on-premises network, and instead target the cloud services themselves,” the advisory says.
“To access the majority of the victims’ cloud hosted network, actors must first successfully authenticate to the cloud provider. Denying initial access to the cloud environment can prohibit SVR from successfully compromising their target. In contrast, in an on-premises system, more of the network is typically exposed to threat actors.”
Historically, APT29 has targeted exposed network devices for initial access, compromising servers, VPN devices, and endpoints through various means. As organizations have moved much of their infrastructure and data to the cloud, attackers have had to adapt their techniques and targeting. APT29 in particular has begun using common techniques such as password spraying and brute forcing to gain access to service accounts and unused accounts on cloud platforms. Service accounts are particularly attractive targets: they are used to manage apps and services on cloud platforms, and they typically are not protected by MFA because no individual human user is behind them.
“Service accounts are often also highly privileged depending on which applications and services they’re responsible for managing. Gaining access to these accounts provides threat actors with privileged initial access to a network, to launch further operations,” the advisory says.
“SVR campaigns have also targeted dormant accounts belonging to users who no longer work at a victim organization but whose accounts remain on the system.”
In addition, SVR attackers have combined password spraying with MFA fatigue attacks (repeatedly triggering push notifications to a user whose password is already known, until one is approved) in order to gain access to individual accounts on cloud platforms. Cybercrime groups commonly use this technique to target high-value people inside an organization.
“Once an actor has bypassed these systems to gain access to the cloud environment, SVR actors have been observed registering their own device as a new device on the cloud tenant. If device validation rules are not set up, SVR actors can successfully register their own device and gain access to the network,” the advisory says.
Common best practices such as implementing MFA wherever possible, applying the principle of least privilege to service accounts, disabling dormant accounts, and enforcing device validation rules can help organizations defend against these tactics.
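The three account-level signals the advisory describes (password spraying across many service and user accounts, MFA fatigue against a single user, and dormant accounts that were never disabled) can each be checked from sign-in logs. The Python below is an added example written for this page, not code from the advisory or from any cloud provider; the event field names and the thresholds are assumptions, and the sign-in records and directory export are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not from the advisory). The field names are
# an assumption modelled on a typical cloud identity provider's sign-in log.
SIGNIN_EVENTS = [
    # Password spray from one address: many accounts, one attempt each.
    {"ts": "2024-02-26T09:00:01", "user": "svc-backup",  "ip": "203.0.113.7", "result": "failure", "mfa_prompt": False},
    {"ts": "2024-02-26T09:00:09", "user": "svc-deploy",  "ip": "203.0.113.7", "result": "failure", "mfa_prompt": False},
    {"ts": "2024-02-26T09:00:17", "user": "svc-monitor", "ip": "203.0.113.7", "result": "failure", "mfa_prompt": False},
    {"ts": "2024-02-26T09:00:25", "user": "jdoe",        "ip": "203.0.113.7", "result": "failure", "mfa_prompt": False},
    {"ts": "2024-02-26T09:00:33", "user": "asmith",      "ip": "203.0.113.7", "result": "failure", "mfa_prompt": False},
    {"ts": "2024-02-26T09:00:41", "user": "svc-etl",     "ip": "203.0.113.7", "result": "success", "mfa_prompt": False},
    # Ordinary user mistyping a password once from a corporate address.
    {"ts": "2024-02-26T09:05:00", "user": "bwong",       "ip": "198.51.100.4", "result": "failure", "mfa_prompt": False},
    {"ts": "2024-02-26T09:05:30", "user": "bwong",       "ip": "198.51.100.4", "result": "success", "mfa_prompt": True},
    # MFA fatigue: repeated push prompts to one user in a short span, last one approved.
    {"ts": "2024-02-26T10:00:00", "user": "cfo",         "ip": "203.0.113.9", "result": "failure", "mfa_prompt": True},
    {"ts": "2024-02-26T10:00:40", "user": "cfo",         "ip": "203.0.113.9", "result": "failure", "mfa_prompt": True},
    {"ts": "2024-02-26T10:01:20", "user": "cfo",         "ip": "203.0.113.9", "result": "failure", "mfa_prompt": True},
    {"ts": "2024-02-26T10:02:00", "user": "cfo",         "ip": "203.0.113.9", "result": "failure", "mfa_prompt": True},
    {"ts": "2024-02-26T10:02:40", "user": "cfo",         "ip": "203.0.113.9", "result": "success", "mfa_prompt": True},
]

# Constructed directory export: account -> last interactive sign-in (None = never).
LAST_SIGNIN = {
    "jdoe": "2024-02-20T08:00:00",
    "bgone": "2023-10-01T12:00:00",   # former employee whose account was never disabled
    "svc-legacy": None,               # provisioned long ago, never used
}

_parse = datetime.fromisoformat


def detect_password_spray(events, window_minutes=10, min_accounts=5):
    """Flag source IPs that tried at least min_accounts distinct accounts within
    one window. A spray uses few passwords against many accounts, so the signal
    is breadth of accounts per source, not failures per account. Returns
    {ip: {"accounts": [...], "succeeded": [...]}}."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append((_parse(ev["ts"]), ev["user"], ev["result"]))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for end_ts, _, _ in attempts:
            in_window = [a for a in attempts if end_ts - window < a[0] <= end_ts]
            accounts = {a[1] for a in in_window}
            if len(accounts) >= min_accounts:
                entry = flagged.setdefault(ip, {"accounts": set(), "succeeded": set()})
                entry["accounts"] |= accounts
                entry["succeeded"] |= {a[1] for a in in_window if a[2] == "success"}
    return {ip: {"accounts": sorted(e["accounts"]), "succeeded": sorted(e["succeeded"])}
            for ip, e in flagged.items()}


def detect_mfa_fatigue(events, window_minutes=5, min_prompts=4):
    """Flag users who received at least min_prompts MFA prompts inside one
    window (a burst of pushes the user did not initiate). Returns
    {user: most prompts seen in any single window}."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ev in events:
        if ev["mfa_prompt"]:
            by_user[ev["user"]].append(_parse(ev["ts"]))
    flagged = {}
    for user, stamps in by_user.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= min_prompts:
            flagged[user] = best
    return flagged


def find_dormant_accounts(last_signin, now_iso, max_idle_days=90):
    """Return accounts with no sign-in in max_idle_days (or none ever); these
    are candidates to disable before an attacker sprays them."""
    cutoff = _parse(now_iso) - timedelta(days=max_idle_days)
    return sorted(acct for acct, ts in last_signin.items()
                  if ts is None or _parse(ts) < cutoff)


if __name__ == "__main__":
    print("password spray sources:", detect_password_spray(SIGNIN_EVENTS))
    print("MFA fatigue targets:", detect_mfa_fatigue(SIGNIN_EVENTS))
    print("dormant accounts:", find_dormant_accounts(LAST_SIGNIN, "2024-02-26T12:00:00"))
```

The spray check reports not only the source but which accounts it reached and which attempt succeeded, since a successful sign-in inside a spray burst (here a service account without MFA) is the event that needs a password reset and session revocation, not just a block on the IP.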