Cybersecurity and intelligence agencies from the Five Eyes nations have released a joint advisory detailing the evolving tactics of the Russian state-sponsored threat actor known as APT29 (aka Cozy Bear or Midnight Blizzard).
Previously attributed to the supply chain compromise of SolarWinds software, the cyber espionage group has attracted attention in recent months for targeting Microsoft, Hewlett Packard Enterprise (HPE), and other organizations in pursuit of its strategic objectives.
APT29 is shifting its targeting toward cloud services. "As organizations continue to modernize their systems and move to cloud-based infrastructure, the group has adapted to these changes in the operating environment," according to the security bulletin.
APT29 also steals cloud-based authentication tokens, which let it access accounts without supplying a password. And it uses a technique called MFA bombing (also known as prompt bombing), in which attackers push multifactor authentication approval requests to a victim's device over and over until the victim approves one out of carelessness or exasperation, defeating the second factor without ever compromising it.
Once inside, APT29 may establish persistence by enrolling its own devices onto the network. It also camouflages its activity by routing traffic through residential proxies, so that connections exit from residential networks and IP addresses that are far less likely to raise the suspicions of system administrators than traffic from hosting providers or known-bad ranges.
The advisory lists these tactics:
Gaining access to cloud infrastructure through service accounts, which often cannot be protected with MFA, and dormant accounts, by means of brute-force and password-spraying attacks, a shift away from exploiting software vulnerabilities in on-premises networks.
Using stolen tokens to access victims' accounts without needing a password.
Leveraging password spraying and credential reuse to seize control of personal accounts, using prompt bombing to bypass multi-factor authentication (MFA) requirements, and then registering their own device to gain access to the network.
Making it harder to distinguish malicious connections from typical users by routing traffic through residential proxies, so that it appears to originate from a local ISP.
Recommendations:
The advisory also lists a number of mitigation and detection measures:
Require 2FA or MFA for account access.
Use strong, unique passwords, and disable accounts that are no longer active.
Restrict each user's access to just the applications and files needed to perform their duties (least privilege).
Create early-warning accounts known as 'canary accounts', which look legitimate but are never used for any purpose, so that any logon attempt against one signals an unauthorized user.
Make short session lifetimes standard practice to reduce the window of opportunity available to threat actors.
Allow only authorized devices to enroll in the organization, and regularly remove stale device registrations.
Use a wide range of information sources to identify intrusions rather than relying on a single one; for example, watch for user-agent string changes alongside suspicious IP connections, since residential proxies make source IP alone an unreliable signal.
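The detection advice above (password spraying against many accounts, prompt bombing, canary accounts, and correlating more than one signal instead of trusting source IP) can be turned into concrete checks. The following Python script is an added example written for this post, not code from the advisory, from The Hacker News, or from CyberForce|Q. It runs over a handful of constructed sign-in events in a simplified JSON-lines schema; the field names (`ts`, `user`, `ip`, `ua`, `result`), the result values, the account names and the canary account `finance-audit` are all assumptions for the example, not any vendor's log format. Thresholds and time windows are parameters so they can be tuned to real volumes.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events for this example (not real logs). The
# schema is simplified and assumed, not any vendor's format: ts, user, ip,
# ua, result; result is success, failure, mfa_denied or mfa_timeout.
SAMPLE_LOG = """
{"ts":"2024-02-27T07:30:00Z","user":"jdoe","ip":"192.0.2.12","ua":"Mozilla/5.0 (Windows NT 10.0) Edge/121","result":"success"}
{"ts":"2024-02-27T08:00:05Z","user":"svc-backup","ip":"198.51.100.7","ua":"python-requests/2.31","result":"failure"}
{"ts":"2024-02-27T08:00:09Z","user":"svc-legacy","ip":"198.51.100.7","ua":"python-requests/2.31","result":"failure"}
{"ts":"2024-02-27T08:00:14Z","user":"jdoe","ip":"198.51.100.7","ua":"python-requests/2.31","result":"failure"}
{"ts":"2024-02-27T08:00:20Z","user":"asmith","ip":"198.51.100.7","ua":"python-requests/2.31","result":"failure"}
{"ts":"2024-02-27T08:00:27Z","user":"finance-audit","ip":"198.51.100.7","ua":"python-requests/2.31","result":"failure"}
{"ts":"2024-02-27T08:01:02Z","user":"jdoe","ip":"203.0.113.10","ua":"Mozilla/5.0 (X11; Linux x86_64) Firefox/122","result":"mfa_denied"}
{"ts":"2024-02-27T08:01:40Z","user":"jdoe","ip":"203.0.113.10","ua":"Mozilla/5.0 (X11; Linux x86_64) Firefox/122","result":"mfa_timeout"}
{"ts":"2024-02-27T08:02:15Z","user":"jdoe","ip":"203.0.113.10","ua":"Mozilla/5.0 (X11; Linux x86_64) Firefox/122","result":"mfa_denied"}
{"ts":"2024-02-27T08:03:01Z","user":"jdoe","ip":"203.0.113.10","ua":"Mozilla/5.0 (X11; Linux x86_64) Firefox/122","result":"success"}
{"ts":"2024-02-27T09:15:00Z","user":"asmith","ip":"192.0.2.44","ua":"Mozilla/5.0 (Macintosh) Safari/17","result":"success"}
{"ts":"2024-02-27T09:40:00Z","user":"asmith","ip":"192.0.2.44","ua":"Mozilla/5.0 (Macintosh) Safari/17","result":"success"}
"""

CANARY_ACCOUNTS = {"finance-audit"}  # assumed canary account name for the sample


def parse_events(text):
    """Parse JSON-lines events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, min_accounts=5, window_min=10):
    """Source IPs whose failures touch >= min_accounts distinct accounts
    within any window_min-minute window: {ip: distinct accounts hit}."""
    window = timedelta(minutes=window_min)
    by_ip = defaultdict(list)
    for ev in events:
        if ev["result"] == "failure":
            by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, fails in by_ip.items():
        best = 0
        for i, start in enumerate(fails):  # fails is already time-ordered
            in_window = {e["user"] for e in fails[i:] if e["ts"] - start["ts"] <= window}
            best = max(best, len(in_window))
        if best >= min_accounts:
            flagged[ip] = best
    return flagged


def detect_mfa_fatigue(events, min_prompts=3, window_min=10):
    """Successes preceded by >= min_prompts denied or timed-out MFA prompts
    for the same user within window_min minutes: [(user, ip, prompts)]."""
    window = timedelta(minutes=window_min)
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    hits = []
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if ev["result"] != "success":
                continue
            prompts = [e for e in evs[:i]
                       if e["result"] in ("mfa_denied", "mfa_timeout")
                       and ev["ts"] - e["ts"] <= window]
            if len(prompts) >= min_prompts:
                hits.append((user, ev["ip"], len(prompts)))
    return hits


def detect_canary_use(events, canaries):
    """Any attempt against a canary account, successful or not, is an alert."""
    return sorted({ev["user"] for ev in events if ev["user"] in canaries})


def detect_ua_change(events):
    """Successful sign-ins whose user agent differs from the same user's previous
    success: [(user, previous_ua, new_ua, ip)]. Independent of source IP."""
    last_ua = {}
    hits = []
    for ev in events:
        if ev["result"] != "success":
            continue
        prev = last_ua.get(ev["user"])
        if prev is not None and prev != ev["ua"]:
            hits.append((ev["user"], prev, ev["ua"], ev["ip"]))
        last_ua[ev["user"]] = ev["ua"]
    return hits


def run_all(text, canaries=CANARY_ACCOUNTS):
    """Run every detector over one log and return the findings by name."""
    events = parse_events(text)
    return {
        "password_spray": detect_password_spray(events),
        "mfa_fatigue": detect_mfa_fatigue(events),
        "canary_use": detect_canary_use(events, canaries),
        "ua_change": detect_ua_change(events),
    }


if __name__ == "__main__":
    for name, finding in run_all(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

On the sample data the spray detector flags 198.51.100.7 for failing against five accounts in under a minute, the fatigue detector flags jdoe's success at 08:03 after three rejected or expired prompts, the canary check fires because the spray touched finance-audit, and the user-agent check flags the same jdoe session because it arrived on a different browser than the user's earlier logon. In production the fatigue and user-agent signals are the ones worth correlating: a spray that hits a canary is an early warning, but a prompt-bombed success from a new device is the event that precedes device registration and persistence.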
Reference
The Hacker News. (2024, February 27). Five Eyes Agencies Expose APT29's Evolving Cloud Attack Tactics. http://thehackernews.com/2024/02/five-eyes-agencies-expose-apt29s.html
How can CyberForce|Q services help you address this risk?
Incident response is time-critical, and CyberForce|Q can assist with a potential incident in your environment. Our experienced Incident Response Team can be deployed 24x7x365; reach out to solutions@cyberforceq.com.
Learn more about CyberForce|Q.