I thought that I would update on how cyber actors (in this case SVR cyber actors) are adapting their tactics as governments and businesses make the move to cloud infrastructure.
This update focuses on the recent tactics, techniques and procedures (TTPs) of the group commonly known as APT29, also known as Midnight Blizzard, the Dukes or Cozy Bear.
The NCSC (New Zealand National Cyber Security Centre) and its partners have previously detailed how SVR actors have targeted government, think tank, healthcare and energy targets for intelligence gain. It has now observed SVR actors expanding their targeting to include aviation, education, law enforcement, local government departments and military organisations.
Evolving TTPs
As organisations continue to modernise their systems and move to cloud-based infrastructure, the SVR has adapted to these changes in the operating environment.
They have had to move beyond their traditional means of initial access, such as exploiting software vulnerabilities in an on-premises network, and instead target the cloud services themselves.
To access the majority of a victim’s cloud-hosted network, actors must first successfully authenticate to the cloud provider. Denying initial access to the cloud environment can therefore prevent the SVR from successfully compromising their target. In contrast, in an on-premises system, more of the network is typically exposed to threat actors.
Access via service and dormant accounts
Previous SVR campaigns have revealed that the actors have successfully used brute forcing and password spraying to access service accounts. This type of account is typically used to run and manage applications and services. There is no human user behind them, so they cannot be easily protected with multi-factor authentication (MFA), making these accounts more susceptible to compromise. Service accounts are often also highly privileged, depending on which applications and services they are responsible for managing. Gaining access to these accounts provides threat actors with privileged initial access to a network from which to launch further operations.
SVR campaigns have also targeted dormant accounts belonging to users who no longer work at a victim organisation but whose accounts remain on the system.
Following an enforced password reset for all users during an incident, SVR actors have also been observed logging into inactive accounts and following instructions to reset the password. This has allowed the actor to regain access following incident response eviction activities.
Enrolling new devices to the cloud
On multiple occasions, the SVR has successfully bypassed password authentication on personal accounts using password spraying and credential reuse. SVR actors have also then bypassed MFA through a technique known as ‘MFA bombing’ or ‘MFA fatigue’, in which the actors repeatedly push MFA requests to a victim’s device until the victim accepts the notification.
Once an actor has bypassed these systems to gain access to the cloud environment, SVR actors have been observed registering their own device as a new device on the cloud tenant. If device validation rules are not set up, SVR actors can successfully register their own device and gain access to the network.
Where organisations have configured device enrolment policies, there have been instances in which these measures defended against SVR actors and denied them access to the cloud tenant.
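As an added illustration of the detection side of two of the initial-access TTPs described above (password spraying against service accounts, and MFA bombing), and not code from the original post or from the NCSC advisory, the following Python runs two simple detections over a constructed set of sign-in events. The field names, thresholds and sample values are assumptions, not any provider's real log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not from the original post); field names are assumptions.
EVENTS = [
    {"ts": "2024-01-20T02:00:01", "user": "svc-backup", "src": "203.0.113.7", "result": "FAIL_PASSWORD", "mfa": None},
    {"ts": "2024-01-20T02:00:09", "user": "svc-monitor", "src": "203.0.113.7", "result": "FAIL_PASSWORD", "mfa": None},
    {"ts": "2024-01-20T02:00:17", "user": "j.smith", "src": "203.0.113.7", "result": "FAIL_PASSWORD", "mfa": None},
    {"ts": "2024-01-20T08:10:00", "user": "a.jones", "src": "198.51.100.4", "result": "MFA_REQUIRED", "mfa": "PUSH_TIMEOUT"},
    {"ts": "2024-01-20T08:11:00", "user": "a.jones", "src": "198.51.100.4", "result": "MFA_REQUIRED", "mfa": "PUSH_DENIED"},
    {"ts": "2024-01-20T08:12:00", "user": "a.jones", "src": "198.51.100.4", "result": "MFA_REQUIRED", "mfa": "PUSH_TIMEOUT"},
    {"ts": "2024-01-20T08:12:40", "user": "a.jones", "src": "198.51.100.4", "result": "SUCCESS", "mfa": "PUSH_ACCEPTED"},
    {"ts": "2024-01-20T09:00:00", "user": "b.lee", "src": "192.0.2.10", "result": "SUCCESS", "mfa": "PUSH_ACCEPTED"},
]

SPRAY_WINDOW, SPRAY_MIN_ACCOUNTS = timedelta(minutes=10), 3    # thresholds are illustrative
FATIGUE_WINDOW, FATIGUE_MIN_PUSHES = timedelta(minutes=5), 3

def parse(events):  # parse timestamps and return the events in chronological order
    return sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events), key=lambda e: e["ts"])

def detect_password_spray(events):
    """Flag a source failing passwords against many distinct accounts in one window: {src: [accounts]}."""
    by_src = defaultdict(list)
    for e in parse(events):
        if e["result"] == "FAIL_PASSWORD":
            by_src[e["src"]].append(e)
    hits = {}
    for src, fails in by_src.items():
        for i, first in enumerate(fails):  # slide a window starting at each failure
            tried = {f["user"] for f in fails[i:] if f["ts"] - first["ts"] <= SPRAY_WINDOW}
            if len(tried) >= SPRAY_MIN_ACCOUNTS:
                hits[src] = sorted(tried)
                break
    return hits

def detect_mfa_fatigue(events):
    """Flag a user who got a burst of MFA pushes ending in an accept: [(user, src, pushes_in_burst)]."""
    by_user = defaultdict(list)
    for e in parse(events):
        if e["mfa"] in ("PUSH_DENIED", "PUSH_TIMEOUT", "PUSH_ACCEPTED"):
            by_user[e["user"]].append(e)
    hits = []
    for user, pushes in by_user.items():
        for i, p in enumerate(pushes):
            if p["mfa"] == "PUSH_ACCEPTED":  # count the challenges that preceded this accept
                burst = [q for q in pushes[:i] if p["ts"] - q["ts"] <= FATIGUE_WINDOW]
                if len(burst) + 1 >= FATIGUE_MIN_PUSHES:
                    hits.append((user, p["src"], len(burst) + 1))
    return hits
```

A single accepted push with no preceding challenges (b.lee) is not flagged, which is the distinction between an ordinary sign-in and a fatigue burst.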
Conclusion
For organisations that have moved to cloud infrastructure, the first line of defence against an actor such as SVR should be to protect against SVR’s TTPs for initial access.
Once the SVR gains initial access, the actor is capable of deploying highly sophisticated post-compromise capabilities such as MagicWeb, as reported in 2022. Therefore, mitigating against the SVR’s initial access vectors is particularly important for network defenders.
Of particular note, on January 24 2024, Microsoft experienced exactly the issue described above: the SVR used a password spray attack to compromise a legacy non-production test tenant account to gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft’s corporate email accounts. Microsoft has further noted that Microsoft Threat Intelligence identified that the same actor has been targeting other organisations with quite some success.
SecureSphere can help businesses mitigate and detect against the activity described above, so feel free to contact us for an initial discussion.