Cloud Security | Risk Management & Reporting

April 10, 2024

As predicted in early 2024, another joint advisory was recently released by the Five Eyes intelligence and cyber security community. This time the advice concerns governments and corporations moving to cloud infrastructure, and a hacking group that has adapted previously successful tactics, techniques and procedures (TTPs) to target cloud-based infrastructure. Unsurprisingly, the market is all about supply and demand: as businesses and governments move to deliver IT services via the cloud, attackers are seeking ways to infiltrate those systems and steal data.

The full advisory, "SVR cyber actors adapt tactics for initial cloud access", can be found here.

The group involved, APT29 (also known as Midnight Blizzard, the Dukes or Cozy Bear), is not new to this sort of thing. The advisory attributes the group to the SVR, Russia's Foreign Intelligence Service, which has form:

  • Targeting COVID-19 vaccine research and development organisations and their data in 2020; and
  • More famously, compromising the software supply chain of the vendor SolarWinds by trojanising updates to its Orion platform, and through those updates compromising many of SolarWinds' customers.

The rapid adoption of cloud-based IT services means attackers have recognised that identifying and exploiting vulnerabilities in on-premises networks and systems is not the only way to reach your valuable information and IP. Finding a way around cloud security controls and configurations can be just as profitable.

Previously this group used brute force and password spraying to access service accounts. Service accounts tend to be highly privileged because of the services they manage, and because they typically have no human user they are often not protected by multi-factor authentication (MFA), which makes them easier to compromise. Once an actor holds such an account it can be used to initiate further operations. SVR actors have also sought out dormant accounts belonging to users who have left an organisation but whose accounts were never removed; in some cases, after a victim enforced a password reset for all users during incident response, the actors logged into those inactive accounts and simply followed the reset instructions, regaining the access the reset was meant to revoke.

In cloud-based systems, SVR actors have been observed using password spraying and credential reuse, and also stolen system-issued access tokens, which grant entry to cloud applications without any need for a password. To get past MFA they have bombarded users with push notifications ("MFA bombing") until a worn-down user finally approves one. Once inside the cloud environment, SVR actors have registered their own devices with the tenant and enrolled their own MFA tokens.
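The three patterns described above (password spraying across many accounts from one source, MFA bombing, and device or MFA-method enrolment straight after a suspicious sign-in) are all visible in cloud sign-in and audit logs if you look for them. The following Python is an added example written for this post, not code from the advisory or from any cloud vendor. The event field names and the sample records are constructed to resemble a generic cloud sign-in log, and the thresholds (five accounts in thirty minutes, three denied pushes before an approval, seven days of history before an IP counts as "known") are illustrative assumptions to be tuned per tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records for a hypothetical tenant (not real logs). Field names are an
# assumption loosely modelled on cloud sign-in / audit logs; map your provider's schema onto them.
# IPs come from the documentation ranges (198.51.100.0/24 corporate, 203.0.113.0/24 external).
EVENTS = [
    # Established history: staff signing in from the corporate egress IP weeks earlier.
    {"ts": "2024-03-01T09:00:00", "user": "f.ng",   "ip": "198.51.100.20", "event": "password_ok"},
    {"ts": "2024-03-01T09:05:00", "user": "g.hall", "ip": "198.51.100.20", "event": "password_ok"},
    {"ts": "2024-03-02T08:58:00", "user": "e.park", "ip": "198.51.100.20", "event": "password_ok"},
    # Password spray: one external IP, many accounts, one failed password each, inside minutes.
    {"ts": "2024-03-20T02:00:00", "user": "svc-backup",    "ip": "203.0.113.7", "event": "password_failed"},
    {"ts": "2024-03-20T02:01:00", "user": "svc-reporting", "ip": "203.0.113.7", "event": "password_failed"},
    {"ts": "2024-03-20T02:02:00", "user": "a.jones",       "ip": "203.0.113.7", "event": "password_failed"},
    {"ts": "2024-03-20T02:03:00", "user": "b.smith",       "ip": "203.0.113.7", "event": "password_failed"},
    {"ts": "2024-03-20T02:04:00", "user": "c.lee",         "ip": "203.0.113.7", "event": "password_failed"},
    {"ts": "2024-03-20T02:05:00", "user": "f.ng",          "ip": "203.0.113.7", "event": "password_ok"},  # MFA pending
    # MFA bombing: the spray found f.ng's password; pushes are denied, then one is approved.
    {"ts": "2024-03-20T02:05:05", "user": "f.ng", "ip": "203.0.113.7", "event": "mfa_prompt", "result": "denied"},
    {"ts": "2024-03-20T02:06:10", "user": "f.ng", "ip": "203.0.113.7", "event": "mfa_prompt", "result": "denied"},
    {"ts": "2024-03-20T02:07:30", "user": "f.ng", "ip": "203.0.113.7", "event": "mfa_prompt", "result": "denied"},
    {"ts": "2024-03-20T02:09:00", "user": "f.ng", "ip": "203.0.113.7", "event": "mfa_prompt", "result": "denied"},
    {"ts": "2024-03-20T02:11:00", "user": "f.ng", "ip": "203.0.113.7", "event": "mfa_prompt", "result": "approved"},
    # Persistence: the intruder enrols a device and a new MFA method from the same external IP.
    {"ts": "2024-03-20T02:15:00", "user": "f.ng", "ip": "203.0.113.7", "event": "device_registered"},
    {"ts": "2024-03-20T02:16:00", "user": "f.ng", "ip": "203.0.113.7", "event": "mfa_method_added"},
    # Benign noise: one user mistypes a password twice, and g.hall enrols a replacement laptop
    # from the IP she has used for weeks. Neither should fire.
    {"ts": "2024-03-20T08:30:00", "user": "e.park", "ip": "198.51.100.20", "event": "password_failed"},
    {"ts": "2024-03-20T08:30:20", "user": "e.park", "ip": "198.51.100.20", "event": "password_failed"},
    {"ts": "2024-03-20T08:30:45", "user": "e.park", "ip": "198.51.100.20", "event": "password_ok"},
    {"ts": "2024-03-20T10:00:00", "user": "g.hall", "ip": "198.51.100.20", "event": "device_registered"},
]


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def detect_password_spray(events, window=timedelta(minutes=30), min_users=5):
    """Flag source IPs whose failed password attempts hit at least `min_users` distinct
    accounts inside any `window`-long interval. Returns {ip: sorted usernames}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "password_failed":
            by_ip[e["ip"]].append(e)
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort(key=_ts)
        for i, start in enumerate(fails):
            users = {f["user"] for f in fails[i:] if _ts(f) - _ts(start) <= window}
            if len(users) >= min_users and len(users) > len(hits.get(ip, ())):
                hits[ip] = sorted(users)  # keep the widest set seen for this IP
    return hits


def detect_mfa_fatigue(events, window=timedelta(minutes=15), min_denials=3):
    """Flag accounts where an approved MFA push was preceded, within `window`, by at least
    `min_denials` denied pushes: the user said no repeatedly and then gave in."""
    prompts = sorted((e for e in events if e["event"] == "mfa_prompt"), key=_ts)
    hits = {}
    for i, p in enumerate(prompts):
        if p["result"] != "approved":
            continue
        denied = [q for q in prompts[:i]
                  if q["user"] == p["user"] and q["result"] == "denied"
                  and _ts(p) - _ts(q) <= window]
        if len(denied) >= min_denials:
            hits[p["user"]] = {"denied": len(denied), "approved_at": p["ts"], "ip": p["ip"]}
    return hits


def detect_enrolment_from_new_ip(events, min_history=timedelta(days=7)):
    """Flag device or MFA-method registrations made from an IP that has no successful sign-in
    for that user at least `min_history` old. A sign-in minutes earlier from the same IP does
    not make it 'known': that is exactly the shape of an intruder who just got in and is digging in."""
    signins = [e for e in events if e["event"] == "password_ok"]
    hits = []
    for e in events:
        if e["event"] not in ("device_registered", "mfa_method_added"):
            continue
        known = any(s["user"] == e["user"] and s["ip"] == e["ip"]
                    and _ts(e) - _ts(s) >= min_history for s in signins)
        if not known:
            hits.append((e["ts"], e["user"], e["ip"], e["event"]))
    return hits


if __name__ == "__main__":
    print("password spray   :", detect_password_spray(EVENTS))
    print("MFA fatigue      :", detect_mfa_fatigue(EVENTS))
    print("enrolment, new IP:", detect_enrolment_from_new_ip(EVENTS))
```

Run against the sample, the spray rule fires only for 203.0.113.7, the fatigue rule only for f.ng, and the enrolment rule only for f.ng's two registrations; e.park's typos and g.hall's laptop stay quiet. The deliberate choice in the last rule is that an IP only counts as known once it has a sign-in history older than the threshold, which is what separates a legitimate re-enrolment from an attacker registering a device minutes after their first successful login.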

The advisory includes mitigations, to a point, for a number of these entry techniques; but the message for organisations moving to cloud infrastructure is to shut these TTPs down at the initial-access stage. Once in, actors can quickly establish their own identities and credentials, enrolling devices and MFA methods so that their access survives a password reset.

Readers are directed to the advisory, which identifies steps that can be taken to defend against these attacks and techniques:

  • Denying or hardening initial access to the cloud systems is the first line of defence: MFA on every account, strong and unique passwords, and least privilege for service accounts so that one sprayed password does not hand over the whole tenant.
    • Cloud platforms can make this easier than on-premises estates, because identity controls such as MFA and conditional access policies apply to every sign-in rather than only at the network perimeter.
  • Limiting the validity period of access tokens is another way to mitigate the attack and protect systems.
    • A stolen token is only useful for as long as it is valid; if the cloud provider allows token lifetimes to be shortened, that narrows the window in which an attack can succeed and provides a second layer of defence.
  • Implementing controls and policies for device enrolment can curtail attempts by the attacker to add their own devices to the organisation's estate and then use them to access the cloud systems.

As with much of cyber security, configuration and settings, if chosen appropriately, significantly reduce the risk of attack, especially when combined with proactive and intelligent real-time monitoring of sign-in and audit activity.

See the advisory in detail for more information.
