As predicted in early 2024, another joint advisory has been released by the Five Eyes intelligence and cyber security agencies. This time the advice concerns governments and corporations moving to cloud infrastructure, and a hacking group that has adapted previously successful tactics, techniques and procedures (TTPs) to target cloud-based environments. Unsurprisingly, the market is about supply and demand: as businesses and governments move to deliver IT services via the cloud, attackers are finding ways to infiltrate those systems and steal data.
The full advisory can be found here.
The group involved, APT29 (also known as Midnight Blizzard, the Dukes or Cozy Bear), is not new to this sort of thing. The advisory attributes the group to the SVR, Russia's Foreign Intelligence Service, which has form:
The rapid adoption of cloud-based IT services means attackers have recognised that identifying and exploiting vulnerabilities in on-premise networks and systems is not the only way to get at your valuable information and IP. Finding a way around cloud security controls and configurations can be just as profitable: the cloud provider patches the underlying infrastructure, so the way in is through the tenant's identities, credentials and configuration.
Previously, this group used brute force and password spraying to access service accounts. Service accounts are often highly privileged because of the services they run, but because they typically have no human user they are frequently exempt from multi-factor authentication, which makes them easier to compromise; once obtained, they give the threat actor a foothold for further operations. SVR actors have also sought out dormant accounts belonging to users who have left an organisation but whose accounts were never removed, and, following an organisation-wide enforced password reset during an incident, have logged into inactive accounts and followed the reset instructions to regain access.
In cloud environments, SVR actors have been observed using password spraying, credential reuse and stolen access tokens (system-issued tokens that authenticate a session without the password, so the password is no longer needed) to gain entry to cloud tenants and their applications. To get past MFA, they have also bombarded users with MFA push requests until the user eventually approves one ("MFA bombing", or push fatigue). Once inside the cloud environment, SVR actors have registered their own device as a new MFA device on the tenant, so that they can satisfy MFA themselves on subsequent logins.
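The three patterns above (spraying against many accounts including MFA-exempt service accounts, MFA push fatigue, and the actor then enrolling their own MFA device) all leave a trace in identity-provider sign-in and audit logs. The following is an added detection sketch, not code from the advisory or from the original post. The pipe-separated log format, the field names, the thresholds and the sample events are all constructed for illustration and would need to be mapped onto your own identity provider's log schema.

```python
"""Detection sketch for spraying, MFA fatigue and rogue MFA enrolment.

Added example; the log format (time|event|user|src_ip|result), thresholds
and sample events are constructed, not taken from any real product or log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source sprays six accounts and lands a password on
# a service account with no MFA; a second source pushes MFA prompts at 'alee'
# until one is approved, then enrols a new MFA device. 'bob' is benign noise.
SAMPLE_LOG = """\
2024-03-01T08:00:01|sign_in|svc-backup|203.0.113.5|failure
2024-03-01T08:00:03|sign_in|svc-monitor|203.0.113.5|failure
2024-03-01T08:00:05|sign_in|jsmith|203.0.113.5|failure
2024-03-01T08:00:07|sign_in|alee|203.0.113.5|failure
2024-03-01T08:00:09|sign_in|r.patel|203.0.113.5|failure
2024-03-01T08:00:11|sign_in|t.nguyen|203.0.113.5|failure
2024-03-01T08:02:40|sign_in|svc-backup|203.0.113.5|success
2024-03-01T08:15:00|sign_in|bob|10.0.0.4|failure
2024-03-01T08:15:20|sign_in|bob|10.0.0.4|success
2024-03-01T08:15:25|mfa_push|bob|10.0.0.4|approved
2024-03-01T09:00:00|sign_in|alee|198.51.100.7|success
2024-03-01T09:00:05|mfa_push|alee|198.51.100.7|denied
2024-03-01T09:00:40|mfa_push|alee|198.51.100.7|denied
2024-03-01T09:01:15|mfa_push|alee|198.51.100.7|timeout
2024-03-01T09:01:50|mfa_push|alee|198.51.100.7|denied
2024-03-01T09:02:30|mfa_push|alee|198.51.100.7|approved
2024-03-01T09:06:00|mfa_device_added|alee|198.51.100.7|success
"""


def parse_log(text):
    """Parse pipe-separated lines into event dicts with a datetime 'time'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, src_ip, result = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "event": event,
                       "user": user, "src_ip": src_ip, "result": result})
    return events


def detect_password_spray(events, window=timedelta(minutes=30), min_accounts=5):
    """Source IPs whose sign-in failures span >= min_accounts distinct accounts
    inside `window`. Many accounts, few attempts each, is the spray signature
    that per-account lockout thresholds miss."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "sign_in" and e["result"] == "failure":
            by_ip[e["src_ip"]].append(e)
    hits = defaultdict(set)
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["time"])
        start = 0
        for end, e in enumerate(fails):  # sliding window over this IP's failures
            while e["time"] - fails[start]["time"] > window:
                start += 1
            users = {f["user"] for f in fails[start:end + 1]}
            if len(users) >= min_accounts:
                hits[ip].update(users)
    return {ip: sorted(users) for ip, users in hits.items()}


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_rejected=3):
    """Users who approved an MFA push after rejecting or ignoring at least
    `min_rejected` pushes inside `window`: the MFA bombing pattern."""
    pushes = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            pushes[e["user"]].append(e)
    hits = []
    for user, ps in pushes.items():
        ps.sort(key=lambda e: e["time"])
        for i, p in enumerate(ps):
            if p["result"] != "approved":
                continue
            rejected = [q for q in ps[:i] if q["result"] in ("denied", "timeout")
                        and p["time"] - q["time"] <= window]
            if len(rejected) >= min_rejected:
                hits.append({"user": user, "src_ip": p["src_ip"],
                             "approved_at": p["time"], "rejected_before": len(rejected)})
    return hits


def analyse(log_text):
    """Tie the detections together: a success from a spraying source is a
    likely compromised credential (here an MFA-exempt service account), and an
    MFA device enrolled from any flagged source is the persistence step."""
    events = parse_log(log_text)
    spray = detect_password_spray(events)
    fatigue = detect_mfa_fatigue(events)
    suspicious_ips = set(spray) | {h["src_ip"] for h in fatigue}
    compromised = sorted({(e["user"], e["src_ip"]) for e in events
                          if e["event"] == "sign_in" and e["result"] == "success"
                          and e["src_ip"] in spray})
    enrolments = [(e["user"], e["src_ip"]) for e in events
                  if e["event"] == "mfa_device_added" and e["src_ip"] in suspicious_ips]
    return {"spray": spray, "mfa_fatigue": fatigue,
            "success_after_spray": compromised,
            "mfa_device_enrolled_from_suspicious_ip": enrolments}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The thresholds are deliberately loose so the sample trips them; in production they would be tuned against a baseline, and the enrolment check would normally also alert on any MFA device added within a short time of a first-seen source or a password reset, since that is the point at which the actor's own device becomes a standing credential.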
The advisory includes mitigations, to a point, for a number of these entry techniques; but the message for organisations moving to cloud infrastructure is to concentrate defences on initial access and the TTPs used to achieve it. Once in, actors can readily re-establish their identities and access credentials, for example by enrolling devices and tokens of their own.
Readers are directed to the advisory, which identifies steps that can be taken to try and defend against these attacks and techniques:
As with much of cyber security, configuration and settings, if chosen appropriately, can significantly reduce the risk of attack, especially when combined with proactive, intelligent real-time monitoring of systems.
See the advisory in detail for more information.