Priya PatelTLDR:
Key Points:
- APT29, a Russian cyberespionage group, has been targeting cloud vulnerabilities using brute forcing and password spraying attacks.
- They have been focusing on gaining access to service accounts in organizations, which are harder to protect with multi-factor authentication.
One of Russia’s elite cyberespionage threat groups, APT29, also known as Cozy Bear, Midnight Blizzard, and Nobelium, has adapted its hacking methods to target vulnerabilities in cloud services as more organizations move their infrastructure to the cloud. The group, identified as a unit of the Russian Foreign Intelligence Service (SVR), has been particularly skilled at using brute forcing and password spraying attacks to access service accounts that are not tied to specific individuals but are used to run and manage applications and services within organizations. These accounts, which are often highly privileged, provide threat actors with initial access to a network, allowing them to launch further operations.
The UK’s National Cyber Security Centre (NCSC) issued a warning about APT29’s new tactics, including targeting dormant accounts left on systems after users leave organizations. The group has also been using techniques like “MFA bombing” to push multi-factor authentication (MFA) requests to victims’ devices until they accept, gaining access to the cloud environment. Once inside, APT29 deploys sophisticated tools like MagicWeb for espionage activities.
Patrick Tiquet from Keeper Security highlighted the risks associated with generic service accounts in cloud environments and emphasized the importance of organizations keeping an accurate inventory of service accounts for regular auditing. The NCSC advisory recommended creating “canary” service accounts for monitoring and alerting purposes to detect illegitimate use. The advisory was issued jointly with the U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and international partner cybersecurity agencies.
