Member countries of the Five Eyes intelligence alliance (FVEY) report that cyberhackers from the APT29 group, affiliated with the Russian Foreign Intelligence Service (SVR), are turning to cloud platforms.
In an unprecedented warning, the cybersecurity agencies of the Five Eyes (United States, United Kingdom, Australia, Canada and New Zealand) have sounded the alarm on the recent activities of Russian hackers, particularly the APT29 group, also known by several aliases, including SVR, Cozy Bear and The Dukes. These cybercriminals, known for their sophistication and connection to Russian intelligence services, are focusing all their efforts on cloud infrastructure, a strategy that could have devastating consequences for businesses and governments around the world.
History
Russian cyberspies have also managed to infiltrate the Microsoft 365 accounts of various entities belonging to NATO member countries, with the aim of acquiring data relating to foreign policy. Their targets included governments, embassies and senior officials across Europe, in a series of phishing attacks.
Most recently, in January, Microsoft confirmed that the hacking group affiliated with the Russian Foreign Intelligence Service had compromised the Exchange Online accounts of its executives, as well as those of users from other organizations, in November 2023. So this is not their first attempt.
The cloud attack
Five Eyes agencies identified that APT29, the Russian hackers, broke into their targets’ cloud environments using compromised service account credentials obtained through brute force or password spray attacks. They also take advantage of dormant accounts left undeleted after users leave the targeted organizations, which makes it easier to “re-access” them after a system-wide password reset.
APT29’s initial cloud breach vectors also include the use of stolen access tokens, which allow them to hijack accounts without using credentials; compromised residential routers used to “proxy” their malicious activity; MFA fatigue to bypass multi-factor authentication (MFA); and registering their own devices as new devices on victims’ cloud tenants.
Preventative measures
SVR hackers use sophisticated tools like MagicWeb malware to evade detection in the networks of governments and critical organizations in Europe, the United States and Asia.
“For organizations that have migrated to cloud infrastructure, the first line of defense against an actor like SVR should be to protect against TTPs [Tactics, Techniques and Procedures, editor’s note] of SVR for initial access,” the Five Eyes advise.
To protect against these attacks, network defenders should therefore enable multi-factor authentication wherever possible and strengthen passwords or reduce session lifetimes to limit the use of stolen tokens.
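As an added illustration of the detection side (not code from the advisory or the source articles), the following Python flags the two initial-access patterns described above, password spraying and sign-ins to dormant accounts, over constructed sign-in records; the record layout, the thresholds and the account names are assumptions.

```python
"""Detection logic for the two initial-access patterns named above:
password spraying (one source fails against many accounts) and sign-ins
to dormant accounts. Records are constructed; field layout is an assumption."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records: (timestamp, user, source_ip, result)
SAMPLE_SIGNINS = [
    ("2024-02-26T09:00:00", "alice@example.org", "203.0.113.5", "failure"),
    ("2024-02-26T09:00:07", "bob@example.org", "203.0.113.5", "failure"),
    ("2024-02-26T09:00:15", "carol@example.org", "203.0.113.5", "failure"),
    ("2024-02-26T09:00:21", "dave@example.org", "203.0.113.5", "failure"),
    ("2024-02-26T09:05:00", "alice@example.org", "198.51.100.9", "failure"),
    ("2024-02-26T09:05:10", "alice@example.org", "198.51.100.9", "success"),
    ("2024-02-26T10:00:00", "svc-backup@example.org", "203.0.113.5", "success"),
]

# Constructed directory data: each account's last successful sign-in
LAST_SEEN = {
    "alice@example.org": "2024-02-25T17:00:00",
    "svc-backup@example.org": "2023-10-01T08:00:00",  # left idle after its owner departed
}

def detect_password_spray(records, min_accounts=4, window=timedelta(minutes=10)):
    """Source IPs whose failures hit >= min_accounts distinct users within window."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in records:
        if result == "failure":
            by_ip[ip].append((datetime.fromisoformat(ts), user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = sorted(users)
                break
    return flagged

def detect_dormant_logins(records, last_seen, dormant_after=timedelta(days=90)):
    """(user, ip) pairs for successful sign-ins by accounts idle longer than dormant_after."""
    hits = []
    for ts, user, ip, result in records:
        if result != "success" or user not in last_seen:
            continue
        idle = datetime.fromisoformat(ts) - datetime.fromisoformat(last_seen[user])
        if idle >= dormant_after:
            hits.append((user, ip))
    return hits
```

A single source failing against four accounts in ten minutes and a long-idle service account signing in from that same source are exactly the signals worth alerting on; the thresholds should be tuned to the tenant's normal sign-in volume.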
Source: Bleeping Computer, CISA