The threat of Russian hackers looms over cloud platforms


Mélina LOUPIA

February 27, 2024 at 2:24 p.m.


The cloud, the new target of Russian hackers - © Ar_TH / Adobe Stock


Member countries of the Five Eyes intelligence alliance (FVEY) report that hackers from the APT29 group, affiliated with the Russian Foreign Intelligence Service (SVR), are turning their attention to cloud platforms.

In an unprecedented warning, the cybersecurity agencies of the Five Eyes (United States, United Kingdom, Australia, Canada and New Zealand) have sounded the alarm on the recent activities of Russian hackers, particularly the APT29 group, also known by several aliases, including SVR, Cozy Bear and The Dukes. These cybercriminals, known for their sophistication and connection to Russian intelligence services, are focusing all their efforts on cloud infrastructure, a strategy that could have devastating consequences for businesses and governments around the world.


Russian cyberspies have also managed to infiltrate the Microsoft 365 accounts of various entities belonging to NATO member countries, with the aim of acquiring data relating to foreign policy. Their targets included governments, embassies and senior officials across Europe, in a series of phishing attacks.

Most recently, in January, Microsoft confirmed that the hacking group affiliated with the Russian Foreign Intelligence Service had compromised the Exchange Online accounts of its executives, as well as those of users at other organizations, in November 2023. So this is far from their first attempt.

The cloud attack

Five Eyes agencies found that APT29, the Russian hackers, gained access to their targets’ cloud environments using compromised service account credentials obtained through brute-force or password-spray attacks. They also take advantage of dormant accounts that were never deleted after users left the targeted organizations, which makes it easier to regain access after a system-wide password reset.

APT29’s initial cloud access vectors also include stolen access tokens that let them hijack accounts without needing credentials, compromised residential routers used to proxy their malicious activity, MFA fatigue to bypass multi-factor authentication (MFA), and registering their own devices as new devices on victims’ cloud tenants. Nothing less.
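The two initial-access patterns described above, password spraying and the reuse of dormant accounts, can be picked out of sign-in logs. The following is an added illustration written for this article, not code from the Five Eyes advisory; the thresholds, the sign-in records and the last-seen table are all constructed assumptions.

```python
# Added example (not from the article or the advisory): flag password-spray
# sources and successful sign-ins to dormant accounts in constructed sign-in data.
from collections import defaultdict
from datetime import datetime, timedelta

DORMANT_DAYS = 90          # assumption: inactivity that makes an account "dormant"
SPRAY_MIN_ACCOUNTS = 5     # assumption: distinct accounts hit from one IP
SPRAY_MAX_PER_ACCOUNT = 3  # spraying stays below typical per-account lockout counts


def t(s):
    return datetime.fromisoformat(s)


# Constructed sign-in events: (timestamp, user, source_ip, outcome)
EVENTS = [
    (t("2024-02-20T02:00:00"), "alice",   "203.0.113.7",  "failure"),
    (t("2024-02-20T02:00:05"), "bob",     "203.0.113.7",  "failure"),
    (t("2024-02-20T02:00:10"), "carol",   "203.0.113.7",  "failure"),
    (t("2024-02-20T02:00:15"), "dave",    "203.0.113.7",  "failure"),
    (t("2024-02-20T02:00:20"), "erin",    "203.0.113.7",  "failure"),
    (t("2024-02-20T02:00:25"), "old.svc", "203.0.113.7",  "success"),  # leaver's account
    (t("2024-02-20T09:15:00"), "alice",   "198.51.100.5", "failure"),  # one account,
    (t("2024-02-20T09:15:01"), "alice",   "198.51.100.5", "failure"),  # many tries:
    (t("2024-02-20T09:15:02"), "alice",   "198.51.100.5", "failure"),  # brute force,
    (t("2024-02-20T09:15:03"), "alice",   "198.51.100.5", "failure"),  # not a spray
    (t("2024-02-20T09:15:04"), "alice",   "198.51.100.5", "failure"),
    (t("2024-02-20T09:30:00"), "bob",     "192.0.2.44",   "success"),
]

# Constructed: last successful sign-in per account before the window above
LAST_SEEN = {"alice": t("2024-02-19T17:00:00"), "bob": t("2024-02-19T18:30:00"),
             "old.svc": t("2023-08-01T11:00:00")}


def detect_password_spray(events):
    """Source IPs whose failures spread across many accounts with few tries each."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for _ts, user, ip, outcome in events:
        if outcome == "failure":
            per_ip[ip][user] += 1
    return sorted(ip for ip, users in per_ip.items()
                  if len(users) >= SPRAY_MIN_ACCOUNTS
                  and max(users.values()) <= SPRAY_MAX_PER_ACCOUNT)


def detect_dormant_reuse(events, last_seen):
    """(user, ip) pairs where a long-inactive account signed in successfully."""
    return [(user, ip) for ts, user, ip, outcome in events
            if outcome == "success" and user in last_seen
            and ts - last_seen[user] > timedelta(days=DORMANT_DAYS)]
```

Both checks are cheap enough to run over a tenant's daily sign-in export, and the dormant-account hit is exactly the case that a password reset alone does not close.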

Multi-factor authentication, one of the keys to protection against Russian hackers - @ Shutterstock/Thapana_Studio


Preventative measures

SVR hackers use sophisticated tools like MagicWeb malware to evade detection in the networks of governments and critical organizations in Europe, the United States and Asia.

“For organizations that have migrated to cloud infrastructure, the first line of defense against an actor like SVR should be to protect against the TTPs [Tactics, Techniques and Procedures, editor’s note] the SVR uses for initial access,” advise the Five Eyes.

To protect against these attacks, network defenders should therefore enable multi-factor authentication wherever possible, strengthen passwords, and reduce session lifetimes to limit what a stolen token can be used for.


Source: BleepingComputer, CISA

Mélina LOUPIA

Ex-corporate journalist, the world of the web, networks, connected machines and everything that is written on the Internet whets my appetite. From the latest TikTok trend to the most liked reels, I come from the Facebook generation that still fascinates the internal war between Mac and PC. As a wise woman, the Internet, its tools, practices and regulations are among my favorite hobbies (that, lineart, knitting and bad jokes). My motto: to try it is to adopt it, but in complete safety.