The Cybersecurity and Infrastructure Security Agency (CISA) – along with the UK National Cyber Security Centre (NCSC) and other international partners – has released a joint advisory warning of tactics and techniques used by alleged Russian Foreign Intelligence Service (SVR) hackers to infiltrate cloud systems.

The SVR-affiliated hackers, tracked under names including Advanced Persistent Threat 29 (APT29), the Dukes, Cozy Bear, and NOBELIUM/Midnight Blizzard, have been exploiting well-documented weaknesses at scale since September 2023, the agencies said.

“The NCSC has previously detailed how Russian Foreign Intelligence Service (SVR) cyber actors have targeted governmental, think tank, healthcare, and energy targets for intelligence gain,” stated CISA. “It has now observed SVR actors expanding their targeting to include aviation, education, law enforcement, local and state councils, government financial departments, and military organizations.”

One of the prominent techniques used by these actors is targeting service accounts and dormant accounts on cloud systems. Service accounts have no human operator behind them and, for that reason, often cannot be protected with multi-factor authentication; dormant accounts, such as those left behind by departed staff, are rarely monitored and may still hold their original privileges.

“Service accounts are often also highly privileged depending on which applications and services they’re responsible for managing. Gaining access to these accounts provides threat actors with privileged initial access to a network, to launch further operations,” stated CISA.

SVR actors have also gained access to cloud systems by using stolen, system-issued access tokens, which let them authenticate to victim accounts without ever supplying a password.

SVR actors have also used a technique known as “multi-factor authentication (MFA) bombing” (also called MFA fatigue or push bombing), in which a targeted user is bombarded with MFA push requests until they accept one. In addition, they have routed their traffic through residential proxies so that it appears to originate from ordinary residential IP addresses in the target's region, making it harder to distinguish from legitimate user activity and less likely to trip IP-reputation or geolocation controls.

The advisory features the following recommendations to defend against attacks:

  • Use multi-factor authentication;
  • Accounts that cannot use 2SV (two-step verification, the NCSC's term for MFA) should have strong, unique passwords;
  • System and service accounts should implement the principle of least privilege, providing tightly scoped access to resources required for the service to function;
  • Canary service accounts should be created which appear to be valid service accounts but are never used by legitimate services;
  • Session lifetimes should be kept as short as practical to reduce the window of opportunity for an adversary to use stolen session tokens;
  • Ensure device enrollment policies are configured to only permit authorized devices to enroll;
  • Consider a variety of information sources such as application events and host-based logs to help prevent, detect and investigate potential malicious behavior.
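As an added illustration (not code from the advisory or from CISA/NCSC), the following Python script runs three of these checks over a handful of constructed sign-in records: a sliding-window detector for MFA bombing (a burst of push prompts to one user, with a flag when the burst ends in an approval), an alert on any authentication attempt against a canary service account, and a detector for dormant accounts that suddenly sign in again. It then cross-references source IPs across the detections, since one address surfacing in several alerts is the kind of correlation the advisory's last recommendation is after. The log format, field names, account names, IP addresses, baseline dates and thresholds are all assumptions made for this example, not any vendor's schema or values from the advisory.

```python
"""Constructed sign-in events and three detections drawn from the
advisory's recommendations. Nothing here is real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical canary service account: looks legitimate but is never used by
# any real service, so any authentication attempt against it is an alert.
CANARY_ACCOUNTS = {"svc-backup-legacy@corp.example"}

# Tunable thresholds (assumptions for this example, not advisory values).
MFA_BOMB_THRESHOLD = 5                 # prompts to one user ...
MFA_BOMB_WINDOW = timedelta(minutes=10)  # ... inside this window
DORMANT_AFTER = timedelta(days=90)     # no successful sign-in for this long

# Constructed sample log. Fields: timestamp user event result source_ip
# event is "mfa_prompt" (a push sent to the user) or "signin".
SAMPLE_LOG = """\
2024-02-20T08:00:05Z alice@corp.example mfa_prompt denied 198.51.100.7
2024-02-20T08:00:41Z alice@corp.example mfa_prompt denied 198.51.100.7
2024-02-20T08:01:12Z alice@corp.example mfa_prompt denied 198.51.100.7
2024-02-20T08:01:50Z alice@corp.example mfa_prompt denied 198.51.100.7
2024-02-20T08:02:33Z alice@corp.example mfa_prompt approved 198.51.100.7
2024-02-20T08:02:34Z alice@corp.example signin success 198.51.100.7
2024-02-20T09:15:00Z bob@corp.example mfa_prompt approved 192.0.2.44
2024-02-20T09:15:01Z bob@corp.example signin success 192.0.2.44
2024-02-20T11:47:19Z svc-backup-legacy@corp.example signin failure 203.0.113.9
2024-02-20T13:02:00Z carol@corp.example signin success 203.0.113.9
"""

# Constructed baseline: last successful sign-in per account before the log window.
LAST_SEEN = {
    "alice@corp.example": datetime(2024, 2, 19, 17, 30, tzinfo=timezone.utc),
    "bob@corp.example": datetime(2024, 2, 19, 18, 5, tzinfo=timezone.utc),
    "carol@corp.example": datetime(2023, 9, 1, 9, 0, tzinfo=timezone.utc),
}


def parse_events(text):
    """Parse the whitespace-separated sample format into time-sorted dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result, ip = line.split()
        events.append({
            "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "event": event, "result": result, "ip": ip,
        })
    return sorted(events, key=lambda e: e["time"])


def detect_mfa_bombing(events):
    """Per-user sliding window over MFA prompts; fires once as a burst
    reaches MFA_BOMB_THRESHOLD prompts inside MFA_BOMB_WINDOW."""
    alerts = []
    windows = defaultdict(list)
    for e in events:
        if e["event"] != "mfa_prompt":
            continue
        window = windows[e["user"]]
        window.append(e)
        while window and e["time"] - window[0]["time"] > MFA_BOMB_WINDOW:
            window.pop(0)  # prompt fell out of the window
        if len(window) == MFA_BOMB_THRESHOLD:
            alerts.append({
                "user": e["user"], "ip": e["ip"], "prompts": len(window),
                "first": window[0]["time"], "last": e["time"],
                # an approval at the end of a burst means the user gave in
                "approved": e["result"] == "approved",
            })
    return alerts


def detect_canary_use(events):
    """Any event touching a canary account is an alert by definition."""
    return [e for e in events if e["user"] in CANARY_ACCOUNTS]


def detect_dormant_revival(events, last_seen):
    """Successful sign-in after more than DORMANT_AFTER of inactivity."""
    alerts = []
    seen = dict(last_seen)
    for e in events:
        if e["event"] != "signin" or e["result"] != "success":
            continue
        prev = seen.get(e["user"])
        if prev is not None and e["time"] - prev > DORMANT_AFTER:
            alerts.append({"user": e["user"], "ip": e["ip"], "time": e["time"],
                           "idle_days": (e["time"] - prev).days})
        seen[e["user"]] = e["time"]
    return alerts


def analyse(text, last_seen):
    """Run all detections and note source IPs seen in more than one of them."""
    events = parse_events(text)
    report = {
        "mfa_bombing": detect_mfa_bombing(events),
        "canary": detect_canary_use(events),
        "dormant_revival": detect_dormant_revival(events, last_seen),
    }
    ips = defaultdict(set)
    for kind in ("mfa_bombing", "canary", "dormant_revival"):
        for a in report[kind]:
            ips[a["ip"]].add(kind)
    report["shared_ips"] = {ip: sorted(k) for ip, k in ips.items() if len(k) > 1}
    return report


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG, LAST_SEEN).items():
        print(kind, hits)
```

On the constructed sample the script flags alice's burst of five prompts ending in an approval, the failed login against the canary account, and carol's first sign-in in 172 days, and it reports 203.0.113.9 as the one address behind both the canary probe and the dormant-account revival. Production telemetry would replace the inline log with a feed from the identity provider and the baseline dict with a query over historical sign-ins, but the window logic and the canary rule carry over unchanged.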

“The SVR is a sophisticated actor capable of carrying out a global supply chain compromise such as the 2020 SolarWinds; however, the guidance in this advisory shows that a strong baseline of cyber security fundamentals can help defend from such actors,” concluded CISA.

Jose Rascon is a MeriTalk Staff Reporter covering the intersection of government and technology.