The Cybersecurity and Infrastructure Agency (CISA) and other international agencies responsible for cybersecurity released a joint advisory describing efforts used by the Russian Foreign Intelligence Service (SVR) to gain access to cloud environments. While the report does not suggest a motive to such attacks, other guidance from CISA suggests that at least one motive is the disruption of critical infrastructure in the West during crisis.
Attack Methods
Also known as APT29, the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard, the report describes tactics used by the SVR to gain initial access to cloud services, including:
- Access via service and dormant accounts, which may provide privileged access
- Cloud based token authentication
- Enrolling new devices into the cloud (after bypassing password authentication using techniques such as password spraying and MFA bombing)
- Residential proxies (making traffic appear to come from IP addresses used by ISPs for residential broadband customers, which makes it harder to detect malicious activities from country-based firewall rules based on IP addresses).
Recommendations to Businesses
The advisory recommends a number of mitigation strategies, that may be useful in defending attacks based on the above. These include:
- Using MFA
- Requiring strong, unique passwords for accounts that cannot use MFA
- Disabling user and system accounts that are no longer necessary
- Adopting the principle of least privilege for system and service accounts
- Deploying "canary" service accounts, which appear to be legitimate, but which are never used by legitimate services, and setting up monitoring and alerting on the accounts should they be used
- Minimizing session lifetimes for session tokens (balanced against suitable authentication methods taking into account user experience)
- Only permit authorized devices to enroll, which may include the use of zero-touch enrollment techniques or the use of strong MFA that is resistant to phishing and prompt bombing attacks
- Consider a variety of information sources, such as application and host-based logging that may suggest malicious behavior
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.