Cyber Criminals Adapt Tactics to Attack Cloud Infrastructure

Author

Daniela Melo

Publish Date

Type

Cyber Alert

Topics
  • Cybersecurity

The UK’s National Cyber Security Centre (NCSC), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and other international partners published a joint advisory on February 26, 2024 outlining recent tactics, techniques, and procedures (TTPs) used by cyber actors associated with the Russian Foreign Intelligence Service (SVR) to gain initial access to cloud environments. The group is tracked publicly as APT29 (also known as Midnight Blizzard and Cozy Bear).

As organizations modernize their systems and move to cloud-hosted infrastructure, the SVR’s traditional route in, exploiting software vulnerabilities in on-premises networks, has become less available. In a cloud-hosted environment an attacker must first authenticate to the cloud provider, so the TTPs described in the advisory centre on obtaining and abusing credentials, tokens and enrolled devices rather than on exploiting vulnerabilities. The advisory attributes this shift to APT29, which the NCSC assesses to be part of the SVR.

Common TTPs utilized to gain cloud access

The advisory outlined the following TTPs used by SVR actors to obtain cloud access.

  • Brute forcing and password spraying: Using automated login attempts that try a small number of common passwords across many accounts, SVR actors target service accounts as a high-value foothold for further operations. Service accounts are attractive because they exist so that applications can talk to each other, tend to be highly privileged, and usually have no human owner, which makes enrolling them in multi-factor authentication (MFA) difficult.
  • Targeting dormant accounts: SVR actors have targeted accounts belonging to users who have left the organization but whose accounts were never removed. Following an organization-wide enforced password reset during an incident, they have been observed logging into inactive accounts and completing the password reset instructions themselves, regaining access after incident response eviction activities.
  • Utilizing cloud-based tokens: SVR actors have used system-issued access tokens (the credentials a cloud platform issues after a successful authentication to prove identity on later requests) to access victim accounts without needing a password. A stolen token remains usable until it expires or is revoked.
  • Bypassing multi-factor authentication: SVR actors have used “MFA bombing” or “MFA fatigue”, repeatedly pushing MFA approval requests to a victim’s device until the victim accepts one.
  • Enrolling new devices: Once authenticated, SVR actors have been observed registering their own device as a new device on the cloud tenant. Where device validation rules are not configured, the attacker-controlled device then satisfies device-based access policies.
  • Bypassing IP-based network defenses: SVR actors route their traffic through residential proxies so that it appears to originate from residential broadband IP ranges, which makes IP reputation checks and IP allow/deny lists far less effective on their own.
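Detection logic for three of the TTPs above (password spraying, MFA fatigue, and sign-ins to dormant accounts), run over a small constructed sign-in log. This is an added example and not code from the advisory or from ACA; the event schema, the field names, and the thresholds (five distinct accounts from one IP in 30 minutes, five MFA pushes to one user in 10 minutes, 90 idle days) are assumptions that would be tuned to the real log source.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sign-in events (assumed schema; real cloud sign-in logs differ).
EVENTS = [
    # One source IP, one failed attempt each against many service accounts.
    {"ts": _t("2024-03-01T02:00:00"), "event": "login_failure", "user": "svc-backup", "ip": "203.0.113.7"},
    {"ts": _t("2024-03-01T02:01:00"), "event": "login_failure", "user": "svc-sync", "ip": "203.0.113.7"},
    {"ts": _t("2024-03-01T02:02:00"), "event": "login_failure", "user": "svc-ci", "ip": "203.0.113.7"},
    {"ts": _t("2024-03-01T02:03:00"), "event": "login_failure", "user": "svc-etl", "ip": "203.0.113.7"},
    {"ts": _t("2024-03-01T02:04:00"), "event": "login_failure", "user": "svc-mon", "ip": "203.0.113.7"},
    {"ts": _t("2024-03-01T02:05:00"), "event": "login_success", "user": "svc-report", "ip": "203.0.113.7"},
    # A user mistyping a password twice: must not trigger the spray rule.
    {"ts": _t("2024-03-01T09:00:00"), "event": "login_failure", "user": "alice", "ip": "198.51.100.4"},
    {"ts": _t("2024-03-01T09:00:30"), "event": "login_failure", "user": "alice", "ip": "198.51.100.4"},
    {"ts": _t("2024-03-01T09:01:00"), "event": "login_success", "user": "alice", "ip": "198.51.100.4"},
    # MFA fatigue: pushes repeated until the user approves one.
    {"ts": _t("2024-03-01T11:00:00"), "event": "mfa_push_sent", "user": "bob", "ip": "203.0.113.9"},
    {"ts": _t("2024-03-01T11:00:40"), "event": "mfa_push_sent", "user": "bob", "ip": "203.0.113.9"},
    {"ts": _t("2024-03-01T11:01:20"), "event": "mfa_push_sent", "user": "bob", "ip": "203.0.113.9"},
    {"ts": _t("2024-03-01T11:02:00"), "event": "mfa_push_sent", "user": "bob", "ip": "203.0.113.9"},
    {"ts": _t("2024-03-01T11:02:40"), "event": "mfa_push_sent", "user": "bob", "ip": "203.0.113.9"},
    {"ts": _t("2024-03-01T11:03:00"), "event": "mfa_push_approved", "user": "bob", "ip": "203.0.113.9"},
    # A leaver's account that was never disabled.
    {"ts": _t("2024-03-01T13:00:00"), "event": "login_success", "user": "jdoe", "ip": "203.0.113.9"},
]

# Constructed: last successful sign-in per account before this log window.
LAST_SEEN = {
    "alice": _t("2024-02-29T17:00:00"),
    "bob": _t("2024-02-29T16:00:00"),
    "svc-report": _t("2024-02-28T00:00:00"),
    "jdoe": _t("2023-08-01T10:00:00"),
}


def detect_password_spray(events, window=timedelta(minutes=30), min_accounts=5):
    """Flag source IPs whose failures touch >= min_accounts distinct accounts
    inside `window`. A spray tries one password across many accounts, so the
    distinct-account count, not the raw failure count, is the discriminator;
    alice's two failures on one account stay below the bar."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "login_failure":
            by_ip[e["ip"]].append(e)
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        for i, start in enumerate(fails):
            users = {f["user"] for f in fails[i:] if f["ts"] - start["ts"] <= window}
            if len(users) >= min_accounts:
                # Also record which accounts the same IP then logged into: the spray that landed.
                landed = {e["user"] for e in events
                          if e["ip"] == ip and e["event"] == "login_success"}
                hits[ip] = {"sprayed": sorted(users), "succeeded": sorted(landed)}
                break
    return hits


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_prompts=5):
    """Flag users who received >= min_prompts MFA pushes inside `window`, and
    note whether a push was approved after the burst began."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"].startswith("mfa_push"):
            by_user[e["user"]].append(e)
    hits = {}
    for user, pushes in by_user.items():
        pushes.sort(key=lambda e: e["ts"])
        sent = [p for p in pushes if p["event"] == "mfa_push_sent"]
        for i, start in enumerate(sent):
            burst = [p for p in sent[i:] if p["ts"] - start["ts"] <= window]
            if len(burst) >= min_prompts:
                approved = any(p["event"] == "mfa_push_approved" and p["ts"] >= start["ts"]
                               for p in pushes)
                hits[user] = {"prompts": len(burst), "approved": approved}
                break
    return hits


def detect_dormant_logins(events, last_seen, dormant_days=90):
    """Flag successful sign-ins to accounts idle for >= dormant_days. An account
    with no recorded history is treated as dormant rather than ignored."""
    hits = []
    for e in events:
        if e["event"] != "login_success":
            continue
        prev = last_seen.get(e["user"])
        idle = None if prev is None else (e["ts"] - prev).days
        if idle is None or idle >= dormant_days:
            hits.append((e["user"], e["ip"], idle))
    return hits


if __name__ == "__main__":
    print("password spray:", detect_password_spray(EVENTS))
    print("mfa fatigue:", detect_mfa_fatigue(EVENTS))
    print("dormant logins:", detect_dormant_logins(EVENTS, LAST_SEEN))
```

On the constructed log the spray rule reports 203.0.113.7 with the five sprayed accounts and the one (svc-report) it then signed into, the MFA rule reports bob with five prompts and an approval, and the dormant rule reports jdoe after 213 idle days. The point of the three rules together is that each TTP in the list leaves a distinct shape in ordinary sign-in telemetry, so none of them needs a malware signature to be caught.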

Recommendations for mitigation and detection

The advisory recommends the following mitigation and detection measures, drawn from its findings and from industry sources.

  • Use MFA and strong, unique passwords to reduce the impact of a password compromise.
  • Disable user and system accounts when they are no longer required, so that unmaintained service accounts and dormant accounts cannot be used for access.
  • Apply the principle of least privilege to system and service accounts to limit the damage if one is compromised.
  • Create “canary” service accounts that are never used legitimately and monitor them; any use of these accounts is a high-confidence signal of malicious activity.
  • Keep session token lifetimes short to reduce the window in which a stolen session token can be used.
  • Configure device enrollment policies to permit only authorized devices, and prevent old devices from re-enrolling once they are no longer required.
  • If self-enrollment of devices is required, protect it with phishing-resistant MFA.
  • Use multiple sources of information to detect potentially malicious behavior rather than relying on a single indicator (for example, identify session hijacking from a combination of signals rather than from suspicious IP addresses alone, since residential proxies defeat IP-only checks).
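The last four recommendations (canary accounts, short token lifetimes, controlled device enrollment, and combining indicators instead of trusting IP address alone) expressed as a session-triage rule over constructed activity records. This is an added example and not code from the advisory or from ACA; the record schema, the indicator weights, the alert threshold, and the eight-hour token lifetime are assumptions, and the `net` label stands in for the IP-to-ASN enrichment a real pipeline would attach to each source address.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _t(s):
    return datetime.fromisoformat(s)


# Constructed: accounts that exist only to be watched; any use is an incident.
CANARY_ACCOUNTS = {"svc-canary-01"}

# Constructed session activity (assumed schema; "net" stands in for the ASN
# enrichment a real pipeline would add to each source IP).
ACTIVITY = [
    # s1: alice finishes at the office and continues from home. IP changes, nothing else.
    {"ts": _t("2024-03-01T16:00:00"), "session": "s1", "user": "alice", "ip": "198.51.100.4", "net": "corporate", "ua": "Edge/Windows", "action": "read_mail"},
    {"ts": _t("2024-03-01T18:00:00"), "session": "s1", "user": "alice", "ip": "192.0.2.88", "net": "home_isp", "ua": "Edge/Windows", "action": "read_mail"},
    # s2: bob's token is replayed from a residential proxy with a different client,
    # and a new device is registered mid-session.
    {"ts": _t("2024-03-01T09:00:00"), "session": "s2", "user": "bob", "ip": "198.51.100.20", "net": "corporate", "ua": "Edge/Windows", "action": "read_mail"},
    {"ts": _t("2024-03-01T09:30:00"), "session": "s2", "user": "bob", "ip": "203.0.113.50", "net": "residential_proxy", "ua": "Chrome/Linux", "action": "read_mail"},
    {"ts": _t("2024-03-01T09:35:00"), "session": "s2", "user": "bob", "ip": "203.0.113.50", "net": "residential_proxy", "ua": "Chrome/Linux", "action": "register_device"},
    # s3: the canary service account is used at all.
    {"ts": _t("2024-03-01T03:10:00"), "session": "s3", "user": "svc-canary-01", "ip": "203.0.113.77", "net": "residential_proxy", "ua": "python-requests", "action": "login"},
    # s4: carol's session outlives the configured token lifetime with no other oddity.
    {"ts": _t("2024-03-01T08:00:00"), "session": "s4", "user": "carol", "ip": "198.51.100.31", "net": "corporate", "ua": "Edge/Windows", "action": "read_mail"},
    {"ts": _t("2024-03-01T17:30:00"), "session": "s4", "user": "carol", "ip": "198.51.100.31", "net": "corporate", "ua": "Edge/Windows", "action": "read_mail"},
]

# Assumed weights: a lone IP change is normal for roaming users and scores low;
# the signals that together characterise a replayed token score high.
WEIGHTS = {
    "canary_account": 100,
    "ip_changed": 10,
    "residential_proxy": 30,
    "user_agent_changed": 30,
    "device_enrolled_mid_session": 40,
    "token_used_past_max_lifetime": 30,
}
ALERT_THRESHOLD = 60


def score_session(events, canary=CANARY_ACCOUNTS, max_token_lifetime=timedelta(hours=8)):
    """Combine several independent indicators for one session into a score."""
    events = sorted(events, key=lambda e: e["ts"])
    indicators = []
    if events[0]["user"] in canary:
        indicators.append("canary_account")
    if len({e["ip"] for e in events}) > 1:
        indicators.append("ip_changed")
    if any(e["net"] == "residential_proxy" for e in events):
        indicators.append("residential_proxy")
    if len({e["ua"] for e in events}) > 1:
        indicators.append("user_agent_changed")
    if any(e["action"] == "register_device" for e in events):
        indicators.append("device_enrolled_mid_session")
    if events[-1]["ts"] - events[0]["ts"] > max_token_lifetime:
        indicators.append("token_used_past_max_lifetime")
    score = sum(WEIGHTS[i] for i in indicators)
    return {"user": events[0]["user"], "indicators": indicators,
            "score": score, "alert": score >= ALERT_THRESHOLD}


def triage(activity):
    """Group activity records by session token and score each session."""
    sessions = defaultdict(list)
    for e in activity:
        sessions[e["session"]].append(e)
    return {sid: score_session(evs) for sid, evs in sessions.items()}


if __name__ == "__main__":
    for sid, result in triage(ACTIVITY).items():
        print(sid, result)
```

Alice’s session changes IP but nothing else and stays below the threshold, which is the behaviour the advisory asks for: an IP change on its own is weak evidence, and a residential proxy would hide it anyway. Bob’s session trips on the combination of proxy network, changed client, and a device registration in the middle of an established session, and the canary account alerts on its first touch regardless of any other signal. Carol’s session carries only the lifetime indicator, which is worth reviewing as a sign that the token lifetime policy is not being enforced rather than as an intrusion.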

How we help

We help our clients reduce their cyber risk and strengthen their line of defense against destructive cyberattacks. 

Reach out to your ACA consultant, or contact us to find out how ACA can help secure your firm against cyber threats and comply with regulatory expectations.