CISA, NCSC, global partners expose SVR cyber espionage tactics targeting cloud environments

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the UK National Cyber Security Centre (NCSC) and a coalition of U.S. and international allies, has issued a joint advisory. Reflecting the move by governments and corporations to cloud infrastructure, the guidance details the latest tactics, techniques, and procedures (TTPs) employed by cyber actors of the Russian Foreign Intelligence Service (SVR), also known under the aliases APT29, the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard.

APT29, a cyber espionage group, is highly likely to be an operational component of the SVR, which is an integral part of the Russian intelligence apparatus. The group is recognized for its use of advanced techniques to penetrate cloud-based systems, demonstrating a high level of sophistication in its cyber operations.

Titled ‘SVR Cyber Actors Adapt Tactics for Initial Cloud Access,’ the document notes that the NCSC has previously detailed how SVR cyber actors have targeted governmental, think tank, healthcare, and energy organizations for intelligence gain. It has now observed SVR actors expanding their targeting to include aviation, education, law enforcement, local and state councils, government financial departments, and military organizations.

The advisory outlined that, for organizations that have moved to cloud infrastructure, a first line of defense against an actor such as the SVR should be to protect against the SVR’s TTPs for initial access. By following the mitigations outlined in the advisory, organizations will be in a stronger position to defend against this threat. Once the SVR gains initial access, it is capable of deploying highly sophisticated post-compromise capabilities such as MagicWeb, as reported in 2022.

The latest advisory comes on the heels of a December announcement, in which security agencies from the U.S. and Europe united to issue a cautionary statement to both public and private entities. That alert brought attention to the operations of SVR cyber actors, who operate under multiple aliases. It revealed that these actors had been extensively exploiting the vulnerability CVE-2023-42793, specifically targeting servers running JetBrains TeamCity software, since September 2023.

SVR is a highly sophisticated entity capable of executing global supply chain compromises, as evidenced by the 2020 SolarWinds incident. The agencies responsible for the advisory urge network defenders and organizations to consult the document for recommended mitigation strategies to counteract these threats effectively. 

“As organisations continue to modernise their systems and move to cloud-based infrastructure, the SVR has adapted to these changes in the operating environment,” the advisory outlined. “They have to move beyond their traditional means of initial access, such as exploiting software vulnerabilities in an on-premise network, and instead target the cloud services themselves. To access the majority of the victims’ cloud-hosted network, actors must first successfully authenticate to the cloud provider.”

It added that denying initial access to the cloud environment can prevent the SVR from successfully compromising its target. In contrast, in an on-premise system, more of the network is typically exposed to threat actors.

Previous SVR campaigns reveal that the actors have used brute forcing and password spraying to access service accounts. This type of account is typically used to run and manage applications and services. There is no human user behind them, so they cannot easily be protected with multi-factor authentication (MFA), which makes them more susceptible to compromise. Service accounts are also often highly privileged, depending on which applications and services they are responsible for managing. Gaining access to these accounts provides threat actors with privileged initial access to a network from which to launch further operations.
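The spray pattern described above has a recognisable shape in a cloud sign-in log: one source failing once or twice against many different accounts inside a short window, staying under any per-account lockout threshold. The following Python is an added example, not code from the advisory or from the article, run over a constructed JSON-lines log; the schema (ts, user, src_ip, result), the RFC 5737 documentation addresses and the thresholds are assumptions, not any provider's format. It also goes a step beyond the paragraph: with `key=None` it pools failures across all source addresses, which is the mode a defender needs when the attempts arrive through a pool of residential-proxy IPs and a per-IP threshold never trips.

```python
"""Password-spray detection over a constructed cloud sign-in log.

Added example; the JSON-lines schema (ts, user, src_ip, result), the IP
addresses and the thresholds are assumptions, not any provider's format.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MIN_DISTINCT_ACCOUNTS = 5      # a spray touches many accounts ...
MAX_ATTEMPTS_PER_ACCOUNT = 2   # ... but stays under per-account lockout

# Constructed sample log:
#  - 203.0.113.7 sprays six accounts, one guess each, inside 30 seconds
#  - b.roy mistypes a password three times and then succeeds (not a spray)
#  - five more accounts each get one guess from five different addresses,
#    the shape a spray takes when routed through residential proxies
SAMPLE_LOG = """
{"ts": "2024-02-26T09:00:01Z", "user": "svc-backup", "src_ip": "203.0.113.7", "result": "failure"}
{"ts": "2024-02-26T09:00:07Z", "user": "svc-sync", "src_ip": "203.0.113.7", "result": "failure"}
{"ts": "2024-02-26T09:00:13Z", "user": "svc-report", "src_ip": "203.0.113.7", "result": "failure"}
{"ts": "2024-02-26T09:00:19Z", "user": "j.doe", "src_ip": "203.0.113.7", "result": "failure"}
{"ts": "2024-02-26T09:00:25Z", "user": "a.lee", "src_ip": "203.0.113.7", "result": "failure"}
{"ts": "2024-02-26T09:00:31Z", "user": "m.khan", "src_ip": "203.0.113.7", "result": "failure"}
{"ts": "2024-02-26T10:00:02Z", "user": "b.roy", "src_ip": "198.51.100.4", "result": "failure"}
{"ts": "2024-02-26T10:00:20Z", "user": "b.roy", "src_ip": "198.51.100.4", "result": "failure"}
{"ts": "2024-02-26T10:00:41Z", "user": "b.roy", "src_ip": "198.51.100.4", "result": "failure"}
{"ts": "2024-02-26T10:01:05Z", "user": "b.roy", "src_ip": "198.51.100.4", "result": "success"}
{"ts": "2024-02-26T11:00:02Z", "user": "svc-deploy", "src_ip": "192.0.2.11", "result": "failure"}
{"ts": "2024-02-26T11:00:44Z", "user": "svc-monitor", "src_ip": "192.0.2.12", "result": "failure"}
{"ts": "2024-02-26T11:01:30Z", "user": "c.ng", "src_ip": "192.0.2.13", "result": "failure"}
{"ts": "2024-02-26T11:02:12Z", "user": "d.ortiz", "src_ip": "192.0.2.14", "result": "failure"}
{"ts": "2024-02-26T11:03:01Z", "user": "e.wu", "src_ip": "192.0.2.15", "result": "failure"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_spray(events, key="src_ip"):
    """Return {source: sorted accounts} for sources whose failures inside
    WINDOW touch at least MIN_DISTINCT_ACCOUNTS accounts with no more than
    MAX_ATTEMPTS_PER_ACCOUNT failures each (many accounts, few guesses).

    key="src_ip" keys the sliding window on the source address; key=None
    pools every failure in the tenant under one window, which is needed
    when the spray is spread across many proxy addresses (noisier, but it
    is the only view that sees a distributed spray).
    """
    hits = defaultdict(set)
    recent = defaultdict(list)          # window key -> failures still in WINDOW
    for e in events:
        if e["result"] != "failure":
            continue
        k = e[key] if key else "tenant-wide"
        bucket = recent[k]
        bucket.append(e)
        cutoff = e["ts"] - WINDOW
        bucket[:] = [x for x in bucket if x["ts"] >= cutoff]   # slide the window
        per_user = defaultdict(int)
        for x in bucket:
            per_user[x["user"]] += 1
        if (len(per_user) >= MIN_DISTINCT_ACCOUNTS
                and max(per_user.values()) <= MAX_ATTEMPTS_PER_ACCOUNT):
            hits[k].update(per_user)
    return {k: sorted(v) for k, v in hits.items()}


EVENTS = parse_events(SAMPLE_LOG)

if __name__ == "__main__":
    print("per source  :", detect_spray(EVENTS))
    print("tenant-wide :", detect_spray(EVENTS, key=None))
```

Per-source detection catches the burst from 203.0.113.7 and nothing else; the five single guesses from 192.0.2.11 through 192.0.2.15 only surface when the window is pooled tenant-wide, while b.roy's three failures on one account never qualify in either mode. In practice the pooled mode is tuned against the tenant's normal failure rate, since a large tenant will always have some distinct accounts failing in any ten-minute window.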

“SVR campaigns have also targeted dormant accounts belonging to users who no longer work at a victim organisation but whose accounts remain on the system,” the advisory said. “Following an enforced password reset for all users during an incident, SVR actors have also been observed logging into inactive accounts and following instructions to reset the password. This has allowed the actor to regain access following incident response eviction activities.”

The advisory added that account access is typically authenticated by either username and password credentials or system-issued access tokens. “The NCSC and partners have observed SVR actors using tokens to access their victims’ accounts, without needing a password. The default validity time of system-issued tokens varies dependent on the system, however cloud platforms should allow administrators to adjust the validity time as appropriate for their users,” it added.

It also pointed out that on multiple occasions the SVR has successfully bypassed password authentication on personal accounts using password spraying and credential reuse. SVR actors have then bypassed MFA through a technique known as ‘MFA bombing’ or ‘MFA fatigue’, in which the actors repeatedly push MFA requests to a victim’s device until the victim accepts a notification.
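From the identity provider's side, MFA fatigue is a run of push challenges for one user inside a few minutes, most of them denied or timed out, ending in an approval. The following Python is an added example (not from the advisory or the article) that flags that sequence in a constructed push-notification log; the schema (ts, user, outcome), the outcome values and the thresholds are assumptions, not any provider's format. It also reports bursts that were never approved, since those show an attacker who already holds a valid password even when the victim held out.

```python
"""MFA-fatigue ("prompt bombing") detection over a constructed push log.

Added example; the JSON-lines schema (ts, user, outcome) and the thresholds
are assumptions, not any identity provider's format.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
MIN_PROMPTS = 4   # a legitimate user rarely sees this many pushes in 15 minutes

# Constructed sample log:
#  - j.doe is bombed with five unapproved prompts and accepts the sixth
#  - a.lee approves two ordinary sign-ins 35 minutes apart
#  - m.khan ignores four prompts in a row and never approves
SAMPLE_LOG = """
{"ts": "2024-02-26T21:40:05Z", "user": "j.doe", "outcome": "denied"}
{"ts": "2024-02-26T21:41:12Z", "user": "j.doe", "outcome": "timeout"}
{"ts": "2024-02-26T21:42:30Z", "user": "j.doe", "outcome": "denied"}
{"ts": "2024-02-26T21:44:01Z", "user": "j.doe", "outcome": "timeout"}
{"ts": "2024-02-26T21:45:37Z", "user": "j.doe", "outcome": "denied"}
{"ts": "2024-02-26T21:47:10Z", "user": "j.doe", "outcome": "approved"}
{"ts": "2024-02-26T08:15:00Z", "user": "a.lee", "outcome": "approved"}
{"ts": "2024-02-26T08:50:22Z", "user": "a.lee", "outcome": "approved"}
{"ts": "2024-02-26T13:00:00Z", "user": "m.khan", "outcome": "timeout"}
{"ts": "2024-02-26T13:02:10Z", "user": "m.khan", "outcome": "timeout"}
{"ts": "2024-02-26T13:04:45Z", "user": "m.khan", "outcome": "timeout"}
{"ts": "2024-02-26T13:06:30Z", "user": "m.khan", "outcome": "timeout"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect_mfa_fatigue(events, window=WINDOW, min_prompts=MIN_PROMPTS):
    """Return {user: {"prompts": n, "approved_after_bombing": bool}} for
    users who received at least min_prompts push challenges inside window.

    "prompts" is the largest burst seen; "approved_after_bombing" is set
    when an approval closes a burst whose earlier prompts were all refused
    or ignored, the outcome the advisory describes as the attacker's goal.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda x: x["ts"])
        bucket = []                                   # prompts still inside window
        for e in evs:
            bucket.append(e)
            cutoff = e["ts"] - window
            bucket[:] = [x for x in bucket if x["ts"] >= cutoff]
            if len(bucket) < min_prompts:
                continue
            a = alerts.setdefault(user, {"prompts": 0, "approved_after_bombing": False})
            a["prompts"] = max(a["prompts"], len(bucket))
            unapproved_before = sum(1 for x in bucket[:-1] if x["outcome"] != "approved")
            if e["outcome"] == "approved" and unapproved_before >= min_prompts - 1:
                a["approved_after_bombing"] = True
    return alerts


EVENTS = parse_events(SAMPLE_LOG)

if __name__ == "__main__":
    for user, a in detect_mfa_fatigue(EVENTS).items():
        level = "CRITICAL" if a["approved_after_bombing"] else "WARN"
        print(f"{level}: {user} received {a['prompts']} push prompts in {WINDOW}")
```

The approved-after-bombing case is the one to treat as a confirmed compromise: the attacker already had the password, and the session that the approval created should be revoked along with any device the user "registered" immediately afterwards. Number matching or a phishing-resistant factor removes the class of attack altogether, which is why the advisory's mitigations prefer them over plain push approval.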

“Once an actor has bypassed these systems to gain access to the cloud environment, SVR actors have been observed registering their own device as a new device on the cloud tenant,” the advisory said. “If device validation rules are not set up, SVR actors can successfully register their own device and gain access to the network. By configuring the network with device enrolment policies, there have been instances where these measures have defended against SVR actors and denied them access to the cloud tenant.”

Furthermore, as network-level defenses have improved at detecting suspicious activity, SVR actors have looked for other ways to stay covert on the internet.

“A TTP associated with this actor is the use of residential proxies. Residential proxies typically make traffic appear to originate from IP addresses within internet service provider (ISP) ranges used for residential broadband customers and hide the true source,” the advisory said. “This can make it harder to distinguish malicious connections from typical users. This reduces the effectiveness of network defences that use IP addresses as indicators of compromise, and so it is important to consider a variety of information sources such as application and host-based logging for detecting suspicious activity.”

The latest advisory provided a number of mitigations that will be useful in defending against the activity. It calls for using multi-factor authentication (two-factor authentication/two-step verification) to reduce the impact of password compromises. Accounts that cannot use 2SV should have strong, unique passwords. User and system accounts should be disabled when no longer required with a ‘joiners, movers and leavers’ process in place and regular reviews to identify and disable inactive/dormant accounts.

Furthermore, system and service accounts should follow the principle of least privilege, with tightly scoped access to only the resources the service needs to function. Canary service accounts should be created that appear to be valid service accounts but are never used by legitimate services. Monitoring and alerting on any use of these accounts provides a high-confidence signal that they are being used illegitimately and should be investigated urgently.
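Two of these controls, the canary service account and the periodic review that disables dormant accounts, together with the earlier quoted observation that SVR actors regained access by resetting the password of an inactive account after an eviction, reduce to one triage routine over the account inventory and the authentication events. The following Python is an added example, not code from the advisory or the article; the inventory, the events, the 90-day threshold and the fixed review date are constructed assumptions.

```python
"""Canary-account and dormant-account triage over constructed data.

Added example; the account inventory, event list, 90-day threshold and the
fixed review date are assumptions chosen to make the run reproducible.
"""
from datetime import date, datetime

DORMANT_DAYS = 90
TODAY = date(2024, 2, 26)   # fixed review date so the example is reproducible

# Constructed inventory. last_seen is the last legitimate authentication.
# svc-legacy-etl is a canary: it looks like a real service account but no
# service ever uses it, so any event against it is hostile by definition.
ACCOUNTS = {
    "j.doe":          {"kind": "user",    "canary": False, "last_seen": date(2024, 2, 22)},
    "r.smith":        {"kind": "user",    "canary": False, "last_seen": date(2023, 10, 1)},   # left the org
    "svc-backup":     {"kind": "service", "canary": False, "last_seen": date(2024, 2, 25)},
    "svc-legacy-etl": {"kind": "service", "canary": True,  "last_seen": None},
}

# Constructed events from the day after an enforced, tenant-wide password reset.
EVENTS = [
    {"ts": datetime(2024, 2, 26, 1, 58), "user": "svc-legacy-etl", "action": "signin",         "result": "failure", "src_ip": "203.0.113.9"},
    {"ts": datetime(2024, 2, 26, 2, 14), "user": "r.smith",        "action": "password_reset", "result": "success", "src_ip": "198.51.100.23"},
    {"ts": datetime(2024, 2, 26, 2, 20), "user": "r.smith",        "action": "signin",         "result": "success", "src_ip": "198.51.100.23"},
    {"ts": datetime(2024, 2, 26, 8, 5),  "user": "j.doe",          "action": "signin",         "result": "success", "src_ip": "192.0.2.40"},
    {"ts": datetime(2024, 2, 26, 8, 30), "user": "svc-backup",     "action": "signin",         "result": "success", "src_ip": "192.0.2.41"},
]


def dormant_accounts(accounts=ACCOUNTS, today=TODAY, days=DORMANT_DAYS):
    """Accounts the joiners/movers/leavers review should disable: anything
    not seen for more than `days`. Canaries are excluded on purpose; they
    are meant to look dormant and must stay enabled to keep working as a trap."""
    out = []
    for name, a in accounts.items():
        if a["canary"]:
            continue
        if a["last_seen"] is None or (today - a["last_seen"]).days > days:
            out.append(name)
    return sorted(out)


def triage(events=EVENTS, accounts=ACCOUNTS, days=DORMANT_DAYS):
    """Turn authentication events into alerts.

    - any event against a canary, successful or not, is critical
    - a successful sign-in or password reset on an account idle longer than
      `days` is high: this is the re-activation path the advisory describes,
      where the actor follows the reset instructions sent to everyone
    - activity on an unknown account is medium (inventory drift)
    """
    alerts = []
    for e in events:
        a = accounts.get(e["user"])
        if a is None:
            alerts.append({"severity": "medium", "user": e["user"],
                           "reason": "account not in inventory"})
            continue
        if a["canary"]:
            alerts.append({"severity": "critical", "user": e["user"],
                           "reason": f"canary touched: {e['action']} {e['result']} from {e['src_ip']}"})
            continue
        if e["result"] != "success":
            continue
        idle = None if a["last_seen"] is None else (e["ts"].date() - a["last_seen"]).days
        if idle is None or idle > days:
            alerts.append({"severity": "high", "user": e["user"],
                           "reason": f"dormant account re-activated via {e['action']} after {idle} idle days"})
    return alerts


if __name__ == "__main__":
    print("disable in review:", dormant_accounts())
    for a in triage():
        print(f"{a['severity'].upper():8} {a['user']:16} {a['reason']}")
```

The important ordering point is that the review and the triage are separate: r.smith should have been disabled by the leavers process long before the enforced reset, but because the account survived, the reset e-mail went to it as well and the successful reset and sign-in are the only signal left. Keying the dormancy check on the inventory's last legitimate activity rather than on "most recent login" is what makes the post-eviction re-entry visible.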

Also, session lifetimes should be kept as short as practical to reduce the window of opportunity for an adversary to use stolen session tokens. This should be paired with a suitable authentication method that strikes a balance between regular user authentication and user experience. It also suggests ensuring device enrolment policies are configured to only permit authorized devices to enroll and using zero-touch enrolment where possible, or if self-enrolment is required then use a strong form of 2SV that is resistant to phishing and prompt bombing. Old devices should be prevented from (re-)enrolling when no longer required.

Earlier this month, global cybersecurity agencies published joint guidance providing threat detection information and mitigations applicable to ‘living-off-the-land’ (LOTL) activity, regardless of the threat actor. Many organizations do not implement the security best practices that support detection of LOTL techniques, so the approach continues to be effective with little to no investment in tooling by malicious cyber actors.
