The Five Eyes alliance, made up of the intelligence agencies of Britain, the US, Australia, Canada and New Zealand, has issued a warning that Russian state-backed hackers are turning to cloud services as their targets.
The joint advisory says that instead of trying to gain access to on-premises infrastructure, the threat actors are moving their hunting grounds to cloud-based environments.
The access methods they use remain largely the same: password spraying and brute-force attacks against accounts account for many cloud breaches in recent years.
A Russian storm is gathering in the cloud
The advisory states that the threat actors have followed companies as they move their systems and data to the cloud. As a result, “[threat actors] must go beyond their traditional means of initial access, such as exploiting software vulnerabilities in a local network, and instead target the cloud services themselves.”
Several US federal agencies, including the Department of State, were breached by the Russian group APT29 (also tracked as Cozy Bear, Midnight Blizzard and The Dukes) in the SolarWinds supply-chain attack three years ago, which pushed a trojanized SolarWinds Orion software update to approximately 18,000 customers.
One of the most valuable footholds into a cloud tenant is a dormant account whose access rights were never revoked when the employee left the organization. The attackers also use stolen access tokens to authenticate without supplying a password or answering a multi-factor authentication (MFA) prompt, or, after resetting a password, register a device of their own on the tenant.
A particular hallmark of the Russian state-backed hackers is the MagicWeb malware, deployed once access has been gained. MagicWeb is a backdoor for Active Directory Federation Services (AD FS) that lets the attackers authenticate as any user in the victim's directory, so their activity looks like that of a legitimate user within the organization's infrastructure.
The advisory also outlines a number of mitigation and detection techniques:
- Require 2FA or MFA for account access.
- Use strong, unique passwords and disable accounts that are no longer active, including those of former employees.
- Limit each user's access to only the applications and files needed for their tasks.
- Create early-warning accounts, known as ‘canary accounts’, which look legitimate but are never used for any purpose, so that any sign-in attempt against them signals an unauthorized user.
- Shorten session lifetimes so that a stolen token or session is useful to an attacker for as little time as possible.
- Allow only verified devices to enroll in the organization's tenant, and regularly clean up old devices.
- Draw on a wide range of information sources to identify intrusions rather than relying on a single signal: for example, flag changes in an account's user-agent string as well as connections from suspicious IP addresses, since attackers hide behind residential proxies to defeat IP-based checks.
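The following is an added example, written for this page rather than taken from the advisory or from BleepingComputer, that turns several of the points above into detection logic run over constructed sign-in events: a single source IP failing against many distinct accounts (password spraying), any authentication attempt against a canary account, a successful sign-in to an account that has been dormant for months, and a successful sign-in with a user agent never seen before for that account even though the IP looks ordinary. The event fields, account names, IP addresses, user agents and thresholds are all illustrative assumptions, not fields from any particular provider's log schema.

```python
"""Detection checks for the cloud sign-in patterns described in the advisory.

Runs over a small constructed sample of sign-in events; not real log data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (illustrative field names and values).
EVENTS = [
    # One source IP failing against five different accounts in a few seconds.
    {"ts": "2024-02-26T08:00:01", "user": "alice@example.com", "ip": "203.0.113.7", "ok": False, "ua": "python-requests/2.31"},
    {"ts": "2024-02-26T08:00:03", "user": "bob@example.com",   "ip": "203.0.113.7", "ok": False, "ua": "python-requests/2.31"},
    {"ts": "2024-02-26T08:00:05", "user": "carol@example.com", "ip": "203.0.113.7", "ok": False, "ua": "python-requests/2.31"},
    {"ts": "2024-02-26T08:00:07", "user": "dave@example.com",  "ip": "203.0.113.7", "ok": False, "ua": "python-requests/2.31"},
    {"ts": "2024-02-26T08:00:09", "user": "erin@example.com",  "ip": "203.0.113.7", "ok": False, "ua": "python-requests/2.31"},
    # A legitimate user signing in from a browser at a home IP.
    {"ts": "2024-02-26T08:30:00", "user": "bob@example.com",   "ip": "198.51.100.20", "ok": True, "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/121"},
    # Same user, same unremarkable IP, but a scripted client: looks like token replay.
    {"ts": "2024-02-26T09:10:00", "user": "bob@example.com",   "ip": "198.51.100.20", "ok": True, "ua": "python-requests/2.31"},
    # A canary service account that nobody legitimately uses.
    {"ts": "2024-02-26T09:15:00", "user": "svc-backup-canary@example.com", "ip": "203.0.113.7", "ok": True, "ua": "python-requests/2.31"},
    # An account last seen months ago that suddenly signs in successfully.
    {"ts": "2023-10-01T12:00:00", "user": "frank@example.com", "ip": "198.51.100.31", "ok": True, "ua": "Mozilla/5.0 (Macintosh) Safari/17"},
    {"ts": "2024-02-26T09:20:00", "user": "frank@example.com", "ip": "203.0.113.7", "ok": True, "ua": "python-requests/2.31"},
]

CANARY_ACCOUNTS = {"svc-backup-canary@example.com"}  # assumed canary account name


def parse(events):
    """Convert timestamps to datetime and sort chronologically."""
    parsed = [{**e, "ts": datetime.fromisoformat(e["ts"])} for e in events]
    return sorted(parsed, key=lambda e: e["ts"])


def password_spray_sources(events, min_users=5, window=timedelta(minutes=10)):
    """IPs whose failed attempts cover at least `min_users` distinct accounts inside one window."""
    failures = defaultdict(list)  # ip -> [(ts, user)] in time order
    for e in events:
        if not e["ok"]:
            failures[e["ip"]].append((e["ts"], e["user"]))
    hits = set()
    for ip, attempts in failures.items():
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                hits.add(ip)
                break
    return hits


def canary_activity(events, canaries=CANARY_ACCOUNTS):
    """Any attempt against a canary account, successful or not, is an alert."""
    return [e for e in events if e["user"] in canaries]


def dormant_account_logins(events, idle=timedelta(days=90)):
    """Successful sign-ins to accounts whose previous success is older than `idle`."""
    last_success = {}
    alerts = []
    for e in events:
        if not e["ok"]:
            continue
        prev = last_success.get(e["user"])
        if prev is not None and e["ts"] - prev > idle:
            alerts.append(e)
        last_success[e["user"]] = e["ts"]
    return alerts


def user_agent_changes(events):
    """Successful sign-ins with a user agent never seen before for that account.

    The first success for each account only seeds its baseline; the IP address is
    deliberately ignored, since a residential proxy makes it look ordinary.
    """
    seen = defaultdict(set)
    alerts = []
    for e in events:
        if not e["ok"]:
            continue
        if seen[e["user"]] and e["ua"] not in seen[e["user"]]:
            alerts.append(e)
        seen[e["user"]].add(e["ua"])
    return alerts


def run_all(events=EVENTS):
    """Run every check and return the findings keyed by check name."""
    evs = parse(events)
    return {
        "password_spray_ips": password_spray_sources(evs),
        "canary_hits": canary_activity(evs),
        "dormant_logins": dormant_account_logins(evs),
        "ua_changes": user_agent_changes(evs),
    }


if __name__ == "__main__":
    for name, findings in run_all().items():
        print(f"{name}: {findings}")
```

Note that the second sign-in by bob would pass a purely IP-based rule, since it comes from the same home address as the first; only the user-agent baseline catches it. The dormant-account and user-agent checks both fire on frank's sign-in, which is the kind of corroboration across sources the advisory asks for.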
Via BleepingComputer