The Five Eyes alliance, formed of intelligence agencies from the UK, US, Australia, Canada, and New Zealand, have issued a warning that Russian hacker groups are switching to cloud services as their choice of target.
The joint advisory states that instead of attempting to access on-prem infrastructure, threat actors are shifting their hunting grounds to cloud based environments.
The access methods chosen by the hackers remain largely the same, with password spraying and brute force attacks accounting for many cloud breaches in recent years.
A Russian storm is gathering in the cloud
The advisory states that threat actors have followed businesses as they shifted to the cloud as part of the business transformation trend to do business in the cloud. Therefore, “[threat actors] have to move beyond their traditional means of initial access, such as exploiting software vulnerabilities in an on-premises network, and instead target the cloud services themselves.”
Several federal agencies including the US Department of State were breached by Russian hacker group APT29 (CozyBear, MidnightBlizzard, TheDukes) as a result of the SolarWinds attack three years ago, in which compromised SolarWind software was distributed in an automatic software update to around 18,000 customers.
One of the most lucrative forms of cloud access exists in the form of dormant organization accounts that retain access privileges that have not been revoked when an employee has left the organization. The hackers can also exploit stolen access tokens to bypass credentials and multi-factor authentication (MFA), or hijack devices using password resets.
A particular trademark of Russian-backed hackers in the use of the MagicWeb malware once access is obtained. This malware allows the hackers to disguise themselves as a legitimate user within the organization's infrastructure.
The advisory also issued a number of mitigation and detection techniques:
- Utilizing 2FA or MFA as part of account access
- Using strong and unique passwords, and disabling accounts that are no longer active
- Restricting user access to just the applications and files needed to perform their duties
- Creating early warning accounts known as ‘Canary accounts’, which appear to be legitimate but are never used for any purpose. Therefore, when used, they alert the system to an unauthorized user.
- Establish minimal session lifetimes as standard practice to reduce the window of opportunity available to threat actors.
- Only allow authenticated devices to enroll in the organization, and perform frequent sanitization of old devices.
- Use a wide range of information sources to identify intrusions, rather than just focusing on one (User agent string changes rather than suspicious IP connections).
Via BleepingComputer
More from TechRadar Pro
