APT29 revamps its techniques to breach cloud environments

Russian threat actors APT29 are changing their techniques and expanding their targets to access cloud environments, members of the Five Eyes intelligence alliance have warned.

About APT29

APT29 (aka Midnight Blizzard, aka Cozy Bear) is a cyber espionage group believed to be part of the Russian Foreign Intelligence Service (SVR), known for breaching several US government agencies after the supply chain compromise of SolarWinds software.

Microsoft was victim of the same breach and, more recently, the same threat actors hacked into its corporate mailboxes, stealing emails and attached documents.

APT29 have been known for targeting governments, think tanks, healthcare organizations and the energy sector, but have now expanded their targets to include aviation, education, law enforcement, local and state councils, government financial departments, and military organizations.

APT29 is leveraging new techniques

In a joint advisory, the Five Eyes agencies warned that the group has also adapted its tactics, techniques, and procedures (TTPs).

Instead of exploiting software vulnerabilities to gain initial access, the threat actors now use brute forcing and password spraying to access service accounts and accounts belonging to former employees of victim organizations.

“There is no human user behind them so they cannot be easily protected with multi-factor authentication (MFA), making these accounts more susceptible to a successful compromise. Service accounts are often also highly privileged depending on which applications and services they’re responsible for managing. Gaining access to these accounts provides threat actors with privileged initial access to a network, to launch further operations,” CISA noted.

APT29 has also been using stolen tokens, instead of passwords, to access victims’ accounts, and managed to bypass multi-factor authentication (MFA) by engaging in MFA bombing and taking advantage of consequent MFA fatigue.

“Once an actor has bypassed these systems to gain access to the cloud environment, SVR actors have been observed registering their own device as a new device on the cloud tenant. If device validation rules are not set up, SVR actors can successfully register their own device and gain access to the network,” CISA warned.

Lastly, to hide their activity on the network and the true origin of network traffic, threat actors used residential proxies.

“Once the SVR gain initial access, the actor is capable of deploying highly sophisticated post compromise capabilities such as MagicWeb,” the agency concluded.

Protecting the cloud

The agencies have outlined several best practices to help defend organizations from these threat actors:

• Enable multi-factor authentication (MFA)
• Use strong and unique passwords, especially for accounts that can’t use 2-step verification (2SV)
• Implement the principle of least privilege for system and service accounts
• Create canary service accounts for faster compromise detection
• Adjust the validity time of system-issued tokens
• Allow device enrollment only for authorized devices
• Use various information sources to prevent, detect and investigate unusual behavior