Cybersecurity and intelligence businesses from the 5 Eyes nations have launched a joint advisory detailing the evolving techniques of the Russian state-sponsored menace actor generally known as APT29.
The hacking outfit, also referred to as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (previously Nobelium), and The Dukes, is assessed to be affiliated with the International Intelligence Service (SVR) of the Russian Federation.
Beforehand attributed to the provide chain compromise of SolarWinds software program, the cyber espionage group attracted consideration in latest months for focusing on Microsoft, Hewlett Packard Enterprise (HPE), and different organizations with an purpose to additional their strategic goals.
“As organizations proceed to modernize their methods and transfer to cloud-based infrastructure, the SVR has tailored to those modifications within the working setting,” in keeping with the safety bulletin.
These embrace –
- Acquiring entry to cloud infrastructure through service and dormant accounts by way of brute-force and password spraying assaults, pivoting away from exploiting software program vulnerabilities in on-premise networks
- Utilizing tokens to entry victims’ accounts with out the necessity for a password
- Leveraging password spraying and credential reuse strategies to grab management of private accounts, use immediate bombing to bypass multi-factor authentication (MFA) necessities, after which registering their very own machine to realize entry to the community
- Making it tougher to differentiate malicious connections from typical customers by using residential proxies to make the malicious site visitors seem as if it is originating from IP addresses inside web service supplier (ISP) ranges used for residential broadband clients and conceal their true origins
“For organizations which have moved to cloud infrastructure, the primary line of protection towards an actor reminiscent of SVR needs to be to guard towards SVR’ TTPs for preliminary entry,” the businesses mentioned. “As soon as the SVR features preliminary entry, the actor is able to deploying extremely subtle submit compromise capabilities reminiscent of MagicWeb.”
