Russian cyberespionage group APT29 targeting cloud vulnerabilities


One of Russia’s elite cyberespionage threat groups, APT29, has modified its hacking methods as the governments and corporations it spies on move more of their infrastructure into the cloud.

APT29, also known as Cozy Bear, Midnight Blizzard and Nobelium, has been identified by Western intelligence agencies as a unit of the Russian Foreign Intelligence Service (SVR).

A new advisory from the UK’s National Cyber Security Centre (NCSC) warns the gang has evolved its tactics, techniques, and procedures (TTPs) to gain access more effectively to its victims’ cloud services.

Two of the more infamous attacks attributed to APT29 were the 2016 Democratic National Committee hack and the 2020 supply chain compromise of SolarWinds software. More recently, it was held responsible for hacking the email accounts of Microsoft staff, including members of the company’s senior leadership team, and stealing SharePoint and email files from Hewlett Packard Enterprise.

The dangers of service accounts

The NCSC advisory said APT29 was skilled at using brute forcing and password spraying attacks to access service accounts — accounts not tied to a specific individual that were typically used to run and manage applications and services. Because they were often accessed by more than one person within an organization, service accounts were harder to protect with multi-factor authentication (MFA).

“Service accounts are often also highly privileged depending on which applications and services they’re responsible for managing,” the advisory said.

“Gaining access to these accounts provides threat actors with privileged initial access to a network, to launch further operations.”

The NCSC said APT29 also targeted dormant accounts that remained on the system after users left an organization.

“Following an enforced password reset for all users during an incident, SVR actors have also been observed logging into inactive accounts and following instructions to reset the password. This has allowed the actor to regain access following incident response eviction activities.”

The gang was also observed using a technique known as “MFA bombing” or MFA fatigue to repeatedly push MFA requests to a victim’s device until the victim accepts the notification.
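The two credential-attack patterns described above (password spraying against service accounts, and MFA bombing) both leave a distinctive shape in sign-in telemetry. The following is an added example, not code from the NCSC advisory or from the article's author: it runs two simple detectors over a constructed sign-in log. The log format, field names, thresholds and ten-minute window are assumptions chosen for illustration; a real deployment would read from the cloud provider's sign-in log and tune the thresholds to its own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (illustrative data, not from the advisory).
# Tab-separated fields: UTC timestamp, account, source IP, event kind, result.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z\tsvc-backup\t203.0.113.7\tpassword\tFAIL
2024-03-01T09:00:04Z\tsvc-deploy\t203.0.113.7\tpassword\tFAIL
2024-03-01T09:00:09Z\tsvc-monitor\t203.0.113.7\tpassword\tFAIL
2024-03-01T09:00:15Z\tsvc-etl\t203.0.113.7\tpassword\tFAIL
2024-03-01T09:00:21Z\tsvc-ci\t203.0.113.7\tpassword\tFAIL
2024-03-01T09:00:30Z\tsvc-ci\t203.0.113.7\tpassword\tSUCCESS
2024-03-01T09:05:00Z\talice\t198.51.100.20\tpassword\tFAIL
2024-03-01T09:05:10Z\talice\t198.51.100.20\tpassword\tFAIL
2024-03-01T09:05:20Z\talice\t198.51.100.20\tpassword\tSUCCESS
2024-03-01T10:10:00Z\tbob\t203.0.113.9\tpassword\tSUCCESS
2024-03-01T10:10:05Z\tbob\t203.0.113.9\tmfa_push\tDENIED
2024-03-01T10:10:40Z\tbob\t203.0.113.9\tmfa_push\tTIMEOUT
2024-03-01T10:11:15Z\tbob\t203.0.113.9\tmfa_push\tDENIED
2024-03-01T10:11:50Z\tbob\t203.0.113.9\tmfa_push\tDENIED
2024-03-01T10:12:30Z\tbob\t203.0.113.9\tmfa_push\tTIMEOUT
2024-03-01T10:13:05Z\tbob\t203.0.113.9\tmfa_push\tAPPROVED
"""

WINDOW = timedelta(minutes=10)  # assumed correlation window


def parse_log(text):
    """Parse the constructed log format into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, kind, result = line.split("\t")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "account": account, "ip": ip, "kind": kind, "result": result})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_password_spray(events, min_accounts=5, window=WINDOW):
    """Flag a source IP that fails passwords against many *distinct* accounts in one window.
    A spray is deliberately low-and-slow per account, so per-account lockout never fires;
    pivoting on the source and counting distinct accounts is what exposes it. Any later
    success from the same source is listed so responders can prioritise those accounts."""
    by_ip = defaultdict(list)
    for e in events:
        if e["kind"] == "password" and e["result"] == "FAIL":
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, fails in by_ip.items():
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1  # slide the window forward
            accounts = {f["account"] for f in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                succeeded = sorted({e["account"] for e in events
                                    if e["ip"] == ip and e["kind"] == "password"
                                    and e["result"] == "SUCCESS"
                                    and e["ts"] >= fails[start]["ts"]})
                alerts.append({"kind": "password_spray", "ip": ip,
                               "accounts": sorted(accounts), "succeeded": succeeded})
                break
    return alerts


def detect_mfa_fatigue(events, min_rejected=4, window=WINDOW):
    """Flag an account whose device denied or ignored many MFA pushes in a short span.
    An APPROVED push after the barrage is the 'user gave in' outcome and is reported too."""
    by_acct = defaultdict(list)
    for e in events:
        if e["kind"] == "mfa_push":
            by_acct[e["account"]].append(e)
    alerts = []
    for account, pushes in by_acct.items():
        rejected = [p for p in pushes if p["result"] in ("DENIED", "TIMEOUT")]
        best, start = 0, 0
        for end in range(len(rejected)):
            while rejected[end]["ts"] - rejected[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)  # densest burst of rejections
        if best >= min_rejected:
            approved_after = any(p["result"] == "APPROVED" and p["ts"] > rejected[-1]["ts"]
                                 for p in pushes)
            alerts.append({"kind": "mfa_fatigue", "account": account,
                           "rejected": best, "approved_after": approved_after})
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in detect_password_spray(evs) + detect_mfa_fatigue(evs):
        print(alert)
```

On the sample data the spray detector fires once, for the source that touched five service accounts in twenty seconds, and lists `svc-ci` as the account that subsequently succeeded; the per-user failures for `alice` stay below the distinct-account threshold. The fatigue detector flags `bob` with five rejections followed by an approval, which is the case that warrants an immediate session revocation rather than just a ticket.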

Initial access leaves victims exposed

“Once an actor has bypassed these systems to gain access to the cloud environment, SVR actors have been observed registering their own device as a new device on the cloud tenant,” the advisory said.

“If device validation rules are not set up, SVR actors can successfully register their own device and gain access to the network.”

After gaining initial access, the gang was able to deploy “highly sophisticated post compromise capabilities” such as MagicWeb, a tool APT29 was observed deploying in 2022 that enabled members to maintain persistence within compromised systems and carry out espionage activities.

Patrick Tiquet, Keeper Security’s vice president of security and architecture, said APT29’s targeting of cloud services was emblematic of the evolving nature of cyber threats and the adaptability of malicious actors.

“Cloud environments present attractive targets due to the concentration of sensitive data and critical services,” he said.

Mitigating the risks of service accounts

Tiquet said the generic service accounts APT29 targeted in its cloud-based attacks were often created by organizations for the sake of convenience and streamlined management, especially for automated processes within their cloud environments.

“However, the use of such generic accounts can introduce security vulnerabilities, and if compromised, can grant attackers broad access to critical resources. Additionally, they provide no visibility into who has logged in to the shared account.”

He said organizations should keep an accurate inventory of all service accounts so that they could be regularly audited, and removed or disabled when no longer required.

In its advisory, the NCSC recommended organizations create “canary” service accounts that appeared valid but were never used for legitimate services.

“Monitoring and alerting on the use of these accounts provides a high confidence signal that they are being used illegitimately and should be investigated urgently,” the agency said.
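The three service-account controls discussed above (an audited inventory with stale accounts disabled, a watch for dormant accounts that suddenly reset their password and sign in, and canary accounts whose any use is an alert) can be expressed as a small audit job over sign-in events. The following is an added example and not code from the advisory or from Keeper Security: the inventory, the events, the 90-day dormancy threshold and the audit time are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed service-account inventory (illustrative, not from the advisory).
# 'canary' marks a decoy account that is provisioned but never used legitimately.
INVENTORY = {
    "svc-backup":         {"owner": "infra-team", "canary": False},
    "svc-legacy-etl":     {"owner": "retired project", "canary": False},
    "svc-reporting-prod": {"owner": "none (decoy)", "canary": True},
    "jdoe":               {"owner": "employee who left in 2023", "canary": False},
}

# Constructed sign-in events: UTC timestamp, account, event kind, source IP.
SAMPLE_EVENTS = """\
2023-10-15T08:00:00Z\tjdoe\tsignin\t198.51.100.5
2023-11-01T08:00:00Z\tsvc-legacy-etl\tsignin\t10.0.0.12
2024-02-28T09:00:00Z\tsvc-backup\tsignin\t10.0.0.8
2024-03-01T10:00:00Z\tjdoe\tpassword_reset\t203.0.113.44
2024-03-01T10:02:00Z\tjdoe\tsignin\t203.0.113.44
2024-03-01T11:30:00Z\tsvc-reporting-prod\tsignin\t203.0.113.44
"""

NOW = datetime(2024, 3, 1, 12, 0, 0)   # assumed time at which the audit runs
DORMANT_AFTER = timedelta(days=90)      # assumed inactivity threshold


def parse_events(text):
    """Parse the constructed event format into time-sorted dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, kind, ip = line.split("\t")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "account": account, "kind": kind, "ip": ip})
    events.sort(key=lambda e: e["ts"])
    return events


def canary_alerts(events, inventory):
    """Any activity at all on a canary account is a high-confidence alert:
    there is no legitimate use to distinguish it from."""
    return [{"account": e["account"], "kind": e["kind"], "ip": e["ip"],
             "ts": e["ts"].isoformat()}
            for e in events if inventory.get(e["account"], {}).get("canary")]


def reactivation_alerts(events, dormant_after=DORMANT_AFTER):
    """Flag an account that is silent for at least dormant_after and then acts again.
    The pattern in the advisory (inactive account, self-service password reset, sign-in)
    appears as a long gap whose first event after the gap is a password reset."""
    by_acct = defaultdict(list)
    for e in events:
        by_acct[e["account"]].append(e)
    alerts = []
    for account, evs in by_acct.items():
        for prev, cur in zip(evs, evs[1:]):
            gap = cur["ts"] - prev["ts"]
            if gap >= dormant_after:
                alerts.append({"account": account, "silent_days": gap.days,
                               "resumed_with": cur["kind"], "ip": cur["ip"]})
                break
    return alerts


def stale_accounts(events, inventory, now=NOW, dormant_after=DORMANT_AFTER):
    """List non-canary accounts with no activity within dormant_after: candidates to
    disable or remove. Note that a fresh illegitimate sign-in makes an account look
    active, so this audit complements reactivation_alerts rather than replacing it."""
    last_seen = {}
    for e in events:
        last_seen[e["account"]] = max(last_seen.get(e["account"], e["ts"]), e["ts"])
    stale = []
    for account, meta in inventory.items():
        if meta["canary"]:
            continue
        seen = last_seen.get(account)
        if seen is None or now - seen >= dormant_after:
            stale.append(account)
    return sorted(stale)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("canary:", canary_alerts(evs, INVENTORY))
    print("reactivated:", reactivation_alerts(evs))
    print("stale:", stale_accounts(evs, INVENTORY))
```

On the constructed data the canary `svc-reporting-prod` fires on its single sign-in, `jdoe` is reported as resuming after 138 silent days with a password reset as the first event, and `svc-legacy-etl` is the only account the inventory audit proposes for disabling. The departed user's account is not on that stale list precisely because the attacker's fresh sign-in refreshed its last-seen time, which is why the gap-based check matters alongside the periodic audit.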

The NCSC advisory was issued jointly with the U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and international partner cybersecurity agencies in Canada, Australia and New Zealand.

Originally published by Simon Hendery: Russian cyberespionage group APT29 targeting cloud vulnerabilities

Copyright notice: posted by admin on 2 March 2024 at 2:11 PM.