[author: Daniela Melo]
The UK’s National Cyber Security Centre (NCSC), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and other international partners published an advisory alert on February 26, 2024 outlining recent tactics, techniques, and procedures (TTPs) used by cyber criminals likely associated with the Russian Foreign Intelligence Service (SVR) to gain initial access to cloud environments.
The move by organizations to modernize their systems and move to cloud-based infrastructure has cut cyber criminals off from previously exploited vulnerabilities available in on-premises networks. The TTPs described by the alert have been newly adopted by cyber criminals, such as APT29, in response to this change.
Common TTPs utilized to gain cloud access
The report outlined the following TTPs commonly used by the SVR.
Brute forcing and password spraying: Using automated login and password guessing attacks, SVR has begun to target service accounts as a high value launchpad for further operations. Service accounts are a prime target for this type of access because they are used to allow different applications to interact with each other, making them highly privileged, and usually have no associated human user, making multi-factor authentication (MFA) difficult.
Targeting dormant accounts: SVR actors have been observed logging into inactive accounts and following password reset instructions, allowing them to regain access following incident response eviction activities.
Utilizing cloud-based tokens: SVR actors have been observed utilizing system issued tokens, digital authentication mechanisms used to grant access to accounts and verify identities, to access victim accounts without needing a password.
Bypassing multi-factor authentication: SVR actors have used “MFA bombing” or “MF ..
Support the originator by clicking the read the rest link below.
