CISA: APT29 targeting cloud accounts for initial access

CISA warned that a notorious threat group associated with the Russian Foreign Intelligence Services is increasingly targeting cloud services to gain initial access to victim organizations in the government, healthcare and education sectors.

In a joint government advisory Monday, CISA and the U.K's National Cyber Security Centre (NCSC) detailed recent activity from the advanced persistent threat (APT) group commonly known as APT29, which has launched targeted campaigns against cloud environments. Government agencies attributed the massive SolarWinds breach in 2020 to the Russian nation-state group, which has since expanded targeted organizations to include aviation, education, law enforcement and military.

Over the past year, the government agencies observed APT29, also known as Cozy Bear and Midnight Blizzard, adapting to organizations moving from on-premises to cloud-based infrastructures. The advisory urged enterprises to be on alert because the groups evolved tactics, techniques and procedures (TTPs), which include brute-force attacks and account manipulation, have been successful in gaining initial access to victim organizations.

"They have to move beyond their traditional means of initial access, such as exploiting software vulnerabilities in an on-premises network, and instead target the cloud services themselves," CISA wrote in the advisory.

APT29 leveraged password spraying and brute force attacks to steal credentials for cloud service accounts as well as dormant accounts of former employees despite ongoing warnings that they need to be removed due to security risks. Attackers were also observed compromising inactive accounts to regain access after incident response protocols eliminated the threat.

Based on previous activity, CISA said APT29 "is capable of deploying highly sophisticated post compromise capabilities," so securing initial access points is critical. It appears the group targets service accounts for initial access because they often lack adequate security controls and offer elevated access.

"This type of account is typically used to run and manage applications and services. There is no human user behind them so they cannot be easily protected with multifactor authentication (MFA), making these accounts more susceptible to a successful compromise. Service accounts are often also highly privileged depending on which applications and services they're responsible for managing," the advisory read.

To bypass MFA, the government agencies observed APT29 take advantage of "MFA bombing," which involves threat actors flooding users' devices with notification requests until they are eventually accepted. When successful, attackers can register their own device as a new device on the cloud tenant. If enterprises do not have device validation protocols in place, APT29 actors can register their own devices and gain network access, CISA warned.

Another alarming observation was how APT29 used cloud-based authentication tokens to access victim accounts without the need for a password.

"The default validity time of system-issued tokens varies dependent on the system; however, cloud platforms should allow administrators to adjust the validity time as appropriate for their users," the advisory read.

Jason Soroko, vice president of product at Sectigo, said generic service accounts continue to pose challenges for organizations because the lack of human interaction during the authentication process. He recommended using digital certificates because they are tied to the device directly and don't rely on usernames and passwords.

"Machines need to authenticate to machines and, unfortunately, forms of authentication that were meant for human beings are not well suited. Many generic service accounts are set up for authentication by various forms of workloads that are without human interaction," Soroko told TechTarget Editorial.

APT29 also adjusted its techniques to combat organizations' improved detection capabilities by using residential proxies. The technique can make it more challenging to differentiate between malicious activity and legitimate users.

Some of the TTPs outlined in the advisory were observed in a January attack against Microsoft that was attributed to APT29, which Microsoft tracks as Midnight Blizzard. The threat actor used password spraying to gain initial access to a legacy Microsoft user account that did not have MFA enabled. During the breach, Microsoft also observed that the attacker leveraged a cloud-based authentication token and used a residential proxy to hide their tracks.

CISA's advisory urged enterprises to implement several standard mitigations to secure service accounts and prevent APT29 from gaining initial access. The agency emphasized the mitigations are crucial because the group has shown its capable of deploying global supply chain attacks with the SolarWinds breach.

In addition to enabling MFA, CISA recommended implementing the principle of least privilege to limit access and reducing session lifetimes to defend against stolen tokens. The agency also recommended creating canary service accounts, which appear to be valid accounts but are never used by legitimate services and are continually monitored for threat activity.

Arielle Waldman is a Boston-based reporter covering enterprise security news.