Cyber Defense Agencies from Multiple Countries Release Cloud Computing Threat Advisory

The cyber defense agencies from Australia, New Zealand, the United Kingdom, and the United States issued a joint alert Monday on increased attempts from a cyber espionage group “almost certainly” tied to Russian intelligence agencies to target corporate and government systems using cloud computing services.

Previously, the cybercrime group APT29, the group tied to Russian intelligence services, had targeted government agencies, think tanks, healthcare organizations, and energy companies. The new alert expands the target list to aviation, education, law enforcement, local and state councils, government financial departments, and military organizations.

While the alert is based on new and recent information, cloud-computing as a threat vector is by no means a novel concept. Our editor Megan Gates wrote about a similar warning from the U.S. agency—the Cybersecurity and Infrastructure Security Agency (CISA)—three years ago, followed by another article later in the year on threats to the cloud. Among the tactics featured in those Security Management articles from 2021, are phishing schemes to steal credentials, pass-the-cookie attacks to bypass multifactor authentication, and vulnerabilities to third-party IT systems in use at an organizations.  

The new alert highlights additional ways the nefarious actors are gaining access due to poor password security measures, multifactor bypass techniques, and compromised IT controls. Specifically, it discusses the following vulnerabilities:

They use dormant accounts to gain access and prolong the risk and exposure of a cyber incident. As part of an attack, they find inactive email accounts. When the organization pushes a password reset as part of its incident response, the criminals use the dormant account to reset password credentials, thereby regaining system access.

They use service accounts—a kind of account that runs in IT systems themselves without human intervention and are used to run applications and other IT processes —to gain access. The malicious actors use brute force tactics and password spraying to access these service accounts, which are then used to plant malicious code and grant additional access.

They use token authentication theft. Token authentication is one way to keep users from having to type in credentials for every application or process being used. Tokens are heavily used throughout an IT infrastructure, including cloud infrastructures. When malicious actors are able to gain token access, they can often bypass the need to obtain username and password credentials.

They capitalize on multifactor authentication fatigue. In this case, the cybercriminal has used phishing, password spraying or brute force, or some other way to gain a user’s credentials. However, the criminal is stymied by two-factor authentication. In this case, the criminal continually attempts to login sending continuous two-factor notices to a user’s device, hoping that the user will get tired of the notifications and just grant access. Once bypassed a first time, the criminal can then reset the two-factor device to one they control.

They mask their IP to appear legitimate. With the rapid dramatic increase of work-from-home, one cybersecurity tool has become less effective. Some network defenses use IP addresses as indicators of compromise. In the past, just the number of remote users could cause an alarm. As the number jumped, defenses began looking at the addresses themselves and ignoring ones from residential broadband customers. Criminals have adjusted by using residential proxies to hide their IP source.

CISA noted in its release that the damage a threat actor can cause once they have compromised an organization’s cloud systems is significant. They also said it is critical to close off these initial access vectors to keep them from getting into the cloud. They also referred U.S. federal agencies to CISA’s Secure Cloud Business Applications Project.