Five Eyes top agencies issue warning that Russian hackers are targeting the cloud — and the human factor is once again to blame

News
By Benedict Collins
published

UK NCSC and the FBI, NSA and CISA have issued a dire warning

Russia
(Image credit: Shutterstock)

The Five Eyes alliance, formed of intelligence agencies from the UK, US, Australia, Canada, and New Zealand, have issued a warning that Russian hacker groups are switching to cloud services as their choice of target.

The joint advisory states that instead of attempting to access on-prem infrastructure, threat actors are shifting their hunting grounds to cloud based environments.

The access methods chosen by the hackers remain largely the same, with password spraying and brute force attacks accounting for many cloud breaches in recent years.

A Russian storm is gathering in the cloud

The advisory states that threat actors have followed businesses as they shifted to the cloud as part of the business transformation trend to do business in the cloud. Therefore, “[threat actors] have to move beyond their traditional means of initial access, such as exploiting software vulnerabilities in an on-premises network, and instead target the cloud services themselves.”

Several federal agencies including the US Department of State were breached by Russian hacker group APT29 (CozyBear, MidnightBlizzard, TheDukes) as a result of the SolarWinds attack three years ago, in which compromised SolarWind software was distributed in an automatic software update to around 18,000 customers.

One of the most lucrative forms of cloud access exists in the form of dormant organization accounts that retain access privileges that have not been revoked when an employee has left the organization. The hackers can also exploit stolen access tokens to bypass credentials and multi-factor authentication (MFA), or hijack devices using password resets.

A particular trademark of Russian-backed hackers in the use of the MagicWeb malware once access is obtained. This malware allows the hackers to disguise themselves as a legitimate user within the organization's infrastructure.

The advisory also issued a number of mitigation and detection techniques:

  • Utilizing 2FA or MFA as part of account access
  • Using strong and unique passwords, and disabling accounts that are no longer active
  • Restricting user access to just the applications and files needed to perform their duties
  • Creating early warning accounts known as ‘Canary accounts’, which appear to be legitimate but are never used for any purpose. Therefore, when used, they alert the system to an unauthorized user.
  • Establish minimal session lifetimes as standard practice to reduce the window of opportunity available to threat actors.
  • Only allow authenticated devices to enroll in the organization, and perform frequent sanitization of old devices.
  • Use a wide range of information sources to identify intrusions, rather than just focusing on one (User agent string changes rather than suspicious IP connections).

Via BleepingComputer

More from TechRadar Pro

Benedict Collins
Benedict Collins
Staff Writer (Security)

Benedict Collins is a Staff Writer at TechRadar Pro covering privacy and security. Benedict is mainly focused on security issues such as phishing, malware, and cyber criminal activity, but also likes to draw on his knowledge of geopolitics and international relations to understand the motivations and consequences of state-sponsored cyber attacks. Benedict has a MA in Security, Intelligence and Diplomacy, alongside a BA in Politics with Journalism, both from the University of Buckingham.