Russia's Midnight Blizzard Targets Service Accounts for Initial Cloud Access

Published: 23/11/2024   Category: security




CISA and its counterparts in the UK and other countries this week offered new guidance on how to deal with the threat actor's recent shift to cloud attacks.



Midnight Blizzard, the threat group affiliated with Russian intelligence services (SVR) and the entity behind the attacks on SolarWinds and organizations like Microsoft and HPE, is leveraging automated cloud services accounts and dormant accounts to access cloud environments at target organizations.
The attacks mark a significant shift in tactics for the threat actor (also known as APT29, Cozy Bear, and Dukes) as it adapts to the growing adoption of cloud services by organizations in sectors it has targeted traditionally.
In an advisory Monday, the UK's National Cyber Security Center (NCSC), in collaboration with the US Cybersecurity and Infrastructure Security Agency (CISA) and their counterparts in other countries, warned of the shift in Midnight Blizzard's tactics and the need for organizations to prevent the threat actor from gaining initial access to their cloud environments.
"For organizations that have moved to cloud infrastructure, a first line of defense against an actor such as SVR should be to protect against SVR's TTPs for initial access," the advisory noted, while recommending mitigations against the threat.
The US and others have tied Midnight Blizzard with a high degree of confidence to Russia's SVR, a threat actor that has been active since at least 2009. Initially the group garnered attention for its intelligence-gathering attacks against government agencies, think tanks, and organizations in healthcare and energy. In recent years, and especially since its SolarWinds attack, Midnight Blizzard has targeted numerous other organizations, including those in the software supply chain, healthcare research, law enforcement, aviation, and military industries. Recently, Microsoft and HPE blamed the threat actor for breaking into their respective corporate email environments and accessing emails belonging to senior leadership and key personnel.
In many of its previous attacks, Midnight Blizzard has exploited software vulnerabilities and other network weaknesses to gain initial access to a target organization's on-premises IT infrastructure. But with many of its targets shifting to cloud-native and cloud-hosted environments, the threat actor has been forced to pivot and target cloud services as well. "To access the majority of the victims' cloud-hosted network, actors must first successfully authenticate to the cloud provider," the NCSC said.
One common tactic that Midnight Blizzard has employed to achieve that goal is to use brute-force guessing and password spraying attacks to gain access to cloud service accounts. These are typically automated, non-human accounts for managing cloud applications and services. Such accounts "cannot be easily protected via two-factor authentication mechanisms and are therefore more susceptible to a successful compromise and takeover," the NCSC said.
But there's another issue that makes threat actor takeover of these accounts especially problematic. Gaining access to these accounts "provides threat actors with privileged initial access to a network, to launch further operations," the NCSC warned. In many of these attacks, the threat actors used legitimate residential IP addresses to launch their password spray attacks, making it hard for defenders to spot the activity for what it was.
Another tactic that Midnight Blizzard has used to gain initial access to a target cloud environment is to leverage dormant accounts belonging to users who may no longer be working at a victim organization, but whose account might remain on the system, the advisory noted. On occasion, the threat actor has regained access to a network from which it might have been booted out by logging into inactive accounts and following instructions to reset the password.
Other tactics that Midnight Blizzard has used for initial cloud access include using illegally obtained OAuth tokens to access victim accounts — and maintain persistence — without requiring a password, as well as using so-called MFA bombing or MFA-fatigue attacks to get victims to authenticate them to a target account. Once the threat actor has gained access to a cloud environment, they have often registered their own device on it to gain persistent access.
To mitigate the threat, organizations should use multifactor authentication where they can, to reduce the impact of a password compromise, the NCSC said. In situations where it might be difficult to use a second authentication factor, organizations should create strong passwords for protecting service accounts. The NCSC also recommended that organizations implement the principle of least privilege for service accounts to limit what an attacker could potentially do by misusing one.
In addition, the advisory advocated keeping the session lifetimes of authentication tokens as short as practical to limit what the threat actor could do with a stolen token and making sure that device enrollment policies do not permit registration of unauthorized devices in the cloud environment.
Canary service accounts should be created which appear to be valid service accounts but are never used by legitimate services, the advisory said. Misuse of such accounts is a clear sign of unauthorized access that needs immediate investigation.
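The three detection signals the advisory points at (any use of a canary service account, password spraying from one source against many accounts, and a successful sign-in to a long-dormant account) can be checked in a few lines over sign-in logs. This is an added example, not code from the article or the NCSC advisory; the events, account names, IP addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (no real tenant): (timestamp, user, source_ip, result)
EVENTS = [
    ("2024-11-20T08:00:01", "svc-backup", "203.0.113.10", "failure"),
    ("2024-11-20T08:00:02", "svc-deploy", "203.0.113.10", "failure"),
    ("2024-11-20T08:00:03", "svc-monitor", "203.0.113.10", "failure"),
    ("2024-11-20T08:00:04", "svc-canary-01", "203.0.113.10", "failure"),
    ("2024-11-20T08:00:05", "svc-reporting", "203.0.113.10", "success"),
    ("2024-11-20T09:15:00", "jdoe", "198.51.100.7", "success"),
    ("2024-11-20T09:20:00", "alice", "198.51.100.8", "success"),
]

# Canary accounts are never used by legitimate services, so any attempt is an alert.
CANARY_ACCOUNTS = {"svc-canary-01"}
# Assumed last successful sign-in per account (constructed); jdoe has been gone for months.
LAST_SEEN = {"jdoe": "2024-05-01T00:00:00", "alice": "2024-11-19T17:00:00"}
SPRAY_MIN_ACCOUNTS = 3            # distinct accounts failing from one IP ...
SPRAY_WINDOW = timedelta(minutes=10)  # ... inside this window counts as a spray
DORMANT_AFTER = timedelta(days=90)


def detect(events, canaries=CANARY_ACCOUNTS, last_seen=LAST_SEEN):
    """Return a list of (alert_type, subject, detail) tuples for the given events."""
    alerts = []
    failures_by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        t = datetime.fromisoformat(ts)
        if user in canaries:
            alerts.append(("canary_account_use", user, ip))
        if result == "failure":
            failures_by_ip[ip].append((t, user))
        elif user in last_seen and t - datetime.fromisoformat(last_seen[user]) > DORMANT_AFTER:
            alerts.append(("dormant_account_signin", user, ip))
    # Password spray: one source IP, many distinct accounts, short time span.
    for ip, fails in failures_by_ip.items():
        fails.sort()
        for i, (t0, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - t0 <= SPRAY_WINDOW}
            if len(users) >= SPRAY_MIN_ACCOUNTS:
                alerts.append(("password_spray", ip, len(users)))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

On the constructed events this raises three alerts: the canary account attempt, the dormant-account sign-in by jdoe, and a spray of four accounts from 203.0.113.10; the single success for svc-reporting inside the spray is the sign-in that would warrant immediate investigation.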
