
APT29 revamps its techniques to breach cloud environments
2024-02-27 12:05

The Russian threat actor APT29 is changing its techniques and expanding its targeting to gain access to cloud environments, members of the Five Eyes intelligence alliance have warned.

Microsoft was a victim of an earlier APT29 breach and, more recently, the same threat actor broke into its corporate mailboxes, stealing emails and attached documents.

"There is no human user behind them so they cannot be easily protected with multi-factor authentication, making these accounts more susceptible to a successful compromise. Service accounts are often also highly privileged depending on which applications and services they're responsible for managing. Gaining access to these accounts provides threat actors with privileged initial access to a network, to launch further operations," CISA noted.

APT29 has also been using stolen access tokens, rather than passwords, to get into victims' accounts, and has bypassed multi-factor authentication through MFA bombing: repeatedly pushing MFA prompts to a user until the resulting MFA fatigue leads them to approve one.

"Once an actor has bypassed these systems to gain access to the cloud environment, SVR actors have been observed registering their own device as a new device on the cloud tenant. If device validation rules are not set up, SVR actors can successfully register their own device and gain access to the network," CISA warned.
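The two behaviours described above (an MFA-fatigue approval, and a device registered shortly after a sign-in from an address the user has never used) are both visible in sign-in telemetry. The following detector is an added example written for this page; it is not code from the advisory, from CISA or from Help Net Security. It assumes a simplified, constructed log format of one event per line (`timestamp user event result source_ip`) and the thresholds (three failed prompts in ten minutes, a one-hour window before a device registration) are illustrative choices, not values from the advisory.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events in a simplified sign-in-log shape (not real telemetry).
# Columns: timestamp user event result source_ip
SAMPLE_LOG = """\
2024-02-19T15:00:00Z carol signin success 192.0.2.9
2024-02-20T08:00:01Z alice mfa_prompt denied 203.0.113.5
2024-02-20T08:00:40Z alice mfa_prompt timeout 203.0.113.5
2024-02-20T08:01:15Z alice mfa_prompt denied 203.0.113.5
2024-02-20T08:01:50Z alice mfa_prompt approved 203.0.113.5
2024-02-20T08:02:05Z alice signin success 203.0.113.5
2024-02-20T08:20:00Z alice device_register success 203.0.113.5
2024-02-20T09:00:00Z bob mfa_prompt approved 198.51.100.7
2024-02-20T09:00:10Z bob signin success 198.51.100.7
2024-02-20T14:10:00Z carol signin success 192.0.2.9
2024-02-20T15:00:00Z carol device_register success 192.0.2.9
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str    # mfa_prompt | signin | device_register (assumed event names)
    result: str  # denied | timeout | approved | success
    ip: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, result, ip = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, user, kind, result, ip))
    return sorted(events, key=lambda e: e.ts)


def mfa_fatigue(events: list[Event], min_failures: int = 3,
                window: timedelta = timedelta(minutes=10)) -> list[tuple[str, datetime, int]]:
    """Flag an approved MFA prompt preceded, within `window`, by at least
    `min_failures` denied or timed-out prompts for the same user: the
    signature of a push-bombing campaign that finally wore the user down."""
    hits = []
    history: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        if e.kind != "mfa_prompt":
            continue
        if e.result == "approved":
            recent_failures = [p for p in history[e.user]
                               if e.ts - p.ts <= window and p.result in ("denied", "timeout")]
            if len(recent_failures) >= min_failures:
                hits.append((e.user, e.ts, len(recent_failures)))
        history[e.user].append(e)
    return hits


def device_registration_from_new_ip(events: list[Event],
                                    window: timedelta = timedelta(hours=1)) -> list[tuple[str, datetime, str]]:
    """Flag a device registration that follows, within `window`, a successful
    sign-in from an IP the user had no earlier (pre-window) sign-in from.
    A legitimate user registering a new laptop from their usual address is
    not flagged; an intruder who just signed in with a stolen token from a
    fresh address and immediately enrolled a device is."""
    hits = []
    signins: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        if e.kind == "signin" and e.result == "success":
            signins[e.user].append(e)
        elif e.kind == "device_register":
            baseline_ips = {s.ip for s in signins[e.user] if e.ts - s.ts > window}
            recent = [s for s in signins[e.user] if e.ts - s.ts <= window]
            for s in recent:
                if s.ip not in baseline_ips:
                    hits.append((e.user, e.ts, s.ip))
                    break
    return hits


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for user, ts, n in mfa_fatigue(evts):
        print(f"MFA fatigue: {user} approved a prompt at {ts} after {n} refusals")
    for user, ts, ip in device_registration_from_new_ip(evts):
        print(f"Device registered by {user} at {ts} after sign-in from new IP {ip}")
```

On the constructed sample, only alice trips both rules: three refused prompts followed by an approval, then a device enrolled eighteen minutes after a sign-in from an address with no history for that account. Detection of this kind is a backstop; the durable fix the advisory points at is a device validation rule that refuses registrations and sign-ins from unmanaged devices in the first place.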

"Once the SVR gain initial access, the actor is capable of deploying highly sophisticated post compromise capabilities such as MagicWeb," the agency concluded.


News URL

https://www.helpnetsecurity.com/2024/02/27/apt29-changing-techniques/