Five Eyes top agencies issue warning that Russian hackers are targeting the cloud — and the human factor is once again to blame
The Five Eyes alliance, formed of intelligence agencies from the UK, US, Australia, Canada, and New Zealand, has issued a warning that Russian hacker groups are switching to cloud services as their preferred target.
The joint advisory states that instead of attempting to access on-prem infrastructure, threat actors are shifting their hunting grounds to cloud-based environments.
The access methods chosen by the hackers remain largely the same, with password spraying and brute-force attacks accounting for many cloud breaches in recent years.
A Russian storm is gathering in the cloud
The advisory states that threat actors have followed businesses into the cloud as organizations moved their infrastructure there as part of the wider digital transformation trend. As a result, the agencies write, “[threat actors] have to move beyond their traditional means of initial access, such as exploiting software vulnerabilities in an on-premises network, and instead target the cloud services themselves.”
Several federal agencies, including the US Department of State, were breached by the Russian hacker group APT29 (also tracked as Cozy Bear, Midnight Blizzard and the Dukes) as a result of the SolarWinds supply chain attack in 2020, in which a compromised SolarWinds Orion software update was distributed automatically to around 18,000 customers.
One of the most common routes into cloud environments is through dormant organization accounts that retain access privileges which were never revoked when an employee left. The hackers can also use stolen access tokens to authenticate without needing credentials or multi-factor authentication (MFA), or hijack devices via password resets.
A particular trademark of Russian-backed hackers is the use of the MagicWeb malware once access has been obtained. MagicWeb, a backdoor for Active Directory Federation Services (AD FS), allows the hackers to authenticate as a legitimate user within the organization’s infrastructure.
The advisory also lists a number of mitigation and detection techniques:
- Require 2FA or MFA for account access
- Use strong, unique passwords, and disable accounts that are no longer active
- Restrict each user's access to only the applications and files needed to perform their duties
- Create early-warning accounts, known as ‘canary accounts’, which appear legitimate but are never used for any purpose; any sign-in to one therefore signals an unauthorized user
- Keep session lifetimes short as standard practice to reduce the window of opportunity available to threat actors
- Allow only authorized devices to enroll in the organization's tenant, and regularly remove stale device registrations
- Use a wide range of information sources to identify intrusions rather than relying on a single one (for example, changes in a session's user agent string as well as suspicious IP connections)
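The detection items in the list above are easier to reason about with concrete log data. The following script is an added example written for this page, not code from the advisory or from any of the agencies; it triages a handful of constructed JSON sign-in records (generic field names, not any provider's real schema) and implements three of the advisory's points: alerting on any use of a canary account, spotting a password spray as one source IP failing against many distinct accounts in a short window, and flagging a successful sign-in only when both the IP and the user agent are new for that user, rather than paging on an unfamiliar IP alone. The canary account name, the thresholds and all log lines are assumptions.

```python
"""Sign-in log triage for canary accounts, password spraying and changed session
fingerprints. Example code for this article; all data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Assumption: this account exists only as a canary and is never used legitimately.
CANARY_ACCOUNTS = {"svc-backup-legacy@example.com"}
SPRAY_MIN_ACCOUNTS = 5                 # distinct accounts failed from one IP ...
SPRAY_WINDOW = timedelta(minutes=10)   # ... within this window

# Constructed sample sign-in records (not real telemetry; generic field names).
SAMPLE_LOG = """\
{"ts":"2024-02-26T08:50:00Z","user":"carol@example.com","ip":"203.0.113.50","ua":"Mozilla/5.0 Firefox/122","result":"success"}
{"ts":"2024-02-26T09:00:00Z","user":"alice@example.com","ip":"203.0.113.7","ua":"Mozilla/5.0 Chrome/121","result":"success"}
{"ts":"2024-02-26T09:01:00Z","user":"alice@example.com","ip":"198.51.100.9","ua":"python-requests/2.31","result":"success"}
{"ts":"2024-02-26T09:02:00Z","user":"bob@example.com","ip":"192.0.2.44","ua":"Mozilla/5.0 Chrome/120","result":"failure"}
{"ts":"2024-02-26T09:03:00Z","user":"carol@example.com","ip":"192.0.2.44","ua":"Mozilla/5.0 Chrome/120","result":"failure"}
{"ts":"2024-02-26T09:04:00Z","user":"dave@example.com","ip":"192.0.2.44","ua":"Mozilla/5.0 Chrome/120","result":"failure"}
{"ts":"2024-02-26T09:05:00Z","user":"erin@example.com","ip":"192.0.2.44","ua":"Mozilla/5.0 Chrome/120","result":"failure"}
{"ts":"2024-02-26T09:06:00Z","user":"frank@example.com","ip":"192.0.2.44","ua":"Mozilla/5.0 Chrome/120","result":"failure"}
{"ts":"2024-02-26T09:07:00Z","user":"svc-backup-legacy@example.com","ip":"192.0.2.44","ua":"Mozilla/5.0 Chrome/120","result":"failure"}
{"ts":"2024-02-26T09:10:00Z","user":"carol@example.com","ip":"203.0.113.51","ua":"Mozilla/5.0 Firefox/122","result":"success"}
"""


def parse_log(text):
    """Parse one JSON record per line; 'ts' becomes a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def canary_hits(events):
    """Any use of a canary account, successful or not, is an alert."""
    return [(e["user"], e["ip"], e["result"]) for e in events if e["user"] in CANARY_ACCOUNTS]


def detect_spray(events):
    """Password spray: one source IP failing against many distinct accounts inside
    SPRAY_WINDOW. Returns {ip: sorted list of targeted accounts}."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["ip"]].append(e)
    hits = {}
    for ip, evs in failures.items():
        start = 0
        for end in range(len(evs)):          # sliding window over time-sorted failures
            while evs[end]["ts"] - evs[start]["ts"] > SPRAY_WINDOW:
                start += 1
            users = {x["user"] for x in evs[start:end + 1]}
            if len(users) >= SPRAY_MIN_ACCOUNTS:
                hits[ip] = sorted(users)
    return hits


def detect_changed_fingerprint(events):
    """Flag a successful sign-in whose IP AND user agent are both unseen for that
    user. Requiring two signals avoids paging on every new IP (VPNs, proxies, mobile)."""
    seen_ips, seen_uas, hits = defaultdict(set), defaultdict(set), []
    for e in events:
        if e["result"] != "success":
            continue
        u = e["user"]
        if seen_ips[u] and e["ip"] not in seen_ips[u] and e["ua"] not in seen_uas[u]:
            hits.append((u, e["ip"], e["ua"]))
        seen_ips[u].add(e["ip"])
        seen_uas[u].add(e["ua"])
    return hits


def triage(text=SAMPLE_LOG):
    """Run all three detections over a log and return their findings."""
    events = parse_log(text)
    return {
        "canary": canary_hits(events),
        "spray": detect_spray(events),
        "fingerprint": detect_changed_fingerprint(events),
    }


if __name__ == "__main__":
    for name, findings in triage().items():
        print(name, findings)
```

On the sample data the spray detector fires for 192.0.2.44 (six accounts in five minutes, the canary among them), the canary check fires on the same IP, and the fingerprint check flags only alice's second sign-in, where a scripted client appeared from a new address; carol's later sign-in from a new IP with her usual browser is deliberately left alone.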
Via BleepingComputer