
Five Eyes Agencies Expose APT29’s Evolving Cloud Attack Tactics

February 27, 2024

Cybersecurity and intelligence agencies from the Five Eyes nations have released a joint advisory detailing the evolving tactics of the Russian state-sponsored threat actor known as APT29.

The hacking outfit, also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes, is assessed to be affiliated with the Foreign Intelligence Service (SVR) of the Russian Federation.

Previously attributed to the supply chain compromise of SolarWinds software, the cyber espionage group has drawn attention in recent months for targeting Microsoft, Hewlett Packard Enterprise (HPE), and other organizations with an aim to further their strategic objectives.


“As organizations continue to modernize their systems and move to cloud-based infrastructure, the SVR has adapted to these changes in the operating environment,” according to the security bulletin.


These include –

  • Obtaining access to cloud infrastructure via service and dormant accounts by means of brute-force and password spraying attacks, pivoting away from exploiting software vulnerabilities in on-premise networks
  • Using tokens to access victims’ accounts without the need for a password
  • Leveraging password spraying and credential reuse techniques to seize control of personal accounts, using prompt bombing to bypass multi-factor authentication (MFA) requirements, and then registering their own device to gain access to the network
  • Making it harder to distinguish malicious connections from typical users by using residential proxies to make the malicious traffic appear as if it is originating from IP addresses within internet service provider (ISP) ranges used for residential broadband customers and conceal their true origins

“For organizations that have moved to cloud infrastructure, the first line of defense against an actor such as SVR must be to protect against SVR's TTPs for initial access,” the agencies said. “Once the SVR gains initial access, the actor is capable of deploying highly sophisticated post-compromise capabilities such as MagicWeb.”
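One way to detect the prompt-bombing and device-registration sequence from the list above, added here as an example and not taken from the advisory or this article. The event schema, account names and IP addresses are constructed for illustration; events are correlated per account rather than per source IP, because residential proxies make the source address an unreliable key.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema:
# (timestamp, account, event type, source IP). Not a vendor log format.
EVENTS = [
    ("2024-02-27T09:00:05", "alice", "mfa_denied", "198.51.100.7"),
    ("2024-02-27T09:01:10", "alice", "mfa_denied", "203.0.113.40"),
    ("2024-02-27T09:02:00", "alice", "mfa_denied", "198.51.100.7"),
    ("2024-02-27T09:03:30", "alice", "mfa_denied", "192.0.2.91"),
    ("2024-02-27T09:04:00", "alice", "mfa_approved", "192.0.2.91"),
    ("2024-02-27T09:09:00", "alice", "device_registered", "192.0.2.91"),
    # One mistaken denial, then a normal enrolment: should not alert.
    ("2024-02-27T10:00:00", "bob", "mfa_denied", "192.0.2.10"),
    ("2024-02-27T10:00:30", "bob", "mfa_approved", "192.0.2.10"),
    ("2024-02-27T10:05:00", "bob", "device_registered", "192.0.2.10"),
    # Denials spread over hours, not a burst: should not alert.
    ("2024-02-27T08:00:00", "carol", "mfa_denied", "192.0.2.20"),
    ("2024-02-27T09:00:00", "carol", "mfa_denied", "192.0.2.20"),
    ("2024-02-27T10:00:00", "carol", "mfa_denied", "192.0.2.20"),
    ("2024-02-27T10:01:00", "carol", "mfa_approved", "192.0.2.20"),
    ("2024-02-27T10:02:00", "carol", "device_registered", "192.0.2.20"),
]

def find_prompt_bombing(events, min_denied=3,
                        window=timedelta(minutes=10), follow=timedelta(hours=1)):
    """Alert on a burst of denied MFA prompts, then an approval, then a new device."""
    by_user = defaultdict(list)
    for ts, user, kind, ip in events:
        by_user[user].append((datetime.fromisoformat(ts), kind, ip))
    alerts = []
    for user, evs in by_user.items():
        evs.sort()  # process each account's events in time order
        denied, approved_at = [], None
        for ts, kind, ip in evs:
            if kind == "mfa_denied":
                # Keep only denials still inside the sliding window.
                denied = [t for t in denied if ts - t <= window] + [ts]
            elif kind == "mfa_approved":
                burst = [t for t in denied if ts - t <= window]
                approved_at = ts if len(burst) >= min_denied else None
                denied = []
            elif kind == "device_registered" and approved_at is not None:
                if ts - approved_at <= follow:
                    alerts.append({"user": user, "approved_at": approved_at.isoformat(),
                                   "device_registered_at": ts.isoformat(), "ip": ip})
                approved_at = None
    return alerts
```

The thresholds (`min_denied`, `window`, `follow`) are assumptions to tune against an organization's own baseline of denied prompts.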



Some elements of this post are sourced from:
thehackernews.com
