One of Russia’s elite cyberespionage threat groups, APT29, has modified its hacking methods as the governments and corporations it spies on move more of their infrastructure into the cloud.
APT29, also known as Cozy Bear, Midnight Blizzard and Nobelium, has been identified by Western intelligence agencies as a unit of the Russian Foreign Intelligence Service (SVR).
A new advisory from the UK’s National Cyber Security Centre (NCSC) warns the gang has evolved its tactics, techniques, and procedures (TTPs) to gain access more effectively to its victims’ cloud services.
Two of the more infamous attacks attributed to APT29 were the 2016 Democratic National Committee hack and the 2020 supply chain compromise of SolarWinds software. More recently, it was held responsible for hacking the email accounts of Microsoft staff, including members of the company’s senior leadership team, and stealing SharePoint and email files from Hewlett Packard Enterprise.
The dangers of service accounts
The NCSC advisory said APT29 was skilled at using brute-force and password-spraying attacks to access service accounts: accounts not tied to a specific individual, typically used to run and manage applications and services. Because they were often shared by more than one person within an organization, service accounts were harder to protect with multi-factor authentication (MFA).
“Service accounts are often also highly privileged depending on which applications and services they’re responsible for managing,” the advisory said.
“Gaining access to these accounts provides threat actors with privileged initial access to a network, to launch further operations.”
The NCSC said APT29 also targeted dormant accounts that remained on the system after users left an organization.
“Following an enforced password reset for all users during an incident, SVR actors have also been observed logging into inactive accounts and following instructions to reset the password. This has allowed the actor to regain access following incident response eviction activities.”
The gang was also observed using a technique known as “MFA bombing” or MFA fatigue to repeatedly push MFA requests to a victim’s device until the victim accepts the notification.
Initial access leaves victims exposed
“Once an actor has bypassed these systems to gain access to the cloud environment, SVR actors have been observed registering their own device as a new device on the cloud tenant,” the advisory said.
“If device validation rules are not set up, SVR actors can successfully register their own device and gain access to the network.”
After gaining initial access, the gang was able to deploy “highly sophisticated post compromise capabilities” such as MagicWeb, a tool APT29 was observed deploying in 2022 that enabled members to maintain persistence within compromised systems and carry out espionage activities.
Patrick Tiquet, Keeper Security’s vice president of security and architecture, said APT29’s targeting of cloud services was emblematic of the evolving nature of cyber threats and the adaptability of malicious actors.
“Cloud environments present attractive targets due to the concentration of sensitive data and critical services,” he said.
Mitigating the risks of service accounts
Tiquet said the type of generic service accounts APT29 targeted in its cloud-based attacks were often created by organizations for the sake of convenience and streamlined management, especially for automated processes within their cloud environments.
“However, the use of such generic accounts can introduce security vulnerabilities, and if compromised, can grant attackers broad access to critical resources. Additionally, they provide no visibility into who has logged in to the shared account.”
He said organizations should keep an accurate inventory of all service accounts so that they could be regularly audited, and removed or disabled when no longer required.
In its advisory, the NCSC recommended organizations create “canary” service accounts that appeared valid but were never used for legitimate services.
“Monitoring and alerting on the use of these accounts provides a high confidence signal that they are being used illegitimately and should be investigated urgently,” the agency said.
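The three behaviours this article describes (password spraying against service accounts, a leaver's dormant account signing in again after an incident-response reset, and any touch of a canary service account) are all visible in ordinary cloud sign-in logs. The script below is an added example, not code from the NCSC advisory, Keeper Security or this article: it builds a constructed, Entra-style sign-in log inline (the field names, the example.com accounts and the thresholds are assumptions, not any vendor's schema) and runs one detection for each behaviour.

```python
"""Sign-in log triage for the APT29 cloud TTPs discussed above.

Added example: an Entra-ID-style sign-in log is constructed inline, then
scanned for (1) password spraying against service accounts, (2) successful
sign-ins to dormant accounts and (3) any use of canary service accounts.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log. Field names resemble common cloud sign-in
# exports but are an assumption, not any vendor's exact schema.
T0 = datetime(2024, 2, 26, 9, 0, 0)
SIGNINS = [
    # One source IP trying a password against many service accounts within
    # minutes: few attempts per account, so per-account lockout never trips.
    {"ts": T0 + timedelta(seconds=10 * i), "account": f"svc-app{i:02d}@example.com",
     "ip": "203.0.113.77", "result": "failure"}
    for i in range(8)
] + [
    # The spray succeeds against one service account that has no MFA.
    {"ts": T0 + timedelta(minutes=2), "account": "svc-backup@example.com",
     "ip": "203.0.113.77", "result": "success"},
    # A normal user mistyping once from their own network is not a spray.
    {"ts": T0 + timedelta(minutes=5), "account": "alice@example.com",
     "ip": "198.51.100.10", "result": "failure"},
    {"ts": T0 + timedelta(minutes=6), "account": "alice@example.com",
     "ip": "198.51.100.10", "result": "success"},
    # A leaver's account, idle for months, signs in the day after the
    # incident-response password reset (the re-entry path quoted above).
    {"ts": T0 + timedelta(days=1), "account": "jdoe@example.com",
     "ip": "203.0.113.77", "result": "success"},
    # A canary service account that no legitimate workload ever uses.
    {"ts": T0 + timedelta(days=1, minutes=3), "account": "svc-erp-sync@example.com",
     "ip": "203.0.113.77", "result": "failure"},
]

# Constructed account inventory: last known legitimate sign-in per account
# (None = never used). Keeping this inventory is the audit Tiquet recommends.
INVENTORY = {
    "svc-backup@example.com": T0 - timedelta(days=2),
    "alice@example.com": T0 - timedelta(days=1),
    "jdoe@example.com": T0 - timedelta(days=200),   # left the company
    "svc-erp-sync@example.com": None,                # canary: never used
}
CANARY_ACCOUNTS = {"svc-erp-sync@example.com"}


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: sorted accounts} for source IPs whose failed sign-ins hit
    at least min_accounts distinct accounts inside one sliding window."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "failure":
            failures[e["ip"]].append(e)
    flagged = {}
    for ip, evs in failures.items():
        for i, start in enumerate(evs):          # evs is time-ordered
            targets = {x["account"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(targets) >= min_accounts:
                flagged[ip] = sorted(targets)
                break
    return flagged


def dormant_account_signins(events, inventory, dormant_after=timedelta(days=90)):
    """Successful sign-ins to accounts idle longer than dormant_after (or
    never used). Such accounts should have been disabled, not just reset."""
    hits = []
    for e in events:
        if e["result"] != "success" or e["account"] not in inventory:
            continue
        last = inventory[e["account"]]
        if last is None or e["ts"] - last > dormant_after:
            hits.append((e["account"], e["ip"]))
    return hits


def canary_alerts(events, canaries):
    """Any attempt against a canary, successful or not, is high-confidence:
    nothing legitimate should know these accounts exist."""
    return [(e["account"], e["ip"], e["result"]) for e in events if e["account"] in canaries]


if __name__ == "__main__":
    for ip, accounts in detect_password_spray(SIGNINS).items():
        print(f"SPRAY   {ip} -> {len(accounts)} accounts, e.g. {accounts[0]}")
    for account, ip in dormant_account_signins(SIGNINS, INVENTORY):
        print(f"DORMANT {account} signed in from {ip}")
    for account, ip, result in canary_alerts(SIGNINS, CANARY_ACCOUNTS):
        print(f"CANARY  {account} {result} from {ip}")
```

The spray detector keys on source IP and counts distinct accounts rather than attempts per account, which is what distinguishes spraying from ordinary lockout-triggering brute force; in a real tenant the same IP will also appear behind the successful `svc-backup` sign-in, so a hit should pivot straight to every success from that address. The canary check deliberately alerts on failures as well as successes, matching the advisory's point that any use of such an account is a signal in itself.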
The NCSC advisory was issued jointly with the U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and international partner cybersecurity agencies in Canada, Australia and New Zealand.