February 27th – A recent advisory from the U.K. National Cyber Security Centre (NCSC) and international partners highlights the recently developed tactics, techniques and procedures (TTPs) used by APT 29 (also known as Midnight Blizzard, the Dukes or Cozy Bear).
The U.S. National Security Agency (NSA), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber National Mission Force (CNMF), the Federal Bureau of Investigation (FBI), the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS) and the New Zealand National Cyber Security Centre (NCSC) agree with the attribution and details.
Threat actor activity
This particular group of threat actors is targeting governmental, think tank, healthcare and energy targets for the purpose of gathering intelligence.
The threat actors may also be expanding their focus to include aviation groups, educational institutions, law enforcement, local and state councils, government financial departments and military organizations.
Evolving TTPS
To breach victims’ cloud-hosted networks, actors are authenticating to the cloud provider. Cyber security professionals who can deny initial access to the cloud environment can effectively prevent APT 29 from compromising the organization.
When it comes to the cloud, in contrast with an on-premise system, more of the network is generally exposed to threats.
Cloud-based token authentication
Account access is typically authenticated via either username and password credentials or system-issued access tokens. In this case, tokens have been used to access victims’ accounts, rendering passwords obsolete.
System-issued tokens have varied default validity times. However, cloud platforms should allow admins to adjust the validity time as appropriate for users. Further information about mitigations can be found below.
Mitigation
According to Check Point cyber security expert Muhammad Yahya Patel, the following mitigations can be applied:
1. Implement MFA to reduce the impact of password compromises.
2. Accounts that cannot use MFA should have strong, unique passwords. Regularly review and disable inactive or dormant accounts.
3. System and service accounts should have minimal access necessary to function.
4. Create dummy accounts that appear valid but are not used for legitimate services. Monitor and investigate any usage as potential illegitimate access.
5. Keep session token lifetimes short to reduce window of opportunity for misuse.
6. Configure policies to permit only authorized devices. Use strong 2SV for enrollment.
7. Diverse information sources to help investigate malicious behaviors.
For more insights, please click here. Lastly, subscribe to the CyberTalk.org newsletter for timely insights, cutting-edge analyses and more, delivered straight to your inbox each week.