Brief
Summary:
The UK National Cyber Security Centre (NCSC) and international partners have released an advisory on the tactics, techniques, and procedures (TTPs) of APT29, a cyber espionage group attributed to the SVR (Russia's foreign intelligence service). The advisory gives an overview of the TTPs APT29 has recently used to gain initial access to cloud environments and offers advice on detection and mitigation.
Key TTPs include:
1. Access via service and dormant accounts: APT29 uses brute forcing and password spraying to access service accounts, which are often highly privileged and not easily protected with multi-factor authentication (MFA).
2. Cloud-based token authentication: APT29 uses tokens to access accounts without needing a password, often exploiting default token validity times.
3. Enrolling new devices to the cloud: APT29 bypasses password authentication on personal accounts and then registers its own device as a new device on the cloud tenant, often using MFA bombing (repeated push prompts until the user accepts one) to get around MFA defenses.
4. Residential proxies: APT29 uses residential proxies to hide the true source of traffic, making it harder to detect malicious connections.
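The first and third TTPs above both leave a footprint in sign-in telemetry: a spray shows up as one source failing against many accounts, and MFA bombing followed by device enrolment shows up as repeated denied prompts shortly before a registration. The following detection logic is an added example, not part of the advisory or the NCSC's guidance; the event tuple format and the field values are constructed, and the thresholds are illustrative.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in telemetry (hypothetical format, not from the advisory):
# (timestamp, account, source IP, event type, result)
EVENTS = [
    ("2024-02-26T09:00:00", "svc-backup", "203.0.113.7", "signin", "fail"),
    ("2024-02-26T09:00:05", "svc-report", "203.0.113.7", "signin", "fail"),
    ("2024-02-26T09:00:09", "svc-sync", "203.0.113.7", "signin", "fail"),
    ("2024-02-26T09:00:14", "svc-monitor", "203.0.113.7", "signin", "fail"),
    ("2024-02-26T10:00:00", "bob", "198.51.100.9", "mfa_prompt", "denied"),
    ("2024-02-26T10:01:00", "bob", "198.51.100.9", "mfa_prompt", "denied"),
    ("2024-02-26T10:02:00", "bob", "198.51.100.9", "mfa_prompt", "denied"),
    ("2024-02-26T10:03:00", "bob", "198.51.100.9", "mfa_prompt", "approved"),
    ("2024-02-26T10:04:00", "bob", "198.51.100.9", "device_register", "success"),
    ("2024-02-26T11:00:00", "carol", "192.0.2.5", "device_register", "success"),
]

def parse(events):
    return [(datetime.fromisoformat(ts), u, ip, ev, res) for ts, u, ip, ev, res in events]

def detect_password_spray(events, min_accounts=4, window=timedelta(minutes=10)):
    """Source IPs failing against >= min_accounts distinct accounts inside one window.
    Spraying is few passwords across many accounts, so the signal is account breadth."""
    fails = defaultdict(list)
    for ts, user, ip, ev, res in parse(events):
        if ev == "signin" and res == "fail":
            fails[ip].append((ts, user))
    flagged = {}
    for ip, attempts in fails.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for ts, u in attempts[i:] if ts - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = sorted(users)
                break
    return flagged

def detect_bombing_then_enrol(events, min_denials=3, window=timedelta(minutes=30)):
    """Device registrations preceded by repeated denied MFA prompts for the same account."""
    parsed = parse(events)
    flagged = []
    for ts, user, _, ev, _ in parsed:
        if ev == "device_register":
            denials = sum(1 for t2, u2, _, e2, r2 in parsed if u2 == user
                          and e2 == "mfa_prompt" and r2 == "denied" and ts - window <= t2 < ts)
            if denials >= min_denials:
                flagged.append((user, ts.isoformat(), denials))
    return flagged
```

Per-account lockout thresholds do not trip on a spray, which is why the first detector groups by source rather than by account; in production the source would be a sign-in log export rather than an inline list.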
To mitigate these TTPs, organizations should:
1. Use multi-factor authentication
2. Implement strong, unique passwords for all accounts
3. Disable inactive/dormant accounts and manage access with a "joiners
