Russian ‘Midnight Blizzard’ targets service accounts for initial cloud access

“Midnight Blizzard,” the threat group affiliated with the Russian Intelligence Services (SVR) and the entity behind the attacks on SolarWinds and organizations such as Microsoft and HPE, is exploiting automated cloud service accounts and dormant accounts to access the cloud environments of targeted organizations.

The attacks mark a significant shift in the threat actor’s (also known as APT29, Cozy Bear, and Dukes) tactics as it adapts to the growing adoption of cloud services by organizations in industries it has traditionally targeted.

A significant change

In an advisory published Monday, the U.K. National Cyber Security Centre (NCSC), in collaboration with the US Cybersecurity and Infrastructure Security Agency (CISA) and their counterparts in other countries, warned of the change in Midnight Blizzard’s tactics and of the need for organizations to prevent the threat actor from gaining initial access to their cloud environments.

“For organizations that have moved to cloud infrastructure, a first line of defense against an actor like SVR should be to protect against SVR’s TTPs for initial access,” the advisory notes, while recommending mitigations against the threat.

The United States and others have linked Midnight Blizzard with a high degree of confidence to the Russian SVR, an active threat actor since at least 2009. The group initially drew attention for its intelligence-gathering attacks against government agencies, think tanks and organizations in the healthcare and energy sectors. In recent years, and especially since the SolarWinds attack, Midnight Blizzard has targeted numerous other organizations, including those in the software supply chain, healthcare research, law enforcement, aviation, and military industries. Recently, Microsoft and HPE blamed the threat actor for penetrating their corporate email environments and accessing emails belonging to senior executives and key personnel.

In many of its previous attacks, Midnight Blizzard exploited software vulnerabilities and other network weaknesses to gain initial access to the targeted organization’s local IT infrastructure. But as many of its targets have shifted to cloud-native and hosted environments, the threat actor has been forced to pivot and target cloud services as well. “To access the majority of victims’ cloud-hosted network, actors must first successfully authenticate to the cloud provider,” the NCSC said.

Targeting dormant services and accounts

A common tactic used by Midnight Blizzard to achieve this is to use brute force attacks and password spraying attacks to gain access to cloud service accounts. These are typically automated, non-human accounts for managing cloud applications and services. Such accounts cannot be easily protected via two-factor authentication mechanisms and are therefore more susceptible to compromise and successful takeovers, the NCSC said.

But there’s another issue that makes the takeover of these accounts by threat actors particularly problematic. “Gaining access to these accounts provides threat actors with initial privileged access to a network, to launch further operations,” the NCSC warned. In many of these attacks, threat actors used legitimate residential IP addresses to launch their password spray attacks, making it difficult for defenders to spot the activity for what it was.

Another tactic used by Midnight Blizzard to gain initial access to a target cloud environment is to exploit dormant accounts belonging to users who may no longer work at the victim organization but whose accounts remain in the system, the advisory notes. In some cases, the threat actor regained access to a network it had been evicted from by logging into inactive accounts and following the instructions to reset their passwords.

Misusing authentication tokens

Other tactics used by Midnight Blizzard for initial cloud access include using illegally obtained OAuth tokens to access victims’ accounts – and maintain persistence – without requiring a password, as well as so-called MFA bombing or MFA fatigue attacks to pressure victims into approving the actor’s authentication to a target account. Once the threat actor has gained access to a cloud environment, they often enroll their own device in it to gain persistent access.

To mitigate the threat, organizations should use multi-factor authentication where possible, to reduce the impact of a password compromise, the NCSC said. In situations where it may be difficult to use a second factor of authentication, organizations should create strong passwords to protect service accounts. The NCSC also recommended that organizations implement the principle of least privilege for service accounts to limit what an attacker could do by misusing one.

Additionally, the advisory recommends keeping authentication token session durations as short as possible to limit what the threat actor could do with a stolen token, and ensuring that device enrollment policies do not allow unauthorized device enrollment in the cloud environment.

“Canary service accounts should be created that appear to be valid service accounts but are never used by legitimate services,” the advisory states. Misuse of such accounts is a clear sign of unauthorized access that requires immediate investigation.
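The three initial-access patterns the advisory describes (password spraying against service accounts from a single source, sign-ins to long-dormant accounts, and any activity on canary accounts) can all be surfaced from the same sign-in log. The following is an added example, not code from the advisory or from any vendor: it runs simple detections over constructed sign-in events. The event layout, the account names, the IP addresses and the `LAST_SEEN` directory snapshot are all assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (timestamp, account, source IP, result). The
# field layout is an assumption for this example, not any provider's schema.
SAMPLE_EVENTS = [
    ("2024-02-26T10:00:05", "svc-backup",    "203.0.113.10", "failure"),
    ("2024-02-26T10:00:09", "svc-deploy",    "203.0.113.10", "failure"),
    ("2024-02-26T10:00:14", "svc-monitor",   "203.0.113.10", "failure"),
    ("2024-02-26T10:00:20", "svc-etl",       "203.0.113.10", "failure"),
    ("2024-02-26T10:00:26", "svc-reporting", "203.0.113.10", "failure"),
    ("2024-02-26T10:00:31", "svc-etl",       "203.0.113.10", "success"),
    ("2024-02-26T10:05:00", "alice",         "198.51.100.7", "failure"),
    ("2024-02-26T10:05:10", "alice",         "198.51.100.7", "success"),
    ("2024-02-26T11:30:00", "bob.leaver",    "203.0.113.10", "success"),
    ("2024-02-26T12:00:00", "svc-canary-01", "203.0.113.44", "failure"),
]

# Constructed directory context: last successful sign-in before this log
# window, and the canary accounts that no legitimate service ever uses.
LAST_SEEN = {
    "svc-backup": "2024-02-25", "svc-deploy": "2024-02-25",
    "svc-monitor": "2024-02-25", "svc-etl": "2024-02-25",
    "svc-reporting": "2024-02-25", "alice": "2024-02-20",
    "bob.leaver": "2023-09-01",
}
CANARY_ACCOUNTS = {"svc-canary-01"}


def parse_events(raw):
    """Turn the raw tuples into dicts with a real datetime, oldest first."""
    events = [{"ts": datetime.fromisoformat(ts), "account": acct,
               "ip": ip, "result": result} for ts, acct, ip, result in raw]
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: set(accounts)} for sources whose failed sign-ins hit
    at least min_accounts distinct accounts inside one window. A spray tries
    one password across many accounts, so per-account lockout never fires;
    the signal is breadth of accounts per source, not failures per account."""
    failures = defaultdict(list)
    for ev in events:
        if ev["result"] == "failure":
            failures[ev["ip"]].append(ev)
    flagged = {}
    for ip, evs in failures.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            accounts = {e["account"] for e in evs[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[ip] = flagged.get(ip, set()) | accounts
    return flagged


def detect_spray_success(events, sprayers):
    """Successful sign-ins from a source already flagged as spraying: the
    accounts whose password the spray guessed, or that it went on to use."""
    return [(e["account"], e["ip"]) for e in events
            if e["result"] == "success" and e["ip"] in sprayers]


def detect_dormant_logins(events, last_seen, now, dormant_days=90):
    """Successful sign-ins to accounts unused for more than dormant_days,
    or never seen at all (leavers whose accounts were never disabled)."""
    cutoff = now - timedelta(days=dormant_days)
    hits = []
    for e in events:
        if e["result"] != "success":
            continue
        seen = last_seen.get(e["account"])
        if seen is None or datetime.fromisoformat(seen) < cutoff:
            hits.append((e["account"], e["ip"]))
    return hits


def detect_canary_use(events, canaries):
    """Any attempt against a canary account, failed or not, is a finding."""
    return [(e["account"], e["ip"], e["result"]) for e in events
            if e["account"] in canaries]


def triage(raw=SAMPLE_EVENTS, last_seen=LAST_SEEN, canaries=CANARY_ACCOUNTS,
           now=datetime(2024, 2, 26, 12, 0)):
    """Run all detections over one log window and return the findings."""
    events = parse_events(raw)
    spray = detect_password_spray(events)
    return {
        "spray": spray,
        "spray_success": detect_spray_success(events, spray),
        "dormant": detect_dormant_logins(events, last_seen, now),
        "canary": detect_canary_use(events, canaries),
    }


if __name__ == "__main__":
    for kind, findings in triage().items():
        print(f"{kind}: {findings}")
```

The spray detector keys on distinct accounts per source rather than failures per account, because that is the shape of the activity the NCSC describes: one password tried across many accounts stays under lockout thresholds, and with residential IPs as the source the only remaining anomaly is the breadth. A success from a flagged source, a success on an account last seen months ago, and any touch of a canary account are each escalated on their own; in the sample, the dormant `bob.leaver` sign-in also comes from the spraying source, which is exactly the revived-account pattern the advisory calls out.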


