
Overkill Security

Nothing Says 'Secure' Like a Dozen Firewalls

About the creator

A blog about all things techy! Not too much hype, just a lot of cool analysis and insight from different sources.
📌Not sure what level is suitable for you? Check this explanation https://boosty.to/overkill_security/posts/4615ab87-6554-426e-bc24-b0b0b163716d
All places to read, listen and watch content:
➡️Text and other media: TG, Boosty, Teletype.in, VK, X.com
➡️Audio: Mave; other podcast services (e.g. YouTube Podcasts, Spotify, Apple or Amazon) are listed there
➡️Video: Youtube
The main categories of materials - use tags:
📌news
📌digest
📌all pdf
Q&A: directly or via email overkill_qa@outlook.com

Benefits and Drawbacks of NSA’s Advisory. The Double-Edged Sword

The document titled “cyber actors adapt tactics for initial cloud access”, released by the National Security Agency (NSA), warns that cyber actors have adapted their tactics to gain initial access to cloud services rather than exploiting on-premises network vulnerabilities.
Benefits:
📌Awareness and Understanding: The document raises awareness about the shift in tactics towards cloud services, which is crucial for organizations to understand the current threat landscape.
📌Detailed TTPs: It provides detailed information on the tactics, techniques, and procedures (TTPs) used by actors, including the use of service and dormant accounts, which can help organizations identify potential threats and vulnerabilities.
📌Sector-Specific Insights: The document outlines the expansion of targeting to sectors such as aviation, education, law enforcement, and military organizations, offering sector-specific insights that can help these industries bolster their defenses.
📌Mitigation Strategies: It offers practical mitigation strategies that organizations can implement to strengthen their defenses against initial access by actors, such as implementing MFA and managing system accounts.
📌Emphasis on Fundamentals: The advisory emphasizes the importance of cybersecurity fundamentals, which can help organizations establish a strong baseline defense against sophisticated actors.
📌Global Supply Chain Relevance: The document references the actors’ involvement in the SolarWinds supply chain compromise, highlighting the global implications of such cyber espionage activities.
Drawbacks:
📌Resource Intensity: Implementing the recommended mitigations may require significant resources, which could be challenging for smaller organizations with limited cybersecurity budgets and personnel.

The Defense Cybersecurity Workout Plan. The Basics Never Looked So Good

Defense through Cybersecurity Fundamentals in the APT
In the contemporary cybersecurity landscape, marked by the sophisticated operations of actors, the importance of adhering to cybersecurity fundamentals cannot be overstated. While advanced threats continue to evolve, leveraging cutting-edge tactics, techniques, and procedures (TTPs), a strong foundation in cybersecurity fundamentals remains a critical line of defense for organizations across all sectors. This foundational approach to cybersecurity emphasizes the implementation of best practices, policies, and controls that are designed to protect against a wide range of threats, including those from highly sophisticated adversaries.
Understanding Cybersecurity Fundamentals
📌Access Control: Ensuring that only authorized users have access to information systems and data, and that they are only able to perform actions that are necessary for their role.
📌Data Encryption: Protecting data at rest and in transit through encryption, making it unreadable to unauthorized users.
📌Patch Management: Regularly updating software and systems to address vulnerabilities and reduce the risk of exploitation.
📌Firewalls and Intrusion Detection Systems (IDS): Implementing firewalls to block unauthorized access and IDS to monitor network traffic for suspicious activity.
📌Multi-Factor Authentication (MFA): Requiring users to provide two or more verification factors to gain access to systems, significantly enhancing security.
📌Security Awareness Training: Educating employees about cybersecurity risks and best practices to prevent social engineering attacks and other threats.

Sophistication of Cyber Actors. The James Bonds of the Digital Realm

According to the document “cyber actors adapt tactics for initial cloud access”, the actors have demonstrated a high level of sophistication in their cyber operations, reflecting a deep understanding of the global cyber landscape and an ability to adapt and innovate in the face of evolving security measures. This sophistication is evident not only in their technical capabilities but also in their strategic approach to cyber espionage, which involves careful target selection, meticulous planning, and the use of advanced tactics, techniques, and procedures (TTPs).
Technical Prowess and Innovation
Cyber operations are characterized by the use of custom malware and zero-day vulnerabilities (previously unknown software vulnerabilities that have not been disclosed to the software maker or the public). Exploiting these vulnerabilities allows the actors to infiltrate target networks undetected. An example is the SolarWinds supply chain attack, in which the actors are believed to have compromised the software development process to insert malicious code into a software update, affecting thousands of SolarWinds' clients, including government agencies and Fortune 500 companies.
Operational Security and Stealth
Operational security (OpSec) is a hallmark of these operations, with the actors going to great lengths to cover their tracks and maintain stealth within compromised networks. This includes the use of encrypted channels for exfiltrating data, the careful management of command-and-control servers to avoid detection, and the use of legitimate tools and services (a technique known as "living off the land") to blend in with normal network activity. The ability to maintain a low profile within target networks often allows them to conduct long-term espionage operations without detection.
Psychological and Social Engineering Tactics
Beyond technical capabilities, the actors have shown adeptness in psychological and social engineering tactics. These methods are designed to manipulate individuals into divulging sensitive information or performing actions that compromise security. Phishing campaigns, spear-phishing, and other forms of social engineering are frequently used to gain initial access to target networks or to escalate privileges once inside.

Use of Service and Dormant Accounts. Sleeping Giants

The exploitation of service and dormant accounts by cyber actors represents a sophisticated and often overlooked vector of cyber-attacks. These accounts, which are created for various operational purposes within an organization's cloud and on-premises environments, can provide attackers with the access they need to carry out their objectives if not properly managed and secured.
Understanding Service and Dormant Accounts
Service accounts are specialized accounts used by applications or services to interact with the operating system or other services. They often have elevated privileges to perform specific tasks and may not be tied to an individual user's identity. Dormant accounts, on the other hand, are user accounts that are no longer actively used, either because the user has left the organization or the account's purpose has been fulfilled. These accounts are particularly risky because they are frequently forgotten, left with more privileges than necessary, and not monitored as closely as active user accounts.
Why Service and Dormant Accounts Are Targeted
📌Elevated Privileges: Service accounts often have elevated privileges necessary for system tasks, which can be exploited to gain wide access to an organization's network.
📌Lack of Monitoring: Dormant accounts are not regularly used, making them less likely to be monitored for suspicious activity, and thus an attractive target for attackers.
📌Weak or Default Credentials: Service accounts may be configured with weak or default credentials that are easier for attackers to guess or find through brute force attacks.
📌Bypassing User Behavior Analytics: Since service accounts perform automated tasks, their behavior patterns can be predictable, allowing malicious activities to blend in with normal operations and evade detection.
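The four risk factors above are all inventory problems before they are detection problems, so the first defensive step is an audit of the identity inventory. The following is an added example (not code from the original post or from the NSA advisory it discusses) that runs such an audit over a small constructed list of cloud identities and flags dormant accounts, service accounts holding elevated roles, user accounts without MFA, and credentials that have not been rotated. The field names, role names and day thresholds are assumptions chosen for the example; adapt them to your tenant's roles and policy.

```python
"""
Account-hygiene audit for service and dormant accounts.

Added example, not code from the original post or the NSA advisory it
discusses. It runs over a small constructed inventory of cloud identities
(names, dates and roles are all made up) and flags the conditions the post
describes: dormant accounts that nobody monitors, service accounts holding
elevated privileges, user accounts without MFA, and credentials that were
never rotated. Field names, role names and thresholds are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

DORMANT_AFTER = timedelta(days=90)            # assumed inactivity threshold
ROTATE_AFTER = timedelta(days=180)            # assumed credential-age threshold
PRIVILEGED_ROLES = {"GlobalAdmin", "Owner"}   # assumed names of high-privilege roles


@dataclass
class Account:
    name: str
    kind: str                          # "user" or "service"
    last_sign_in: Optional[datetime]   # None means the account never signed in
    credential_set: datetime           # when the password/secret was last set
    mfa_enabled: bool
    roles: set = field(default_factory=set)


def audit(accounts, now):
    """Return (account, finding, recommended action) triples."""
    findings = []
    for a in accounts:
        idle = (now - a.last_sign_in) if a.last_sign_in else None
        # Dormant: never used, or idle longer than the policy allows.
        if idle is None or idle > DORMANT_AFTER:
            findings.append((a.name, "dormant",
                             "disable; delete after owner review"))
        # Service accounts should not carry tenant-wide admin roles.
        if a.kind == "service" and a.roles & PRIVILEGED_ROLES:
            findings.append((a.name, "privileged-service-account",
                             "scope roles to the single task the service performs"))
        # Interactive users without MFA are the password-spray target.
        if a.kind == "user" and not a.mfa_enabled:
            findings.append((a.name, "no-mfa",
                             "enforce MFA before the next sign-in"))
        # Old secrets are the ones most likely to be weak or widely shared.
        if now - a.credential_set > ROTATE_AFTER:
            findings.append((a.name, "stale-credential",
                             "rotate the secret and record an owner"))
    return findings


NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # constructed "today"


def days_ago(n):
    return NOW - timedelta(days=n)


# Constructed inventory for the example.
SAMPLE_ACCOUNTS = [
    Account("svc-backup", "service", days_ago(1), days_ago(400), False, {"Owner"}),
    Account("jdoe", "user", days_ago(200), days_ago(30), True, {"Reader"}),
    Account("contractor-old", "user", None, days_ago(10), False, set()),
    Account("asmith", "user", days_ago(2), days_ago(20), True, {"Reader"}),
]


def run_sample():
    return audit(SAMPLE_ACCOUNTS, NOW)


if __name__ == "__main__":
    for name, finding, action in run_sample():
        print(f"{name:15} {finding:28} {action}")
```

In a real tenant the inventory would come from the identity provider's directory and sign-in reports rather than a literal list; the point of the example is that each of the four risk factors maps to a concrete, checkable property of the account record.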

Expansion of Targeting. The More, the Merrier

The strategic expansion of targeting by cyber actors to a broader range of sectors is a concerning development in the realm of global cybersecurity. This diversification of targets reflects a calculated approach by these actors to exploit the interconnected nature of modern industries and the increasing reliance on cloud services across various sectors.
Broadening the Scope of Espionage
The expansion into sectors such as aviation, education, law enforcement, local and state councils, government financial departments, and military organizations demonstrates their intent to gather intelligence from a wide spectrum of sources. This broad targeting strategy suggests that the actors are not only interested in traditional national security-related information but also in acquiring a diverse set of data that could provide economic, political, or technological advantages.
Implications for Different Sectors
📌Aviation: The aviation industry involves a complex ecosystem of airlines, airports, manufacturers, and support services, all of which handle sensitive data related to national security, safety, and proprietary technology.
📌Education: Universities and research institutions are rich sources of cutting-edge research and intellectual property. They are often targeted for their groundbreaking work in science, technology, and defense-related areas.
📌Law Enforcement: Law enforcement agencies hold sensitive data on criminal investigations, national security matters, and personal information of citizens, making them a high-value target for espionage.
📌Local and State Councils: Local and state government entities manage critical infrastructure, citizen services, and have access to vast amounts of personal data, which can be exploited for various malicious purposes.

Authentication as a Key Step. We Don't Need No Stinkin' Passwords!

Authentication as a Key Step in Cloud Security
In the evolving landscape of cybersecurity, the adaptation of cyber actors to target cloud services underscores a pivotal shift in the tactics of cyber espionage. This transition from exploiting on-premises network vulnerabilities to directly targeting cloud-based infrastructures marks a significant evolution in cyber threats. At the heart of this shift is the critical role of authentication as a key step in securing cloud-hosted networks against sophisticated cyber actors.
The Importance of Authentication in Cloud Environments
Authentication serves as the gateway to cloud services, determining whether access should be granted to a user or system. In cloud environments, where resources and data are hosted off-premises and accessed over the internet, the importance of robust authentication mechanisms cannot be overstated. Unlike traditional on-premises setups, where physical security measures and internal network defenses can provide layers of security, cloud services are inherently more exposed to the internet. This exposure makes the initial step of authentication not just a security measure, but a critical defense mechanism against unauthorized access.
Challenges in Cloud Authentication
The shift towards cloud services brings with it unique challenges in implementing effective authentication strategies. One of the primary challenges is the diverse and dynamic nature of cloud environments. Users access cloud services from various locations, devices, and networks, necessitating flexible yet secure authentication mechanisms that can adapt to different contexts without compromising security.
Moreover, the scalability of cloud services means that authentication mechanisms must be able to handle a large number of access requests without introducing significant latency or reducing the user experience. This requirement for scalability and user-friendliness often conflicts with the need for stringent security measures, creating a delicate balance that organizations must navigate.

Increased Importance of Cloud Initial Access. First Impressions Matter

The shift in focus by cyber actors to cloud services has brought the importance of securing initial access to the forefront of cybersecurity efforts. In cloud environments, initial access represents the critical juncture at which the security of the entire system is most vulnerable. Unlike traditional on-premises networks, where multiple layers of security can be deployed, cloud services are accessed over the internet, making the initial point of entry a prime target for attackers.
Initial Access as a Foothold for Attackers
Gaining initial access to cloud services allows attackers to establish a foothold within the target environment. From this position, they can potentially escalate privileges, move laterally across the network, and access sensitive data. The distributed nature of cloud services also means that compromising a single account can have far-reaching consequences, potentially giving attackers access to a wide array of resources and data.
Challenges in Securing Initial Access
📌Remote Access: Cloud services are designed to be accessed remotely, which inherently increases the attack surface. Remote access points must be secured against unauthorized entry while still providing legitimate users with the necessary access.
📌Identity and Access Management (IAM): In cloud environments, IAM becomes a critical component of security. Organizations must ensure that IAM policies are robust and that permissions are granted based on the principle of least privilege to minimize the risk of initial access by unauthorized entities.
📌Phishing and Social Engineering: Attackers often use phishing and social engineering tactics to gain initial access. These methods exploit human factors rather than technical vulnerabilities, making them difficult to defend against with traditional security measures.

Cloud TTPs Details. The Cyber Magician's Handbook

Key TTPs of the document “cyber actors adapt tactics for initial cloud access”
📌Credential Access / T1110 Brute Forcing: actors utilize password spraying and brute forcing as initial infection vectors. This approach involves attempting multiple passwords against different accounts (password spraying) or numerous password attempts on a single account (brute forcing) to gain unauthorized access.
📌Initial Access / T1078.004 Valid Accounts: Cloud Accounts: The actors gain access to cloud services by using compromised credentials. This includes targeting both system accounts (used for automated tasks and services) and dormant accounts (inactive accounts that still remain on the system).
📌Credential Access / T1528 Steal Application Access Token: Actors exploit stolen access tokens to log into accounts without needing the passwords. Access tokens are digital keys that allow access to user accounts, and obtaining these can bypass traditional login mechanisms.
📌Credential Access / T1621 Multi-Factor Authentication Request Generation: Known as 'MFA bombing' or 'MFA fatigue,' this technique involves actors repeatedly sending MFA requests to a victim's device. The goal is to overwhelm or fatigue the victim into accepting the request, thus granting the attacker access.
📌Command and Control / T1090.002 Proxy: External Proxy: To maintain covert operations and blend in with normal traffic, actors use open proxies located in residential IP ranges. This makes malicious connections harder to distinguish from legitimate user activity in access logs.
📌Persistence / T1098.005 Account Manipulation: Device Registration: After gaining access to accounts, actors attempt to register their own devices on the cloud tenant. Successful device registration can provide persistent access to the cloud environment.
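Several of these TTPs leave a recognisable shape in the cloud sign-in log, which is where a defender should look for them. The following is an added example (not code from the original post or from the NSA advisory) that runs three detections over a small constructed set of sign-in events: T1110 password spraying (one source IP failing against many distinct accounts in a short window), T1621 MFA fatigue (a burst of MFA prompts pushed to one user), and T1098.005 device registration occurring shortly after a successful sign-in from an IP already flagged for spraying. The event schema, the IP addresses (documentation ranges), the user names and the thresholds are all assumptions made for the example.

```python
"""
Sign-in log detections for the cloud initial-access TTPs listed above.

Added example: this is not code from the original post or from the NSA
advisory it summarises. It runs three detections over a constructed set of
sign-in events (timestamps, users, IPs and event types are all made up):
  * T1110 password spraying: one source IP failing against many accounts
    inside a short window,
  * T1621 MFA fatigue: many MFA prompts pushed to one user inside a short window,
  * T1098.005 device registration: a device registered shortly after a
    successful sign-in from an IP already flagged for spraying.
Event schema, field names and thresholds are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2024, 3, 1, 8, 0)  # constructed base time


def ev(minutes, user, ip, event):
    return {"ts": T0 + timedelta(minutes=minutes), "user": user, "ip": ip, "event": event}


# Constructed sample: a spray from 203.0.113.7 across twelve accounts, one of
# which (u07) succeeds and then registers a device; a burst of MFA prompts to
# bob; and ordinary activity from alice.
EVENTS = (
    [ev(i, f"u{i:02d}", "203.0.113.7", "signin_failure") for i in range(1, 13)]
    + [ev(14, "u07", "203.0.113.7", "signin_success"),
       ev(29, "u07", "203.0.113.7", "device_registered")]
    + [ev(40 + i, "bob", "198.51.100.9", "mfa_prompt") for i in range(6)]
    + [ev(46, "bob", "198.51.100.9", "mfa_denied"),
       ev(50, "alice", "192.0.2.44", "signin_failure"),
       ev(51, "alice", "192.0.2.44", "signin_success"),
       ev(52, "alice", "192.0.2.44", "device_registered")]
)


def _burst(events, key, window, threshold, distinct=None):
    """Return the keys (an IP or a user) that produce >= threshold events
    within `window`; if `distinct` names a field, count distinct values of
    that field instead of raw events."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e[key]].append(e)
    hits = set()
    for k, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            count = len({e[distinct] for e in in_window}) if distinct else len(in_window)
            if count >= threshold:
                hits.add(k)
                break
    return hits


def detect_password_spray(events, window=timedelta(minutes=30), min_accounts=10):
    """T1110: one IP, many distinct accounts failing in a short window."""
    failures = [e for e in events if e["event"] == "signin_failure"]
    return _burst(failures, "ip", window, min_accounts, distinct="user")


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_prompts=5):
    """T1621: repeated MFA prompts to the same user in a short window."""
    prompts = [e for e in events if e["event"] == "mfa_prompt"]
    return _burst(prompts, "user", window, min_prompts)


def detect_device_registration_after_spray(events, spray_ips, lookback=timedelta(hours=1)):
    """T1098.005: device registered within `lookback` of a successful sign-in
    from an IP the spray detector already flagged."""
    successes = [e for e in events if e["event"] == "signin_success" and e["ip"] in spray_ips]
    flagged = []
    for reg in (e for e in events if e["event"] == "device_registered"):
        for s in successes:
            if s["user"] == reg["user"] and timedelta(0) <= reg["ts"] - s["ts"] <= lookback:
                flagged.append((reg["user"], s["ip"]))
                break
    return flagged


def run_detections(events=EVENTS):
    spray = detect_password_spray(events)
    return {
        "password_spray_ips": spray,
        "mfa_fatigue_users": detect_mfa_fatigue(events),
        "device_registration_after_spray": detect_device_registration_after_spray(events, spray),
    }


if __name__ == "__main__":
    for name, result in run_detections().items():
        print(f"{name}: {sorted(result)}")
```

The third detector is deliberately chained to the first: on its own, a device registration is routine, but a registration minutes after a successful sign-in from an IP that was just spraying is the persistence step the advisory describes. Residential-proxy use (T1090.002) is not detectable from these fields alone, which is why the detections key on behaviour (many accounts per source, many prompts per user) rather than on reputation of the source address.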

Adaptation to Cloud Services. Chameleons of the Cyber World

The adaptation of attacks to target cloud services marks a significant evolution in the landscape of cyber espionage and cyber warfare. This shift is not merely a change in target but represents a deeper strategic adaptation to the changing technological environment and the increasing reliance of governments and corporations on cloud infrastructure. The move towards cloud services by organizations is driven by the benefits of scalability, cost-efficiency, and the ability to rapidly deploy and update services. However, this transition also presents new vulnerabilities and challenges for cybersecurity.
Strategic Shift to Cloud
As organizations have modernized their systems and migrated to cloud-based infrastructure, actors have adapted their tactics, techniques, and procedures (TTPs) to this new environment. This adaptation is driven by the realization that cloud services, by centralizing vast amounts of data and resources, present a lucrative target for espionage and intelligence gathering. The cloud's architecture, while offering numerous advantages to organizations, also necessitates a reevaluation of security strategies to address unique vulnerabilities.
Tactics, Techniques, and Procedures (TTPs)
The adaptation of actors to cloud services involves a range of sophisticated TTPs designed to exploit the specific characteristics of cloud environments. One of the primary methods of gaining initial access to cloud-hosted networks involves authenticating to the cloud provider. This can be achieved through various means, including brute forcing and password spraying to access service and dormant accounts. These accounts, often used to run and manage applications without direct human oversight, are particularly vulnerable as they may not be protected by multi-factor authentication (MFA) and may possess high levels of privilege.
Furthermore, actors have been observed using system-issued tokens for authentication, bypassing the need for passwords. They have also exploited the process of enrolling new devices to the cloud, bypassing MFA through techniques such as "MFA bombing" or "MFA fatigue." Additionally, the use of residential proxies to obscure their internet presence and make malicious activity harder to detect represents another layer of sophistication in their operations.
