Russian state hackers swap malware with cloud-based attacks
With their common tactics exposed, Moscow-controlled hackers set their aims on cloud service providers, ripe with invaluable credentials.
Russian adversaries increasingly focus on targeting the cloud environment, Crowdstrike’s Global Threat Report on Cloud Security revealed.
Fancy Bear, a Russian adversary associated with Russia’s Main Intelligence Directorate (GRU), used to rely on malware-based spear-phishing attacks, the report claims. However, with their tactics exposed by the US Department of Justice (DoJ), hackers have refocused their attention on cloud service providers.
Since Fancy Bear’s primary source of intelligence comes from various credential harvesting practices that allow penetrating target organizations and individuals, it’s no surprise that the main targets are cloud-based email providers.
According to the report, Fancy Bear focused their attention on service providers such as Microsoft 365, Google’s GSuite, as well as webmail providers that individuals usually use.
Meanwhile, Cozy Bear, Russia’s state-sponsored hacker group controlled by the Federal Security service (FSB), has been busy snooping for ways to bypass multifactor authentication (MFA) practices their victims employ.
Report’s authors claim that Cozy Bear has been very effective in successful lateral movement operation within the cloud environments their tools penetrate. Crowdstrike’s researchers noted hackers using authentication cookies that allowed them to slit through MFA restrictions.
With the right keys, hackers manage to access user accounts in possession of enterprise cloud service privileges, allowing further movement deeper into the cloud. Researchers note that high on success, Cozy Bear affiliates will continue to focus on users with admin privileges in cloud environments.
RCE in the focus
According to the report, state and financially driven threat actors look for a quick buck by opportunistically exploiting known remote code execution (RCE) vulnerabilities in server software.
Malicious actors scan for vulnerable servers without focusing on specific sectors or regions. Once initial access is established, threat actors deploy various tools for lateral movement.
Meanwhile, targeted attacks focus a lot on credential-based intrusions. Fraudsters host fake authentication pages to harvest legitimate authentication credentials for cloud services.
Report’s authors claim that threat actors haven’t forgotten about malware either. Adversaries extensively use cloud services to deliver malware to evade signature-based detections as top-level domains of cloud hosting services are often trusted by many networks.
Threat actors also leverage improperly configured templates for creating cloud containers or Docker images. The worst part about infected Docker images is that every single container derived from a malicious image will also be infected.
CrowdStrike even discovered a Docker-specific malware family dubbed ‘Doki’ that focuses specifically on cloud-based attacks for lateral movement within the infected systems.
More from Cybernews:
Subscribe to our newsletter