Microsoft announced this week that the Russian hacking crew APT 29 (aka Nobelium) was detected targeting cloud service providers in an attempt to reach those organizations’ customers as part of a supply chain attack.
If it sounds like the boys and girls over at the SVR are up to their old tricks, following up from the headline-splashing SolarWinds hacks, you’d be wrong.
They never stopped hacking.
While we were watching ransomware crews hit just about everything connected to the internet, Russia’s state-employed hackers were hard at work trying to get their shells into various segments of the digital supply chain.
By gaining access to the upstream service providers that resell or provide managed services for Microsoft products, these hackers situated themselves into a pretty desirable position for working their way into the better-defended targets further downstream. These targets include research facilities, US government bodies, defense contractors, and other strategic orgs that every state actor worth their salt should have on their list.
It’s All in the (Spy) Game
An important point that needs to be remembered is that these are not bad actors. These are state actors, doing what they were hired to do — namely break into rival nations’ systems and steal information.
Dmitri Alperovitch said it succinctly in a recent tweet when he wrote that:
If anyone is surprised that SVR is still engaging in espionage, they should check the mission statement of intelligence agencies.
SolarWinds/HolidayBear campaign (going after hard targets via IT/cybersecurity companies) was a tactical direction shift, not a one-off operation
— Dmitri Alperovitch (@DAlperovitch) October 25, 2021
Put even a little bit more plainly: It’s all in the game.
And the Nobelium crew played the game pretty well when they hacked SolarWinds last year, using an impressive hacking technique to create new admin users in Microsoft’s Azure AD.
And who doesn’t love a good spy game? But once we take a closer look at these attacks, we see that this time around, the attacks were more brute force than finesse. Using the time-tested practice of password spraying, the attackers were able to compromise accounts at the resellers and managed service providers.
From there, it appears that they actually did very little of what we would consider hacking — even by the standards of a certain governor from Missouri.
Details About the Attack
Based on Microsoft’s statement, it would seem that APT 29 mostly focused on using the access granted to them by the cloud services, counting mostly on the poor access control practices of their targets to reach where they were headed.
They were able to use the wide-reaching access granted to the highly privileged accounts they compromised at the initial point of entry to undermine the trusted relationships with the end targets, breaching them without raising a lot of red flags.
One point that stood out here was how the report showed that the attackers exploited the compromised accounts’ external access to their targets’ assets.
They cite how:
These delegated administrative privileges are often neither audited for approved use nor disabled by a service provider or downstream customer once use has ended, leaving them active until removed by the administrators. If NOBELIUM has compromised the accounts tied to delegated administrative privileges through other credential-stealing attacks, that access grants actors like NOBELIUM persistence for ongoing campaigns.
The TLDR/takeaway here is that privileged admin access was unmonitored and left active unless someone had the presence of mind to revoke that access.
Given the rate and scale of sharing access with external organizations, there were probably plenty of opportunities for the hackers to take advantage of these oversights with their compromised credentials.
For the full write-up, check out Microsoft’s blog post. They offer some fairly detailed resources, as well as info on how service providers can get two free years of Azure Active Directory Premium 2.
But for a couple of valuable tips for mitigating your risk from compromise, check out our list here below.
3 Tips for Mitigating Access Control Risks
The TTPs used in this operation may not have been what we think of as sophisticated for a state actor, but they are exceedingly effective. The techniques used here are the same that criminal hacking crews use on the daily.
All of these actors rely on their targets failing to take the basic measures to protect themselves, and in many cases, end up on top not because they were so good but because organizations are so far behind.
The good news from this story is that there is evidence from Microsoft that those organizations that took steps to secure their access control were able to halt many of these attacks in their tracks.
Thankfully, there are more than a couple of ways to avoid being easy pickings for these vultures.
Enable Multi-Factor Authentication
Turning on multi-factor authentication for users is step one in identity security, especially for admins whose privileges make them highly desirable targets. MFA is especially effective against password spraying because it means that the attacker has to compromise not only your credentials but your device as well. According to Microsoft, enabling MFA will help to prevent 99.9% of attacks, which are probably the best odds you’ll ever get when it comes to risk mitigation. MFA isn’t perfect, and a good social engineer can manipulate their way around it, but those cases are extraordinary.
Using the right kind of MFA also matters. Avoid SMS codes in favor of an app-based authenticator such as those from Duo, Microsoft, Google, and plenty of others. These apps help you avoid SIM-swapping attacks and keep working when traveling abroad.
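MFA blunts a spray, but you still want to see one happening. The detection below is an added example (not code from the original post or from Microsoft) run over a constructed sign-in log: it flags a source IP whose failed sign-ins touch many distinct accounts inside a short window, the signature of password spraying, and lists any accounts that later signed in successfully from that IP. The log format, IP addresses and account names are all made up for the example.

```python
"""Password-spray detection over constructed sign-in records. Added example,
not code from the original post or from Microsoft. A spray tries one or two
common passwords against many accounts, so the signal is one source IP failing
against many *distinct* users in a short window, not many failures on one user."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log: (timestamp, user, source_ip, result).
SPRAY_IP, USER_IP = "203.0.113.5", "198.51.100.7"   # RFC 5737 test addresses
SIGNIN_LOG = [
    ("2021-10-25T09:00:01", "alice@example.com", SPRAY_IP, "FAIL"),
    ("2021-10-25T09:00:04", "bob@example.com",   SPRAY_IP, "FAIL"),
    ("2021-10-25T09:00:07", "carol@example.com", SPRAY_IP, "FAIL"),
    ("2021-10-25T09:00:10", "dave@example.com",  SPRAY_IP, "FAIL"),
    ("2021-10-25T09:00:13", "erin@example.com",  SPRAY_IP, "FAIL"),
    ("2021-10-25T09:00:16", "frank@example.com", SPRAY_IP, "SUCCESS"),
    # one real user mistyping a password a few times is not a spray
    ("2021-10-25T09:05:00", "grace@example.com", USER_IP, "FAIL"),
    ("2021-10-25T09:05:09", "grace@example.com", USER_IP, "FAIL"),
    ("2021-10-25T09:05:20", "grace@example.com", USER_IP, "SUCCESS"),
]

def detect_spray(records, window=timedelta(minutes=15), min_users=5):
    """Return {ip: {"sprayed": [...], "succeeded": [...]}} for each source IP
    whose failures cover >= min_users distinct accounts within `window`.
    "succeeded" lists accounts that later signed in from that IP; treat
    those as probable compromises, not as the spray having stopped."""
    by_ip = defaultdict(list)                   # ip -> [(time, user, result)]
    for ts, user, ip, result in records:
        by_ip[ip].append((datetime.fromisoformat(ts), user, result))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        fails = [(t, u) for t, u, r in events if r == "FAIL"]
        start = 0
        for end in range(len(fails)):           # sliding time window
            while fails[end][0] - fails[start][0] > window:
                start += 1
            sprayed = {u for _, u in fails[start:end + 1]}
            if len(sprayed) >= min_users:
                first = fails[start][0]
                later_ok = sorted({u for t, u, r in events
                                   if r == "SUCCESS" and t >= first})
                hits[ip] = {"sprayed": sorted(sprayed), "succeeded": later_ok}
                break
    return hits

for ip, info in detect_spray(SIGNIN_LOG).items():
    print(f"spray from {ip}: {len(info['sprayed'])} accounts, "
          f"later successes: {info['succeeded']}")
```

The thresholds are deliberately loose; tune `window` and `min_users` to your tenant's normal failure rate before alerting on them.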
Revoke Unused Access Permissions
This one is harder than it sounds. Sharing access to documents, environments, apps, and other valuable resources is a pretty common practice. But once that access has been granted, it is rare that folks remember to close it off. Maybe they want to leave it open in case they need it later, or don’t want to bother with having to resend the permission. Either way, it leaves openings that an attacker can take advantage of.
The challenge here is identifying which assets are externally accessible, who has access to them, and if/how those permissions are being used.
If those permissions are not being used, then revoke them. It is always easier to request access again if needed than to deal with the aftermath of a break-in because someone left the side door open.
Think of it this way: if you don’t use it, you lose it.
Monitoring the usage of these permissions at scale requires tools that not only have visibility over identities and assets, and the interaction between them, but can also detect when an asset is exposed externally.
Secure Privileged Identities and Assets
Ideally every last nut and bolt in your organization should be sealed tighter than a submarine. But some areas are still going to be more important than others. Even if you are ensuring Least Privilege with most of your identities, you are still likely to have some identities that have a higher level of privilege because their jobs really do call for it. These admins and others need us to step it up a notch with our protection and monitoring.
- As noted before, be sure to enable MFA for all of these accounts.
- Make sure that they are being monitored for appropriate permission usage.
- Use guardrails to alert on violations of your security policies.
Robotic identities/service accounts often have high levels of privileges to perform their tasks but are generally not monitored.
According to our research:
- Robotic identities make up 20% of the identities in an organization
- 55% of them have unused privileges
- 30% have admin privileges
- 80% are inactive
This is a risky combination of statistics, making them great targets for attackers to exploit. Add to this the fact that nobody ever thought to run an access review for the robots. Doing them for the living, breathing humans is hard enough.
If you are not using automated, continuous tools to monitor your human and machine identities, then you simply will not be able to enact the stringent controls required for these privileged and risky accounts.
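The access review the last two tips describe (revoke what is not used, and look hardest at privileged, external and robotic grants) can be expressed as a small rule. This is an added example, not the post's code or any vendor tool, working over constructed grant records; the identities, assets, dates and scoring weights are all made up for illustration.

```python
"""Access review for external and robotic grants. Added example, not the
post's code or any vendor tool: it applies "you don't use it, you lose it",
turning idle grants into revocation candidates ranked so that admin grants
held by outside orgs (resellers, MSPs) or service accounts come first."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Grant:
    identity: str
    kind: str                      # "human" or "service"
    external: bool                 # held by an outside org, e.g. an MSP
    asset: str
    role: str                      # "admin" or "reader"
    granted: datetime
    last_used: Optional[datetime]  # None = never used since granted

def review(grants, now, stale=timedelta(days=90), grace=timedelta(days=14)):
    """Return (revoke, keep). `revoke` holds (score, grant, reason), most
    risky first. Never-used grants get `grace` days before counting as idle;
    used grants are measured from their last use against `stale`."""
    revoke, keep = [], []
    for g in grants:
        if g.last_used is None:
            idle, why, limit = now - g.granted, "never used", grace
        else:
            idle, why, limit = now - g.last_used, f"last used {g.last_used:%Y-%m-%d}", stale
        if idle <= limit:
            keep.append(g)
            continue
        # admin weighs most, then external ownership, then robotic identity
        score = 4 * (g.role == "admin") + 2 * g.external + (g.kind == "service")
        revoke.append((score, g, f"{why}, idle {idle.days} days"))
    revoke.sort(key=lambda r: (-r[0], r[1].identity))
    return revoke, keep
# Constructed sample grants; identities and dates are made up for illustration.
D = datetime
SAMPLE = [
    Grant("msp-admin@partner.example", "human", True, "tenant", "admin", D(2021, 1, 10), D(2021, 2, 1)),
    Grant("backup-svc", "service", False, "storage", "admin", D(2020, 6, 1), None),
    Grant("auditor@partner.example", "human", True, "finance-app", "reader", D(2021, 10, 20), None),
    Grant("alice@example.com", "human", False, "finance-app", "admin", D(2021, 3, 1), D(2021, 10, 22)),
    Grant("ci-deploy", "service", False, "prod-cluster", "admin", D(2020, 9, 1), D(2021, 10, 24)),
    Grant("contractor@vendor.example", "human", True, "wiki", "reader", D(2021, 3, 1), D(2021, 4, 15)),
]
NOW = D(2021, 10, 25)

for score, g, why in review(SAMPLE, NOW)[0]:
    print(f"[{score}] revoke {g.role} on {g.asset} from {g.identity}: {why}")
```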
Reading the coverage of this story in the New York Times, two quotes stood out to me.
The first was from John Hultquist, the VP of Mandiant, when he said that, “Spies are going to spy, but what we’ve learned from this is that the S.V.R. (the Russian foreign intelligence agency), which is very good, isn’t slowing down.”
States, criminals, and everyone else in between are going to continue to target organizations in the cloud because that’s where we are collectively moving our data. It’s like the old joke about why bank robbers rob banks. Because that’s where the money is.
All of these actors want to be where the juicy data is, and they will keep going after the infrastructure that we are all using to get it. It is what it is, but it is also up to us to do more to protect ourselves.
This is in no small part because there is little that the government is able to do to prevent these types of attacks.
An unnamed US government official speaking to the Times said it well, stating that, “We can do a lot of things, but the responsibility to implement simple cybersecurity practices to lock their — and by extension, our — digital doors rests with the private sector.”