Beat the bear's cloud incursions with canaries says Five Eyes

Service accounts, MFA bombing and residential proxies are being widely deployed by APT29.

A canary resuscitator. Credit: Science Museum Group Collection

Public and private sector organizations’ steady shift to the cloud has prompted Russia’s foreign intelligence service (SVR) to adapt its tactics, techniques, and procedures, according to the UK’s NCSC.

But many of its incursions could be thwarted with best practice security hygiene and tools like canary tokens, a new advisory from the NCSC and Five Eyes partners in the US, Australia, Canada, and New Zealand says.

The security partnership also said SVR actors have expanded their targets beyond governments, think tanks, healthcare, and energy to include military organizations and government finance departments, as well as aviation, education, law enforcement and local/regional councils.

The guidance focuses on APT29 – aka Cozy Bear, Midnight Blizzard, and the Dukes – which the NCSC says is “almost certainly part of the SVR”. But we can assume it applies to more detached operators too.

Organizations’ shift to the cloud means that the SVR has had to move beyond its traditional entry techniques, such as exploiting software vulnerabilities in on-premises infrastructure or traditional phishing. This typically means authenticating to the cloud provider, and the guidance details various ways in which SVR actors are achieving this.

This includes “brute forcing and password spraying” to hijack service accounts, which are usually both highly privileged, and not associated with a human user, making MFA protection difficult. Dormant accounts – for instance, when a worker leaves an organization – are another key target, with SVR actors forcing password resets to gain access.

Other favoured techniques include stealing access tokens to bypass password protection, and registering new devices to personal accounts, once SVR actors have carried out password spraying or MFA bombing.

This is all complemented by the use of residential proxies to keep malicious connections covert and avoid detection by network defences.

The NCSC notes that the techniques listed “are similar” to those highlighted by Microsoft last month, when it disclosed a “nation state attack” on its corporate systems, attributed to Midnight Blizzard.

Suggested techniques for countering these attacks include the use of MFA or, where that is not possible, strong unique passwords, together with a “joiners, movers and leavers” process.

NCSC also recommends the use of “canary service accounts”, which appear to be valid but which are never used. Any activity on these “provides a high confidence signal that they are being used illegitimately and should be investigated urgently.”
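The advisory's three detection opportunities above can be turned into simple rules over identity sign-in logs: any touch of a canary service account, many distinct accounts failing from one source (password spraying), and a burst of MFA prompts to one user (MFA bombing). The following is an added illustration, not code from the NCSC advisory, Thinkst or The Stack; the log lines are constructed and the field names (`ts`, `user`, `src_ip`, `event`, `result`) are assumptions rather than any provider's real schema, as are the canary account names and thresholds.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (NOT real telemetry). Field names are
# assumptions for this example, not any cloud provider's log schema.
SAMPLE_SIGNIN_LOG = """\
{"ts": "2024-02-26T08:00:01Z", "user": "svc-backup",      "src_ip": "203.0.113.10", "event": "login", "result": "failure"}
{"ts": "2024-02-26T08:00:02Z", "user": "alice",           "src_ip": "203.0.113.10", "event": "login", "result": "failure"}
{"ts": "2024-02-26T08:00:03Z", "user": "bob",             "src_ip": "203.0.113.10", "event": "login", "result": "failure"}
{"ts": "2024-02-26T08:00:04Z", "user": "carol",           "src_ip": "203.0.113.10", "event": "login", "result": "failure"}
{"ts": "2024-02-26T08:00:05Z", "user": "dave",            "src_ip": "203.0.113.10", "event": "login", "result": "failure"}
{"ts": "2024-02-26T08:00:06Z", "user": "erin",            "src_ip": "203.0.113.10", "event": "login", "result": "failure"}
{"ts": "2024-02-26T08:05:00Z", "user": "svc-legacy-sync", "src_ip": "198.51.100.7", "event": "login", "result": "success"}
{"ts": "2024-02-26T08:06:00Z", "user": "alice",           "src_ip": "192.0.2.5",    "event": "login", "result": "success"}
{"ts": "2024-02-26T08:10:00Z", "user": "frank",           "src_ip": "203.0.113.44", "event": "mfa_prompt", "result": "denied"}
{"ts": "2024-02-26T08:10:30Z", "user": "frank",           "src_ip": "203.0.113.44", "event": "mfa_prompt", "result": "denied"}
{"ts": "2024-02-26T08:11:00Z", "user": "frank",           "src_ip": "203.0.113.44", "event": "mfa_prompt", "result": "denied"}
{"ts": "2024-02-26T08:11:30Z", "user": "frank",           "src_ip": "203.0.113.44", "event": "mfa_prompt", "result": "denied"}
{"ts": "2024-02-26T08:12:00Z", "user": "frank",           "src_ip": "203.0.113.44", "event": "mfa_prompt", "result": "denied"}
{"ts": "2024-02-26T08:12:30Z", "user": "frank",           "src_ip": "203.0.113.44", "event": "mfa_prompt", "result": "approved"}
{"ts": "2024-02-26T08:20:00Z", "user": "grace",           "src_ip": "192.0.2.9",    "event": "mfa_prompt", "result": "approved"}
"""

# Canary service accounts (hypothetical names): provisioned to look like real
# service accounts but never used by any system, so all activity is suspect.
CANARY_ACCOUNTS = {"svc-legacy-sync", "svc-reporting-ro"}


def parse_events(raw):
    """Parse newline-delimited JSON sign-in events into dicts with datetime timestamps."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_canary_activity(events, canaries=CANARY_ACCOUNTS):
    """Any event touching a canary account is an alert, success or failure:
    the account has no legitimate use, so there is nothing to filter out."""
    return [
        {"rule": "canary_account_activity", "user": ev["user"],
         "src_ip": ev["src_ip"], "result": ev["result"]}
        for ev in events if ev["user"] in canaries
    ]


def detect_password_spray(events, min_accounts=5):
    """Password spraying tries a few passwords against many accounts, so the
    signal is the number of DISTINCT accounts failing from one source IP."""
    failed_users_by_ip = defaultdict(set)
    for ev in events:
        if ev["event"] == "login" and ev["result"] == "failure":
            failed_users_by_ip[ev["src_ip"]].add(ev["user"])
    return [
        {"rule": "password_spray", "src_ip": ip, "accounts": sorted(users)}
        for ip, users in failed_users_by_ip.items() if len(users) >= min_accounts
    ]


def detect_mfa_bombing(events, max_prompts=5, window=timedelta(minutes=10)):
    """MFA bombing floods one user with push prompts. Slide a time window over
    each user's prompt timestamps and alert once it holds more than max_prompts."""
    prompts_by_user = defaultdict(list)
    for ev in events:
        if ev["event"] == "mfa_prompt":
            prompts_by_user[ev["user"]].append(ev["ts"])
    alerts = []
    for user, times in prompts_by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_prompts:
                alerts.append({"rule": "mfa_bombing", "user": user, "prompts": end - start + 1})
                break
    return alerts


def run_detections(raw=SAMPLE_SIGNIN_LOG):
    """Run all three rules over a log and return the combined alert list."""
    events = parse_events(raw)
    return (detect_canary_activity(events)
            + detect_password_spray(events)
            + detect_mfa_bombing(events))


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

On the constructed log this raises exactly three alerts: the canary account `svc-legacy-sync` being signed into, a spray of six distinct accounts from `203.0.113.10`, and six MFA prompts to `frank` inside ten minutes. The canary rule deliberately has no threshold and no allow-list; the value of a canary account is that a single event is already high-confidence. The spray and bombing thresholds are example values that a real deployment would tune against its own baseline, and because the advisory notes the use of residential proxies, the spray rule should not be the only control relied on: a spray spread across many proxy addresses will fall under any per-IP threshold.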


The Stack is happy to point readers towards Thinkst's canarytokens.org, a free resource that lets end users run canarytokens for numerous file formats and even network resources such as DNS records or unique web URLs. It also furnishes cloud tokens to use as decoys. Documentation is here. It provides both an AWS API key Canarytoken and an Azure Login Certificate Token. Needless to say, this is not a proxy for a full and rigorous cloud security posture, but a useful tool in the toolkit.

As Thinkst put it in 2023, "as with all tokens, you can sprinkle Azure tokens throughout your environment and receive high fidelity notifications whenever they’re used. Place one on your CTO’s laptop, or on every server in your fleet. When attackers breach that laptop, or servers, or machine, they’ll search for useful credentials and discover the Azure tokens. Such juicy credentials are too tempting to ignore, and when they try them, you’ll be alerted to the compromise."