Russia’s ‘Midnight Blizzard’ Targets Service Accounts for Initial Cloud Access

February 27, 2024 at 04:56PM

The threat group “Midnight Blizzard,” associated with Russian intelligence services, has shifted tactics and is targeting organizations' cloud environments. Techniques include compromising automated cloud service accounts and dormant accounts, abusing OAuth tokens, and MFA bombing to gain unauthorized access. Recommended mitigations include multifactor authentication, strong passwords, and least-privilege principles for service accounts.

Key Takeaways:

1. “Midnight Blizzard,” a threat group linked to Russian intelligence services, has evolved its tactics to target cloud environments at organizations, including leveraging automated cloud services accounts and dormant accounts for initial access.

2. The UK’s National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) have issued an advisory warning about this shift in tactics and recommending mitigations to prevent initial access by this threat actor.

3. Midnight Blizzard, also known as APT29, Cozy Bear, and Dukes, has been tied with high confidence to Russia’s SVR and has targeted a wide range of sectors, including software supply chain, healthcare, law enforcement, aviation, and military industries.

4. The threat actor has been exploiting vulnerabilities and other weaknesses to gain initial access, increasingly targeting cloud-native and cloud-hosted environments as organizations move to cloud services.

5. Tactics employed by Midnight Blizzard include brute-force guessing and password-spraying attacks, leveraging dormant accounts, abusing OAuth tokens, and registering attacker-controlled devices for persistent access.

6. Recommendations for organizations include implementing multifactor authentication, creating strong passwords for service accounts, applying least privilege principles, keeping authentication token lifetimes short, and establishing “canary” service accounts for unauthorized access detection.
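As an added illustration of the detection side of these recommendations (example code, not from the article or the NCSC/CISA advisory), the following Python checks flag password spraying, any sign-in to a canary service account, and reactivation of a dormant account over constructed sign-in events; the event fields, thresholds and account names are assumptions.

```python
# Added example, not the article's or the advisory's code: detection checks over
# constructed sign-in events (field order and names are assumptions).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account, source_ip, outcome)
EVENTS = [
    ("2024-02-27T09:00:00", "svc-backup", "203.0.113.7", "fail"),
    ("2024-02-27T09:00:05", "svc-build", "203.0.113.7", "fail"),
    ("2024-02-27T09:00:09", "svc-sync", "203.0.113.7", "fail"),
    ("2024-02-27T09:00:14", "svc-report", "203.0.113.7", "fail"),
    ("2024-02-27T09:00:20", "svc-etl", "203.0.113.7", "success"),
    ("2024-02-27T10:30:00", "svc-canary-01", "198.51.100.4", "success"),
    ("2024-02-27T11:00:00", "alice", "192.0.2.10", "success"),
]
# Constructed: last known successful sign-in per account before this window.
LAST_SEEN = {"svc-etl": "2023-10-01T00:00:00", "alice": "2024-02-26T08:00:00"}
CANARY_ACCOUNTS = {"svc-canary-01"}  # decoy accounts that nothing legitimate uses

def detect_password_spray(events, min_accounts=4, window=timedelta(minutes=10)):
    """Source IPs that fail against >= min_accounts distinct accounts within window."""
    fails = defaultdict(list)
    for ts, acct, ip, outcome in events:
        if outcome == "fail":
            fails[ip].append((datetime.fromisoformat(ts), acct))
    flagged = set()
    for ip, attempts in fails.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            accts = {a for t, a in attempts[i:] if t - t0 <= window}
            if len(accts) >= min_accounts:
                flagged.add(ip)
                break
    return flagged

def detect_canary_signins(events, canaries=CANARY_ACCOUNTS):
    """Any authentication attempt against a canary account is an alert, pass or fail."""
    return [(ts, acct, ip) for ts, acct, ip, _ in events if acct in canaries]

def detect_dormant_reactivation(events, last_seen=LAST_SEEN, dormant_days=90):
    """Successful sign-ins to accounts with no activity for at least dormant_days."""
    hits = []
    for ts, acct, ip, outcome in events:
        if outcome == "success" and acct in last_seen:
            idle = datetime.fromisoformat(ts) - datetime.fromisoformat(last_seen[acct])
            if idle >= timedelta(days=dormant_days):
                hits.append((ts, acct, ip))
    return hits
```

In a real deployment the thresholds would be tuned per tenant and the events would come from the identity provider's sign-in log rather than an inline list.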

These takeaways summarize the significant threats posed by Midnight Blizzard and the recommended security measures for organizations to safeguard against these tactics.
