The Cybersecurity and Infrastructure Security Agency (CISA) recently announced that cyberattackers are adapting their techniques to gain initial access to cloud environments. The advisory discusses recent adjustments made by the group APT29, also known as the Dukes, Cozy Bear or Midnight Blizzard.

Previously, these attackers focused on on-premises networks when attempting to exploit vulnerabilities. As organizations have moved toward cloud infrastructure, however, the actors have shifted to attacking cloud services directly. CISA warns that this shift calls for an equally evolving approach to cybersecurity.

Security leaders weigh in 

Patrick Tiquet, Vice President, Security & Architecture at Keeper Security:

“CISA highlighting SVR actors targeting cloud infrastructure underscores the evolving nature of cyber threats and the adaptability of malicious actors. Organizations often create generic service accounts for the sake of convenience and streamlined management, especially for automated processes within their cloud environments. However, the use of such generic accounts can introduce security vulnerabilities, and if compromised, can grant attackers broad access to critical resources. Additionally, they provide no visibility into who has logged in to the shared account. 

It’s important that organizations keep an accurate inventory of all service accounts so that they can be regularly audited. This can help identify service accounts that are no longer in use so that they can be removed or disabled before becoming a security risk. A secure password manager can also help organizations mitigate risk by providing secure sharing capabilities. Access can be controlled and updated with fine-tuned granularity, and service account passwords can be updated as needed. With the use of privileged access management, passwords can even be set to automatically rotate at specified intervals, further protecting service accounts that cannot readily be secured with MFA.

The targeting of cloud services by threat actors is not surprising given the increasing reliance on cloud infrastructure by organizations. Cloud environments present attractive targets due to the concentration of sensitive data and critical services. The alert serves as a reminder for administrators to always ensure they’re using a secure vault and secrets management solution and installing necessary patches and critical updates immediately. They should also check their cloud console’s security controls to ensure they’re following the latest recommendations.” 
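As an added illustration of the service-account hygiene described in the quote above (keep an inventory, audit it regularly, disable unused accounts, and rotate passwords on accounts that cannot use MFA), the following script is not from the article or from any vendor named in it; it audits a constructed inventory whose account names, owners, dates and thresholds are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Reference time for the audit (constructed; a real run would use datetime.now(timezone.utc)).
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)


@dataclass
class ServiceAccount:
    name: str
    owner: Optional[str]          # accountable team; None means nobody claims the account
    last_login: Optional[datetime]  # None means the account has never authenticated
    password_age_days: int
    mfa_enrolled: bool
    auto_rotation: bool           # password rotated automatically by a PAM tool


# Constructed sample inventory with hypothetical names; not from the advisory.
INVENTORY: List[ServiceAccount] = [
    ServiceAccount("svc-backup", "platform", NOW - timedelta(days=5), 10, False, True),
    ServiceAccount("svc-legacy-etl", None, NOW - timedelta(days=200), 400, False, False),
    ServiceAccount("svc-ci-deploy", "devops", NOW - timedelta(days=2), 120, False, False),
    ServiceAccount("svc-never-used", "finance", None, 45, True, False),
]


def audit(accounts: List[ServiceAccount], now: datetime = NOW,
          stale_days: int = 90, max_password_age: int = 30) -> Dict[str, List[str]]:
    """Return {account name: [findings]} for accounts that need attention."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        issues: List[str] = []
        # Unused accounts are the ones to remove or disable before they become a risk.
        if acct.last_login is None or (now - acct.last_login) > timedelta(days=stale_days):
            issues.append("stale: no login within %d days, disable or remove" % stale_days)
        # A shared account with no owner gives no visibility into who is responsible.
        if acct.owner is None:
            issues.append("no owner: nobody accountable for this shared credential")
        # Accounts without MFA rely on the password alone, so it must be rotated on schedule.
        if (not acct.mfa_enrolled and not acct.auto_rotation
                and acct.password_age_days > max_password_age):
            issues.append("no MFA and password older than %d days: rotate" % max_password_age)
        if issues:
            findings[acct.name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(INVENTORY).items():
        print(name, "->", "; ".join(issues))
```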

Jason Soroko, Senior Vice President of Product at Sectigo:

“Machines need to authenticate to machines, and forms of authentication that were meant for human beings are not well suited. Many generic service accounts are set up for authentication by various forms of workloads that are headless, or without human interaction. There are better credential form factors for strong machine-to-machine authentication, and one of those takes the form of a digital certificate. It can be tied to the identity of a device or workload and doesn’t rely on a shared secret, such as a username/password.”