AdaptTactics' Advisory: The Art of Cloud Sneakery

The ‎document‏ ‎titled ‎“cyber ‎actors ‎adapt ‎tactics‏ ‎for ‎initial‏ ‎cloud‏ ‎access” ‎released ‎by‏ ‎the ‎National‏ ‎Security ‎Agency ‎(NSA) ‎warns‏ ‎of‏ ‎use ‎of‏ ‎cyber ‎actors‏ ‎have ‎adapted ‎their ‎tactics ‎to‏ ‎gain‏ ‎initial ‎access‏ ‎to ‎cloud‏ ‎services, ‎as ‎opposed ‎to ‎exploiting‏ ‎on-premise‏ ‎network‏ ‎vulnerabilities.

This ‎shift‏ ‎is ‎in‏ ‎response ‎to‏ ‎organizations‏ ‎modernizing ‎their‏ ‎systems ‎and ‎moving ‎to ‎cloud-based‏ ‎infrastructure. ‎The‏ ‎high-profile‏ ‎cyber ‎campaigns ‎like‏ ‎the ‎SolarWinds‏ ‎supply ‎chain ‎compromise ‎are‏ ‎now‏ ‎expanding ‎to‏ ‎sectors ‎such‏ ‎as ‎aviation, ‎education, ‎law ‎enforcement,‏ ‎local‏ ‎and ‎state‏ ‎councils, ‎government‏ ‎financial ‎departments, ‎and ‎military ‎organizations.

The‏ ‎stark‏ ‎reality‏ ‎is ‎that‏ ‎to ‎breach‏ ‎cloud-hosted ‎networks,‏ ‎these‏ ‎actors ‎need‏ ‎only ‎to ‎authenticate ‎with ‎the‏ ‎cloud ‎provider,‏ ‎and‏ ‎if ‎they ‎succeed,‏ ‎the ‎defenses‏ ‎are ‎breached. ‎The ‎document‏ ‎highlights‏ ‎a ‎particularly‏ ‎disconcerting ‎aspect‏ ‎of ‎cloud ‎environments: ‎the ‎reduced‏ ‎network‏ ‎exposure ‎compared‏ ‎to ‎on-premises‏ ‎systems ‎paradoxically ‎makes ‎initial ‎access‏ ‎a‏ ‎more‏ ‎significant ‎linchpin.

Over‏ ‎the ‎past‏ ‎year, ‎the‏ ‎TTPs‏ ‎observed ‎have‏ ‎been ‎alarmingly ‎simple ‎yet ‎effective,‏ ‎with ‎the‏ ‎cyber‏ ‎actors ‎exploiting ‎service‏ ‎and ‎dormant‏ ‎accounts ‎through ‎brute ‎force‏ ‎attacks.‏ ‎The ‎document‏ ‎offers ‎a‏ ‎cold ‎comfort ‎implies ‎a ‎race‏ ‎against‏ ‎time ‎to‏ ‎fortify ‎their‏ ‎defenses ‎against ‎these ‎TTPs ‎to‏ ‎prevent‏ ‎initial‏ ‎access.

Keypoints

📌Adaptation ‎to‏ ‎Cloud ‎Services:‏ ‎Cyber ‎actors‏ ‎have‏ ‎shifted ‎their‏ ‎focus ‎from ‎exploiting ‎on-premises ‎network‏ ‎vulnerabilities ‎to‏ ‎directly‏ ‎targeting ‎cloud ‎services.‏ ‎This ‎change‏ ‎is ‎a ‎response ‎to‏ ‎the‏ ‎modernization ‎of‏ ‎systems ‎and‏ ‎the ‎migration ‎of ‎organizational ‎infrastructure‏ ‎to‏ ‎the ‎cloud.

📌Authentication‏ ‎as ‎a‏ ‎Key ‎Step: ‎To ‎compromise ‎cloud-hosted‏ ‎networks,‏ ‎cyber‏ ‎actors ‎must‏ ‎first ‎successfully‏ ‎authenticate ‎with‏ ‎the‏ ‎cloud ‎provider.‏ ‎Preventing ‎this ‎initial ‎access ‎is‏ ‎crucial ‎for‏ ‎stopping‏ ‎from ‎compromising ‎the‏ ‎target.

📌Expansion ‎of‏ ‎Targeting: ‎Cyber ‎actors ‎have‏ ‎broadened‏ ‎their ‎targeting‏ ‎to ‎include‏ ‎sectors ‎such ‎as ‎aviation, ‎education,‏ ‎law‏ ‎enforcement, ‎local‏ ‎and ‎state‏ ‎councils, ‎government ‎financial ‎departments, ‎and‏ ‎military‏ ‎organizations.‏ ‎This ‎expansion‏ ‎indicates ‎a‏ ‎strategic ‎diversification‏ ‎of‏ ‎targets ‎for‏ ‎intelligence ‎gathering.

📌Use ‎of ‎Service ‎and‏ ‎Dormant ‎Accounts: it‏ ‎highlights‏ ‎that ‎cyber ‎actors‏ ‎have ‎been‏ ‎observed ‎using ‎brute ‎force‏ ‎attacks‏ ‎to ‎access‏ ‎service ‎and‏ ‎dormant ‎accounts ‎over ‎the ‎last‏ ‎12‏ ‎months. ‎This‏ ‎tactic ‎allows‏ ‎to ‎gain ‎initial ‎access ‎to‏ ‎cloud‏ ‎environments.

📌Sophistication‏ ‎of ‎cyber‏ ‎actors: ‎The‏ ‎cyber ‎actors‏ ‎can‏ ‎execute ‎global‏ ‎supply ‎chain ‎compromises, ‎such ‎as‏ ‎the ‎2020‏ ‎SolarWinds‏ ‎incident.

📌Defense ‎through ‎Cybersecurity‏ ‎Fundamentals: ‎The‏ ‎advisory ‎emphasizes ‎that ‎a‏ ‎strong‏ ‎baseline ‎of‏ ‎cybersecurity ‎fundamentals‏ ‎can ‎defend ‎against ‎cyber ‎actors.‏ ‎For‏ ‎organizations ‎that‏ ‎have ‎transitioned‏ ‎to ‎cloud ‎infrastructure, ‎protecting ‎against‏ ‎TTPs‏ ‎for‏ ‎initial ‎access‏ ‎is ‎presented‏ ‎as ‎a‏ ‎first‏ ‎line ‎of‏ ‎defense.