五眼联盟揭露APT29的新云攻击策略

Cybersecurity and intelligence agencies from the Five Eyes nations have released a joint advisory detailing the evolving tactics of the Russian state-sponsored threat actor known as APT29.

五眼国家的网络安全和情报机构发布了一份联合通告，详细介绍了俄罗斯政府支持的威胁行动者APT29的演变战术。

The hacking outfit, also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes, is assessed to be affiliated with the Foreign Intelligence Service (SVR) of the Russian Federation.

这个黑客组织也被称为BlueBravo、Cloaked Ursa、Cozy Bear、午夜暴风雪（原名Nobelium）和公爵，被认为与俄罗斯联邦外情局（SVR）有关。

Previously attributed to the supply chain compromise of SolarWinds software, the cyber espionage group attracted attention in recent months for targeting Microsoft, Hewlett Packard Enterprise (HPE), and other organizations with an aim to further their strategic objectives.

此前被归因于SolarWinds软件的供应链妥协，这个网络间谍组织最近几个月以来一直在针对微软、惠普企业（HPE）和其他组织，旨在推进他们的战略目标，引起了关注。

"As organizations continue to modernize their systems and move to cloud-based infrastructure, the SVR has adapted to these changes in the operating environment," according to the security bulletin.

根据安全公告，"随着组织继续现代化其系统并转向基于云的基础架构，SVR已经适应了操作环境的这些变化。"

These include -

这些包括 -

• Obtaining access to cloud infrastructure via service and dormant accounts by means of brute-force and password spraying attacks, pivoting away from exploiting software vulnerabilities in on-premise networks

  通过使用暴力破解和密码喷射攻击手段，通过服务和休眠账户获得对云基础设施的访问权限，从而转向利用本地网络中的软件漏洞

• Using tokens to access victims' accounts without the need for a password

  利用令牌访问受害者的账户，无需密码

• Leveraging password spraying and credential reuse techniques to seize control of personal accounts, use prompt bombing to bypass multi-factor authentication (MFA) requirements, and then registering their own device to gain access to the network

  利用密码喷洒和凭证重用技术来夺取对个人账户的控制权，使用提示轰炸来绕过多因素身份验证（MFA）要求，然后注册自己的设备以获取对网络的访问权限

• Making it harder to distinguish malicious connections from typical users by utilizing residential proxies to make the malicious traffic appear as if it's originating from IP addresses within internet service provider (ISP) ranges used for residential broadband customers and conceal their true origins

  通过使用住宅代理使恶意流量看起来像是来自于用于住宅宽带客户的互联网服务提供商（ISP）范围内的IP地址，从而使恶意连接难以与典型用户区分开，并隐藏其真实来源。

"For organizations that have moved to cloud infrastructure, the first line of defense against an actor such as SVR should be to protect against SVR' TTPs for initial access," the agencies said. "Once the SVR gains initial access, the actor is capable of deploying highly sophisticated post compromise capabilities such as MagicWeb."

"对于已经转向云基础架构的组织，对抗诸如SVR这样的行动者的第一道防线应该是保护免受SVR的初始访问TTPs。一旦SVR获得初始访问权限，该行动者就有能力部署高度复杂的后期妥协能力，如MagicWeb。"

原文始发于微信公众号（知机安全）：五眼联盟揭露APT29的新云攻击策略