Russian APT group pivots to network edge device misconfigurations

Credential harvesting: The researchers also observed credential replay attacks against victims' other online services using stolen domain credentials following network edge device compromises. This indicates that the attackers are likely harvesting credentials by leveraging the traffic capturing and analysis capabilities of the compromised devices. "Time gap between device compromise and authentication attempts against victim services suggests passive collection rather than active credential theft," the researchers found. Network traffic interception is consistent with Sandworm's known tradecraft, and the targeting of network edge devices specifically positions the attackers to intercept credentials in transit.

How critical infrastructure providers can defend against this threat: The group has a strong focus on the energy sector, with victims including electric utility companies, energy providers and even MSSPs with energy sector clients. However, it has also targeted technology and cloud service providers, as well as telecommunications companies across multiple regions.

The Amazon Threat Intelligence team advises organizations to audit their network edge devices for packet capture files or utilities that shouldn't be present, to review their device configurations and isolate management interfaces, and to implement multi-factor authentication.

Companies should also review authentication logs and monitor authentication attempts from unexpected geographic locations. Anomaly detection for authentication patterns should be implemented for all online services, and the use of plain text protocols that could expose credentials in transit should be audited.

The Amazon report includes indicators of compromise associated with this attack campaign as well as security recommendations specific to AWS environments.
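The two defensive points above (the time gap between an edge device compromise and later credential replay, and monitoring authentication attempts from unexpected locations) can be turned into a simple detector. The following is an added example, not code from the CSO article or from Amazon's report; the log format, user names, country codes, IP addresses and the compromise timestamp are all constructed for illustration. It learns each user's normal login countries only from successful logins before the compromise time, so that logins made with harvested credentials cannot teach the detector that the attacker's location is normal, and it reports how long after the compromise each suspicious attempt occurred.

```python
"""Flag credential replay against online services after a network edge device compromise.

Added example, not code from the CSO article or the Amazon report. The log format,
field names, country codes and compromise timestamp below are all constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample authentication log (key=value fields after an ISO-8601 timestamp).
SAMPLE_AUTH_LOG = """\
2024-05-01T08:02:11Z user=alice result=success country=DE src=203.0.113.10 service=vpn
2024-05-01T08:15:40Z user=bob result=success country=DE src=203.0.113.11 service=mail
2024-05-02T09:00:05Z user=alice result=success country=DE src=203.0.113.10 service=mail
2024-05-03T22:41:19Z user=alice result=failure country=RU src=198.51.100.7 service=mail
2024-05-03T22:41:33Z user=alice result=success country=RU src=198.51.100.7 service=mail
2024-05-03T23:05:02Z user=bob result=success country=NL src=198.51.100.8 service=vpn
"""

# Countries the (hypothetical) organisation expects its staff to log in from.
EXPECTED_COUNTRIES = {"DE", "NL"}

# Hypothetical time at which the edge device was determined to be compromised.
EDGE_DEVICE_COMPROMISE = datetime(2024, 5, 3, 12, 0, tzinfo=timezone.utc)


def parse_auth_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'time' field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        # Accept the trailing 'Z' on older Python versions by rewriting it as an offset.
        event["time"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["time"])


def detect_credential_replay(log_text, expected_countries, compromise_time):
    """Return alerts for authentication attempts that look like replayed credentials.

    The per-user geography baseline is built only from successful logins *before*
    the compromise timestamp; everything at or after it is judged against that
    frozen baseline and against the organisation-wide expected-country set.
    """
    events = parse_auth_log(log_text)
    baseline = defaultdict(set)
    for e in events:
        if e["time"] < compromise_time and e["result"] == "success":
            baseline[e["user"]].add(e["country"])

    alerts = []
    for e in events:
        reasons = []
        if e["country"] not in expected_countries:
            reasons.append("unexpected_country")
        if e["time"] >= compromise_time and e["country"] not in baseline[e["user"]]:
            reasons.append("new_country_for_user")
        if reasons:
            gap = e["time"] - compromise_time
            alerts.append({
                "time": e["time"].isoformat(),
                "user": e["user"],
                "service": e["service"],
                "country": e["country"],
                "result": e["result"],
                "reasons": reasons,
                # Hours elapsed since the device compromise; None if the attempt predates it.
                "hours_after_compromise": round(gap.total_seconds() / 3600, 2)
                if gap.total_seconds() >= 0 else None,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_replay(SAMPLE_AUTH_LOG, EXPECTED_COUNTRIES,
                                          EDGE_DEVICE_COMPROMISE):
        print(alert)
```

With the constructed log, the two attempts by "alice" from RU are flagged both as an unexpected country and as a country never seen for that user, and the later login by "bob" from NL is flagged only because NL is new for that account even though it is an expected country for the organisation. In practice the per-user baseline would be fed from the SIEM rather than embedded in the script, and the compromise timestamp would come from the incident timeline.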

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4107406/russian-apt-group-pivots-to-network-edge-device-misconfigurations.html
