U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

APT

Russia-linked APT29 switched to targeting cloud services

Russia-linked APT29 threat actors have switched to targeting cloud services, according to a joint alert issued by the Five Eyes cybersecurity agencies. A joint advisory issued by cybersecurity agencies of Five Eyes (US, UK, Australia, Canada and New Zealand) warns that Russia-linked APT29 threat actors (aka SVR group, Cozy Bear, Nobelium, BlueBravo, Midnight Blizzard, and The Dukes) have switched to targeting […]

CISA BlueHammer (CVE-2026-33825)

Russia-linked APT29 threat actors have switched to targeting cloud services, according to a joint alert issued by the Five Eyes cybersecurity agencies.

A joint advisory issued by cybersecurity agencies of Five Eyes (US, UK, Australia, Canada and New Zealand) warns that Russia-linked APT29 threat actors (aka SVR groupCozy BearNobeliumBlueBravoMidnight Blizzard, and The Dukes) have switched to targeting cloud services.

The alert warns of the changes in recent tactics, techniques, and procedures (TTPs) associated with the nation-state actor.

“As organizations continue to modernize their systems and move to cloud-based infrastructure, the SVR has adapted to these changes in the operating environment.” reads the joint advisory. “They have to move beyond their traditional means of initial access, such as exploiting software vulnerabilities in an on-premises network, and instead target the cloud services themselves.”

To infiltrate the cloud-hosted network of the majority of victims, attackers have to authenticate themselves successfully with the cloud provider. On the other hand, in an on-premises system, a greater portion of the network is generally vulnerable to threat actors.

In previous campaigns associated with this threat actor, APT29 used brute forcing and password spraying to compromise service accounts. These accounts aren’t operated by a human and for this reason lack of multi-factor authentication (MFA). An attacker can compromise these accounts to gain privileged initial access to a network, facilitating the initiation of further operations.

The threat actors also targeted dormant accounts linked to users who no longer have active roles within a target organization.

According to the advisory, the APT29 was also observed using tokens to access victim accounts and bypassing MFA through ‘MFA bombing’ or ‘MFA fatigue’, which consists of repeatedly pushing MFA requests to a victim’s device until the victim accepts the notification.

“Once an actor has bypassed these systems to gain access to the cloud environment, SVR actors have been observed registering their own device as a new device on the cloud tenant [T1098.005]. If device validation rules are not set up, SVR actors can successfully register their own device and gain access to the network.” continues the advisory.

Cyberspies also rely on residential proxies to avoid detection and make traffic appear to originate from IP addresses within internet service provider (ISP) ranges used for residential broadband customers and hide the true source.

Five Eyes experts recommend organizations that have moved to a cloud infrastructure, to protect against SVR’s TTPs for initial access. The advisory includes a series of mitigations that can allow to neutralize the threat.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, APT29)