In this episode, host John Martinez provides an update on the latest CozyBear attacks on Microsoft and shares tips for how organizations can protect themselves against these attacks.
Hey everybody.
Welcome to today's episode of John Has Trust Issues where I talk about things related to Zero Trust and authorization in a few minutes.
Short and to the point is the point.
I'm John Martinez, I'm the technical evangelist over here at StrongDM and my trust issues stem from just being and working in the cloud and IT and security and all of those worlds for so many years.
Okay, let's get to the topic of today.
We're gonna talk about, again, something that I talked about, oh geez, way back in my first episode.
Let's rewind a little bit.
And that's the continuing attacks on Microsoft by the Russian hacker group called Cozy Bear, also known as APT29.
This definitely is a rewind of a few weeks ago.
So anyway, Cozy Bear, APT29, continues to target Microsoft and other targets to gain stolen credentials and a whole bunch of juicy secrets from Microsoft and others, but mainly Microsoft.
And they're continuing their attacks, they're relentless.
They've been continuing and, as has been reported, they've actually now gotten access to source code and other juicy secrets within the Microsoft environment.
According to some of these reports, no customer credentials or customer secrets have been stolen.
But that, that's what we hear from the reports.
And needless to say, a lot of US-based organizations and entities are extremely upset that this is still happening and we're continuing to watch the situation.
So we'll report again if this continues.
So how did they do this? Well, let's talk a little bit about some of the tactics that are used in this attack.
And for sure, you know, good old-fashioned brute-force password attacks, that's been going on.
So has authentication token hijacking on machine accounts.
So service accounts, that's been happening as well.
And a favorite of mine is MFA bombing and MFA fatigue, where they continuously send users these tons and tons of MFA requests and eventually people get tired and just say, okay, okay, that is me.
Which in this case is absolutely not.
So anyway, what can we do to defend against something like this?
Well, a couple of things, right?
MFA, MFA, MFA, even though I just said that MFA fatigue is a real thing, and continuously, to that point, is continuously.
Next thing is to continuously authorize privileged sessions.
That's a part of this.
If you know that you're gonna need to access or your users are gonna need to access a database, for example, that's got very delicate secrets or a source code repository, definitely challenge.
And do things like MFA again, or do location-based context, context awareness, you know, for that particular session.
Which brings me to the next point here.
And that's device trust as a contextual signal as well in addition to the other context that I was just talking about.
And you can do this with XDR-managed devices for authorization purposes.
And then finally implement least privilege everywhere for all accounts.
This includes service accounts; the least privilege that you can have is no privileges at all.
And then just do privilege escalation, privileged access, to those sensitive resources.
So that, that's it. Another episode of John Has Trust Issues.
This episode was brought to you by StrongDM, the Dynamic Access platform for all of your sensitive and all of your privileged access across your infrastructure.
Thank you very much, and we'll see you next time.
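The MFA bombing tactic described in the episode leaves a recognizable trace in authentication logs: a burst of push prompts for one user, often several denials followed by an approval. The detection below is an added example, not from the episode or from StrongDM; the log format, user names and the 4-prompts-in-5-minutes threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (not real data): "timestamp user result".
SAMPLE_LOG = """\
2024-03-01T09:00:00 alice denied
2024-03-01T09:00:30 alice denied
2024-03-01T09:01:00 alice denied
2024-03-01T09:01:20 alice denied
2024-03-01T09:01:45 alice denied
2024-03-01T09:02:10 alice approved
2024-03-01T09:05:00 bob approved
2024-03-01T11:00:00 bob denied
2024-03-01T11:30:00 bob approved
"""


def parse_events(text):
    """Parse log lines into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return events


def find_mfa_fatigue(events, window=timedelta(minutes=5), threshold=4):
    """Flag users who got `threshold` or more prompts inside any `window`.

    The alert records the largest burst seen and whether an approval came
    after earlier denials in that burst, the sign the fatigue attack worked
    and the resulting session should be re-challenged or revoked."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    alerts = {}
    for user, prompts in by_user.items():
        start = 0
        for end, (ts_end, result) in enumerate(prompts):
            # Slide the window start forward until the burst fits in `window`.
            while ts_end - prompts[start][0] > window:
                start += 1
            count = end - start + 1
            if count < threshold:
                continue
            alert = alerts.setdefault(
                user, {"max_prompts": 0, "approved_after_denials": False})
            alert["max_prompts"] = max(alert["max_prompts"], count)
            if result == "approved" and any(r == "denied" for _, r in prompts[start:end]):
                alert["approved_after_denials"] = True
    return alerts
```

Bob's three prompts spread over hours never fill the window, so only Alice's burst is flagged.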