Russia's APT29 Targeting Microsoft 365 Users
Group Also Known as 'Cozy Bear' Circumvents Multifactor Authentication
Anti-hacking measures from Microsoft meant to stymie advanced persistent threats are being met with new techniques by one of the most persistent of such threat groups, reports Mandiant.
The threat intelligence firm says it's witnessing Russian intelligence-linked APT29 engage in new tactics targeting Microsoft 365, the ubiquitous suite of productivity and cloud storage apps.
APT29, also known as Cozy Bear, is known for targeting industries including healthcare, pharmaceutical, academia, energy, financial, government, media and technology, as well as think tanks. The U.S. intelligence community links APT29 with Russia's Foreign Intelligence Service. The group was behind the SolarWinds Orion attack in 2020.
Multifactor Authentication Hack
Among the new techniques the hacking group is using to circumvent Microsoft security is the takeover of dormant Azure accounts, exploiting a weakness in Azure Active Directory multifactor authentication enrollment.
Most organizations that enforce multifactor authentication leave it to users to self-enroll at their next login, says Mandiant.
That means anyone in possession of credentials for a dormant account can set up a valid second authentication factor. Mandiant says APT29 used stolen credentials, enrolled in second-factor authentication, to access an unnamed organization's VPN infrastructure. The hackers were able to penetrate the virtual environment since the organization used Azure Active Directory for VPN authentication.
Microsoft has a number of measures to mitigate this attack. It is rolling out number matching, a feature that requires users to respond to a push notification from a multifactor authentication app by manually keying in a number displayed on the sign-in screen.
System administrators can also require multifactor authentication to set up multifactor authentication, starting the enrollment chain with a Temporary Access Pass. They can also activate Conditional Access to limit the registration of multifactor authentication devices to trusted networks or devices.
Hackers don't like leaving records of their activity. One premium Microsoft 365 feature is Purview Audit, which gives visibility into data points such as user-agent string, timestamp, IP address, and user each time a mail item is accessed.
Mandiant says it's seen APT29 simply turning the feature off. Doing so itself creates log entries registering changes to user settings and to the user license. But the "Update user" log event doesn't record what aspect of the license changed, while the "Change User License" event records potentially duplicative events for a single operation, Mandiant says. The firm recommends system administrators run a custom script that detects users who are licensed for Purview Audit but do not have advanced auditing enabled.
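One way to implement the check described above, as an added example (not Mandiant's script): it reads data shaped like Microsoft Graph `subscribedSkus` and user `assignedLicenses` output and flags users whose licenses include the audit plan but have it disabled on every one. The plan name `M365_ADVANCED_AUDITING`, the placeholder IDs and the sample users are assumptions constructed for illustration; real tenants use GUIDs.

```python
"""Flag users licensed for advanced auditing who have the plan disabled."""

# Assumption: service plan name of Purview Audit (Premium) in SKU listings.
AUDIT_PLAN_NAME = "M365_ADVANCED_AUDITING"

# Constructed sample shaped like Graph /subscribedSkus (IDs are placeholders).
SAMPLE_SKUS = [
    {"skuId": "sku-e5", "servicePlans": [
        {"servicePlanId": "plan-audit", "servicePlanName": AUDIT_PLAN_NAME},
        {"servicePlanId": "plan-exo", "servicePlanName": "EXCHANGE_S_ENTERPRISE"}]},
    {"skuId": "sku-addon", "servicePlans": [
        {"servicePlanId": "plan-audit", "servicePlanName": AUDIT_PLAN_NAME}]},
    {"skuId": "sku-e3", "servicePlans": [
        {"servicePlanId": "plan-exo", "servicePlanName": "EXCHANGE_S_ENTERPRISE"}]},
]

# Constructed sample shaped like Graph /users?$select=...,assignedLicenses.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com", "assignedLicenses": [
        {"skuId": "sku-e5", "disabledPlans": []}]},
    {"userPrincipalName": "bob@example.com", "assignedLicenses": [
        {"skuId": "sku-e5", "disabledPlans": ["plan-audit"]}]},
    {"userPrincipalName": "carol@example.com", "assignedLicenses": [
        {"skuId": "sku-e3", "disabledPlans": []}]},
    {"userPrincipalName": "dave@example.com", "assignedLicenses": [
        {"skuId": "sku-e5", "disabledPlans": ["plan-audit"]},
        {"skuId": "sku-addon", "disabledPlans": []}]},
]

def audit_plan_by_sku(skus, plan_name=AUDIT_PLAN_NAME):
    """Map skuId -> servicePlanId for every SKU that bundles the audit plan."""
    return {sku["skuId"]: plan["servicePlanId"]
            for sku in skus for plan in sku.get("servicePlans", [])
            if plan.get("servicePlanName") == plan_name}

def users_with_audit_disabled(users, skus):
    """Return UPNs licensed for the audit plan but with it enabled nowhere."""
    plan_of = audit_plan_by_sku(skus)
    flagged = []
    for user in users:
        licensed = enabled = False
        for lic in user.get("assignedLicenses", []):
            plan_id = plan_of.get(lic.get("skuId"))
            if plan_id is None:
                continue  # this SKU does not include the audit plan
            licensed = True
            if plan_id not in lic.get("disabledPlans", []):
                enabled = True  # plan is active through this license
        if licensed and not enabled:
            flagged.append(user["userPrincipalName"])
    return sorted(flagged)
```

Running it on a schedule and diffing the flagged list against the previous run surfaces newly disabled accounts without relying on the ambiguous license-change log events.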
Attacking from Azure
What better way to hide an attack on data hosted on Microsoft's Azure cloud than to have the attacks originate from Azure? Whether APT29 is actually paying Microsoft for the Azure access or taking over accounts, the hacking group uses Azure virtual machines to hide its attacks by obfuscating their origin. It can be difficult to look at a ream of log data in order to determine if an IP address belongs to a malicious Azure virtual machine or just another Microsoft 365 service.
"Mandiant expects that APT29 will stay apace with the development of techniques and tactics to access Microsoft 365 in novel and stealthy ways," Mandiant says.