Researchers at the cybersecurity firm Mandiant have discovered that the state-backed Russian hacking group APT29, also known as Cozy Bear or Nobelium, is actively targeting Microsoft 365 accounts in the U.S. and NATO-affiliated organizations in espionage campaigns to steal sensitive data.
Mandiant, which has been tracking APT29 since at least 2014, pointed out that the Russian espionage group is “using new tactics and aggressively targeting Microsoft 365 in attacks that demonstrate exceptional operational security and evasion”.
The company highlighted some of APT29’s new advanced TTPs (tactics, techniques, and procedures) in a report published on Thursday.
For a threat actor, one of the most troublesome logging security features is Purview Audit, a higher-grade security feature in the Microsoft 365 suite. This feature, available with E5 licenses and certain add-ons, enables the Mail Items Accessed audit. Mail Items Accessed records the user-agent string, timestamp, IP address, and user each time a mail item is accessed, regardless of the client used (Outlook, browser, Graph API).
Mandiant observed that APT29 was able to disable Purview Audit on targeted accounts in a compromised tenant in order to target the inbox for email collection.
“Once disabled, they begin targeting the inbox for email collection. At this point, there is no logging available to the organization to confirm which accounts the threat actor targeted for email collection and when. Given APT29’s targeting and TTPs Mandiant believes that email collection is the most likely activity following disablement of Purview Audit,” reads the report published by Mandiant.
“We have updated our whitepaper Remediation and hardening strategies for Microsoft 365 to include more details on this technique as well as detection and remediation advice. Additionally, we have updated the Azure AD Investigator with a new module to report on users with advanced auditing disabled.”
The researchers also discovered another new tactic being employed by APT29, which takes advantage of the self-enrollment process for multi-factor authentication (MFA) in Azure Active Directory (AD).
This method abuses the lack of strict controls on new MFA enrollments in Azure AD’s default configuration: anyone who knows the username and password can access the account from any location and any device and enroll MFA, as long as they are the first person to do so.
“In one instance, APT29 conducted a password guessing attack against a list of mailboxes they had obtained through unknown means. The threat actor successfully guessed the password to an account that had been set up, but never used. Because the account was dormant, Azure AD prompted APT29 to enroll in MFA. Once enrolled, APT29 was able to use the account to access the organization’s VPN infrastructure that was using Azure AD for authentication and MFA,” continues the report.
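The dormant-account pattern described above leaves a detectable trace: the account's first-ever successful sign-in (often preceded by failed guesses) is followed within minutes by a security-info registration. The following detection is an added example written for this article, not code from Mandiant or Microsoft; the event field names and the sample events are constructed, and the audit activity name is assumed to match Azure AD's "User registered security info" entry.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names loosely follow
# Azure AD sign-in and audit log exports but are an assumption of this example.
SIGNINS = [
    {"user": "svc-legacy@example.test", "time": "2022-08-01T08:55:00", "ip": "203.0.113.7", "ok": False},
    {"user": "svc-legacy@example.test", "time": "2022-08-01T08:57:00", "ip": "203.0.113.7", "ok": False},
    {"user": "svc-legacy@example.test", "time": "2022-08-01T09:00:00", "ip": "203.0.113.7", "ok": True},
    {"user": "jdoe@example.test", "time": "2022-07-20T08:00:00", "ip": "198.51.100.5", "ok": True},
    {"user": "jdoe@example.test", "time": "2022-08-01T10:00:00", "ip": "198.51.100.5", "ok": True},
]
AUDITS = [
    {"user": "svc-legacy@example.test", "time": "2022-08-01T09:02:00", "activity": "User registered security info"},
    {"user": "jdoe@example.test", "time": "2022-08-01T10:01:00", "activity": "User registered security info"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def first_signin_enrollments(signins, audits, window=timedelta(minutes=30)):
    """Return one finding per MFA registration that occurs within `window` of the
    account's first-ever successful sign-in: the shape a dormant account takes
    when someone other than its owner completes MFA enrollment. Each finding
    also counts the failed sign-ins before that first success, a hint of
    password guessing. Accounts with an older sign-in history are ignored."""
    first_ok, failures = {}, {}
    for s in sorted(signins, key=lambda s: s["time"]):
        if s["user"] in first_ok:
            continue  # only events up to the first success matter here
        if s["ok"]:
            first_ok[s["user"]] = s
        else:
            failures[s["user"]] = failures.get(s["user"], 0) + 1
    findings = []
    for a in audits:
        if a["activity"] != "User registered security info":
            continue
        first = first_ok.get(a["user"])
        if first is None:
            continue
        delta = _ts(a["time"]) - _ts(first["time"])
        if timedelta(0) <= delta <= window:
            findings.append({
                "user": a["user"],
                "first_signin_ip": first["ip"],
                "registered_at": a["time"],
                "failed_before_first_success": failures.get(a["user"], 0),
            })
    return findings
```

On the constructed sample only the never-used service account is flagged; jdoe registered security info weeks after an established sign-in history and is left alone.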
Lastly, Mandiant has observed APT29 operating from Azure Virtual Machines (VMs) hosted in Azure subscriptions outside of the victim organization. It is unclear whether the group compromised or purchased these subscriptions.
The group has also been observed mixing benign administrative actions with its malicious ones to confuse anyone investigating its activity.
“For example, in a recent investigation APT29 gained access to a global administrator account in Azure AD. They used the account to backdoor a service principal with ApplicationImpersonation rights and start collecting email from targeted mailboxes in the tenant,” added the report.
Once the certificate credential was added, APT29 was able to authenticate to Azure AD as the service principal and use its roles to collect email. To blend in, APT29 gave the certificate a Common Name (CN) that matched the display name of the backdoored service principal and added a new Application Address URL to it.
“APT29 continues to develop its technical tradecraft and dedication to strict operational security. Mandiant expects that APT29 will stay apace with the development of techniques and tactics to access Microsoft 365 in novel and stealthy ways,” the report concludes.