Researchers at Mandiant found a new campaign from Cozy Bear – a Russian state-backed hacking group also known as APT29 – targeting enterprise Microsoft 365 accounts to steal data.
The threat actor has been seen abusing the MFA registration process of Microsoft’s Azure Active Directory, disabling Purview Audit logging, and contaminating the logs to hide its activity from analysts. Researchers have released the tactics, techniques, and procedures of this latest campaign so that defenders can detect and contain it.
Hacking Legit Microsoft Services
Amongst the many state-backed hacking groups active today, Russia’s APT29 (also called Cozy Bear or Nobelium) is one of the most prominent threat actors. It has persistently attacked officials in NATO countries to steal sensitive data.
It mainly targets their Office 365 accounts, which carry sensitive communications. Now, Mandiant researchers have found that APT29 is exploiting Azure services to get into its targets’ Microsoft 365 accounts and conceal its tracks.
Microsoft 365 is a cloud-based productivity suite running on Azure and aimed at businesses, and anyone self-enrolling into Azure Active Directory for the first time is asked to register MFA at the same time.
Because such accounts then satisfy Azure’s security prerequisite, the suite lets them access the organization’s VPN infrastructure with fewer objections – which is exactly what APT29 wanted: to roam freely in the compromised network.
The group has been seen brute-forcing the credentials of accounts that had never logged into the domain and then enrolling its own devices into MFA on those accounts. With this access, the threat actor proceeds to disable Purview Audit – a higher-tier security feature of the Microsoft 365 suite that logs the user agent, IP address, timestamp, and username each time an email is accessed.
With this disabled, access to the victim’s mailboxes raises no flags. Finally, the group uses Azure virtual machines to “contaminate” the logs with Microsoft IP addresses – which are genuine, and so make the threat actor’s traffic hard to distinguish from legitimate Microsoft traffic.
It further obfuscates Azure AD admin activity by mixing its malicious actions with Application Address URLs, making it harder for Defender services or analysts to flag the activity.
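The three behaviours described above (first-time MFA registration on a dormant account, mailbox auditing switched off, and mailbox access from Microsoft-owned address space the tenant has never used) each leave a record in Azure AD and Exchange audit data, and they are far more telling together than apart. The following triage script is an added example, not code from Mandiant or Microsoft: it runs over a handful of constructed audit records whose field names loosely follow the Unified Audit Log’s AuditData layout (`Operation`, `UserId`, `Parameters`, `ClientIPAddress`), plus a constructed last-sign-in table and a constructed baseline of the tenant’s known networks, and correlates the signals per account.

```python
"""Triage exported Microsoft 365 / Azure AD audit records for the APT29
pattern described above. Added example; every record, sign-in date and
network below is constructed, not taken from the Mandiant report."""

import ipaddress
from datetime import datetime, timedelta

# Constructed sample records. Field names follow the general shape of
# Unified Audit Log entries (Azure AD events carry ClientIP, Exchange
# events carry ClientIPAddress and a Parameters array for admin cmdlets).
SAMPLE_RECORDS = [
    {"CreationTime": "2022-08-20T09:12:03", "Operation": "User registered security info.",
     "UserId": "j.doe@example.com", "ClientIP": "203.0.113.7"},
    {"CreationTime": "2022-08-20T09:15:44", "Operation": "Set-Mailbox",
     "UserId": "admin@example.com",
     "Parameters": [{"Name": "Identity", "Value": "j.doe@example.com"},
                    {"Name": "AuditEnabled", "Value": "False"}]},
    {"CreationTime": "2022-08-20T10:01:10", "Operation": "MailItemsAccessed",
     "UserId": "j.doe@example.com", "ClientIPAddress": "198.51.100.23"},
    {"CreationTime": "2022-08-20T10:05:00", "Operation": "MailItemsAccessed",
     "UserId": "a.smith@example.com", "ClientIPAddress": "192.0.2.40"},
]

# Constructed directory data: last interactive sign-in per account (None = never).
LAST_SIGNIN = {"j.doe@example.com": None, "a.smith@example.com": datetime(2022, 8, 19)}

# Constructed baseline: address space this tenant's users normally come from.
KNOWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

NOW = datetime(2022, 8, 21)


def dormant_mfa_enrolments(records, last_signin, now, dormant_days=90):
    """Accounts that registered security info (MFA) having never signed in, or
    after more than dormant_days without a sign-in. An unknown account is
    treated as never signed in. A genuinely new hire looks the same, so this
    is a triage list, not a verdict."""
    hits = []
    for r in records:
        if "registered security info" not in r["Operation"].lower():
            continue
        last = last_signin.get(r["UserId"])
        if last is None or now - last > timedelta(days=dormant_days):
            hits.append((r["UserId"], r.get("ClientIP")))
    return hits


def audit_disabled_events(records):
    """Exchange admin operations that switch mailbox auditing off or bypass it,
    which is how the per-message access trail goes dark. Returns
    (actor, affected mailbox) pairs."""
    hits = []
    for r in records:
        params = {p["Name"]: p["Value"] for p in r.get("Parameters", [])}
        if r["Operation"] == "Set-Mailbox" and params.get("AuditEnabled") == "False":
            hits.append((r["UserId"], params.get("Identity")))
        elif (r["Operation"] == "Set-MailboxAuditBypassAssociation"
              and params.get("AuditBypassEnabled") == "True"):
            hits.append((r["UserId"], params.get("Identity")))
    return hits


def mail_access_from_new_networks(records, known_networks):
    """MailItemsAccessed events from outside the tenant's baseline networks.
    Deliberately no owner lookup: traffic from Azure VMs resolves to
    Microsoft-owned ranges, so "it is a Microsoft IP" is not evidence of
    legitimacy; only the tenant's own history is."""
    hits = []
    for r in records:
        if r["Operation"] != "MailItemsAccessed":
            continue
        ip = ipaddress.ip_address(r["ClientIPAddress"])
        if not any(ip in net for net in known_networks):
            hits.append((r["UserId"], str(ip)))
    return hits


def triage(records, last_signin, now, known_networks):
    """Correlate the three signals per account. An account hitting two or more
    matches the chain described above and goes to the top of the queue."""
    score = {}
    for user, _ in dormant_mfa_enrolments(records, last_signin, now):
        score[user] = score.get(user, 0) + 1
    for _, mailbox in audit_disabled_events(records):
        score[mailbox] = score.get(mailbox, 0) + 1
    for user, _ in mail_access_from_new_networks(records, known_networks):
        score[user] = score.get(user, 0) + 1
    return sorted(score.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    for account, signals in triage(SAMPLE_RECORDS, LAST_SIGNIN, NOW, KNOWN_NETWORKS):
        print(f"{account}: {signals} of 3 signals")
```

On the sample data only `j.doe@example.com` scores, with all three signals, while `a.smith@example.com` reads mail from a baseline network and is never listed. The baseline of known networks is the important input: the point of the Azure VM trick is that source-IP ownership stops being a useful signal, so the comparison has to be against what the tenant itself has seen before.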