Russian APT29 hackers abuse Azure services to hack Microsoft 365 users

The state-backed Russian cyberespionage group Cozy Bear has been particularly prolific in 2022, targeting Microsoft 365 accounts in NATO countries and attempting to access foreign policy information.

Microsoft 365 is a cloud-based productivity suite used predominantly by business and enterprise entities, providing collaboration, communication, data storage, email, office applications, and more.

Mandiant, which has been tracking the activities of Cozy Bear (aka APT29 and Nobelium), reports that the Russian hackers have been vigorously targeting Microsoft 365 accounts in espionage campaigns.

The researchers warn that the Russian group continues to demonstrate exceptional operational security to prevent analysts from discovering and exposing their attack methods.

In a report published today, Mandiant highlights some of APT29’s advanced tactics and some of their newest TTPs (tactics, techniques, and procedures).

Focusing on Microsoft 365

Microsoft 365 users on the higher-grade E5 license get a security feature named “Purview Audit” (formerly Advanced Audit). When enabled, this feature logs the user agent, IP address, timestamp, and username each time an email is accessed, regardless of the client used (Outlook, a browser, or the Graph API).

Stealthy intruders like APT29 would rather not have their movements traced and logged, so to evade auditing on compromised accounts the hackers disable Purview Audit for a targeted user before they even touch the mailbox.

“This is a critical log source to determine if a threat actor is accessing a particular mailbox, as well as to determine the scope of exposure,” warns Mandiant in an APT29 whitepaper.

“It is the only way to effectively determine access to a particular mailbox when the threat actor is using techniques like Application Impersonation or the Graph API.”
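The defender-side counterpart of the point above is to alert on the audit-reducing change itself, since mailbox access after it may never be logged. The following Python detector is an added example, not code from the article or from Mandiant; it uses a simplified form of the Microsoft 365 unified audit log record and constructed sample entries, and treats the Exchange Online cmdlets Set-Mailbox (AuditEnabled) and Set-MailboxAuditBypassAssociation as the indicators to watch, which is an assumption since the article does not say how Purview Audit was switched off.

```python
# Constructed sample records in a simplified form of Microsoft 365 unified
# audit log entries (real records carry many more fields). The first two
# entries show the pattern described in the article: mailbox auditing for
# one user is reduced, after which mail access would leave no trail.
SAMPLE_AUDIT_LOG = [
    {"CreationTime": "2022-08-18T09:12:03", "Operation": "Set-Mailbox",
     "UserId": "admin@example.test", "ObjectId": "jdoe@example.test",
     "ClientIP": "198.51.100.10",
     "Parameters": [{"Name": "Identity", "Value": "jdoe"},
                    {"Name": "AuditEnabled", "Value": "False"}]},
    {"CreationTime": "2022-08-18T09:15:47",
     "Operation": "Set-MailboxAuditBypassAssociation",
     "UserId": "admin@example.test", "ObjectId": "jdoe@example.test",
     "ClientIP": "198.51.100.10",
     "Parameters": [{"Name": "AuditBypassEnabled", "Value": "True"}]},
    {"CreationTime": "2022-08-18T10:01:00", "Operation": "Set-Mailbox",
     "UserId": "helpdesk@example.test", "ObjectId": "asmith@example.test",
     "ClientIP": "203.0.113.5",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "asmith@example.test"}]},
]

# Operation -> (parameter, value) pairs that reduce mailbox audit coverage.
# These cmdlets and parameters exist in Exchange Online; using them as the
# indicator for "Purview Audit disabled" is an assumption of this example.
AUDIT_TAMPER_RULES = {
    "Set-Mailbox": ("AuditEnabled", "false"),
    "Set-MailboxAuditBypassAssociation": ("AuditBypassEnabled", "true"),
}

def _param(record, name):
    """Return the lower-cased value of a named cmdlet parameter, or None."""
    for p in record.get("Parameters", []):
        if p.get("Name") == name:
            return str(p.get("Value", "")).lower()
    return None

def find_audit_tampering(records):
    """Return (time, actor, mailbox, operation) for every audit-reducing change."""
    hits = []
    for r in records:
        rule = AUDIT_TAMPER_RULES.get(r.get("Operation"))
        if rule and _param(r, rule[0]) == rule[1]:
            hits.append((r["CreationTime"], r["UserId"], r["ObjectId"], r["Operation"]))
    return sorted(hits)

def blind_spots(records):
    """Map each mailbox to the earliest time its audit trail was reduced;
    any mail access after that point may have produced no audit entry."""
    earliest = {}
    for when, _actor, mailbox, _op in find_audit_tampering(records):
        earliest[mailbox] = min(earliest.get(mailbox, when), when)
    return earliest
```

In practice the records would come from Search-UnifiedAuditLog or the Office 365 Management Activity API, and the start of each blind spot marks the point from which mailbox exposure has to be scoped by other means.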

Mandiant’s second interesting finding is that APT29 takes advantage of the self-enrollment process for multi-factor authentication (MFA) in Azure Active Directory (AD).

When users log in for the first time to a domain with self-enrollment policies, Windows prompts them to enroll the account in MFA.

[Image: Prompting a Windows domain user to enroll in MFA. Source: Microsoft]

The Russian hackers brute-forced the usernames and passwords of accounts that had never logged into the domain, and then enrolled their own devices in MFA for those accounts.

Activating MFA satisfies the security prerequisite for using the compromised organization’s VPN infrastructure, so APT29 is then free to roam the breached network.

Finally, Mandiant observed the threat group using Azure Virtual Machines, obtained through compromised accounts or purchased outright, to hide its tracks.

Azure VMs “contaminate” logs with Microsoft IP addresses, and since Microsoft 365 itself runs on Azure, it is hard for defenders to distinguish regular traffic from malicious activity.

APT29 further obfuscates its Azure AD admin activity by mixing malicious actions, such as backdooring services to collect email, with benign changes, such as adding Application Address URLs.

Russia’s spearhead

APT29 is one of Russia’s most skillful hacking groups, and Mandiant’s recent findings underscore its high level of preparation and deep knowledge of the functions of targeted software.

In January 2022, CrowdStrike discovered that APT29 had been bypassing MFA on O365 accounts for years by using stolen browser cookies to hijack valid sessions.

In May 2022, Mandiant uncovered a wave of phishing campaigns by the same group, targeting governments, embassies, and high-ranking officials across Europe.

In July 2022, Palo Alto Networks analysts revealed APT29 abusing the Google Drive and Dropbox cloud storage services to make malware deployment and data exfiltration harder to detect.
