Cozy Bear targets MS 365 environments with new tactics
The Russian intelligence-linked advanced persistent threat (APT) group tracked variously as Cozy Bear, APT29 or Nobelium, among other names, has adopted a range of new tactics, techniques and procedures (TTPs) targeting Microsoft 365 environments, according to new intelligence published by Mandiant.
Mandiant’s team said the group has been extremely prolific in recent months, notably in targeting organisations “responsible for influencing and crafting the foreign policy of Nato countries”. They said Cozy Bear’s persistence and aggressiveness was “indicative of…strict tasking by the Russian government”.
According to researcher Douglas Bienstock, one of Cozy Bear’s new TTPs involves disabling parts of its targets’ Microsoft 365 licences in order to obscure its targeting.
Microsoft uses a variety of licensing models to control user access to services across the 365 product suite. Some of these can dictate security and compliance settings within the Microsoft Purview Audit service.
Microsoft Purview Audit is a forensic and compliance investigation tool that is very troublesome for threat actors because it enables the Mail Items Accessed audit, which records and logs data such as user-agent strings, timestamps, IP addresses and users every time a mail item is accessed, and is a critical log source for security professionals to determine whether a particular mailbox has been compromised.
Bienstock said he had observed Cozy Bear disabling Purview Audit on targeted accounts within a compromised tenant in order to target the inbox for email collection.
“At this point, there is no logging available to the organisation to confirm which accounts the threat actor targeted for email collection and when,” said Bienstock in his write-up.
“Given APT29’s targeting and TTPs, Mandiant believes that email collection is the likely activity following disablement of Purview Audit.
“We have updated our whitepaper Remediation and hardening strategies for Microsoft 365 to include more details on this technique as well as detection and remediation advice. Additionally, we have updated the Azure AD Investigator with a new module to report on users with advanced auditing disabled.”
But this isn’t the only trick up Cozy Bear’s sleeve. Bienstock said his team has also started to observe the group attempting to take advantage of the self-enrolment process for multifactor authentication (MFA) within Azure Active Directory (and other platforms).
This technique exploits the fact that Azure AD’s default configuration lacks strict enforcement on new MFA enrolments, meaning that anyone with a valid username and password can access an account from any location and any device to enrol, as long as they are the first person to do so.
In one incident observed by the team, Cozy Bear brute-forced passwords against a list of mailboxes it had obtained, and was able to successfully crack the password to an account that had been set up but was unused. Because this account was lying dormant, Azure AD prompted the threat actor to enrol for MFA as the legitimate user, and this, in turn, gave it access to the target organisation’s VPN infrastructure, which was using Azure AD for authentication and MFA.
Bienstock said he recommended organisations ensure all active accounts have at least one MFA device enrolled and work with their providers to add further verification to the enrolment process.
Microsoft does have tools to this effect that are available to Azure AD customers, and these should be used to enforce stricter controls around who can set up MFA, such as requiring the user to be at a trusted location or on a trusted device, or requiring MFA to enrol in MFA, although this requires some jiggery-pokery with temporary access credentials to avoid a chicken-and-egg situation.
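The two hygiene checks the article recommends, reporting users with advanced auditing disabled and users with no MFA method enrolled, can be scripted from Microsoft Graph data. The following is an added example, not code from Mandiant or its Azure AD Investigator: it runs over constructed records shaped like Graph’s `userRegistrationDetails` and `licenseDetails` responses, and the service plan name `M365_ADVANCED_AUDITING` is an assumption about how Purview Audit (Premium) appears in licence data.

```python
"""Flag M365 accounts lacking MFA registration or Advanced Auditing.

Record shapes follow Microsoft Graph's userRegistrationDetails and
licenseDetails responses; every record below is constructed sample data.
"""

# Assumption: service plan name under which Purview Audit (Premium) is licensed.
ADVANCED_AUDIT_PLAN = "M365_ADVANCED_AUDITING"

# Constructed sample of /reports/authenticationMethods/userRegistrationDetails.
REGISTRATION = [
    {"userPrincipalName": "alice@example.com", "isMfaRegistered": True},
    {"userPrincipalName": "dormant@example.com", "isMfaRegistered": False},
    {"userPrincipalName": "bob@example.com", "isMfaRegistered": True},
]

# Constructed sample of /users/{id}/licenseDetails, keyed by UPN.
LICENSE_DETAILS = {
    "alice@example.com": [{"servicePlans": [
        {"servicePlanName": ADVANCED_AUDIT_PLAN, "provisioningStatus": "Success"}]}],
    "dormant@example.com": [{"servicePlans": [
        {"servicePlanName": ADVANCED_AUDIT_PLAN, "provisioningStatus": "Success"}]}],
    # Plan present but disabled on the licence: no Mail Items Accessed records.
    "bob@example.com": [{"servicePlans": [
        {"servicePlanName": ADVANCED_AUDIT_PLAN, "provisioningStatus": "Disabled"}]}],
    # No licence rows at all: also no premium audit log for this mailbox.
    "svc-mailbox@example.com": [],
}


def users_without_mfa(rows):
    """Accounts a first-come attacker could still enrol a factor on."""
    return sorted(r["userPrincipalName"] for r in rows if not r.get("isMfaRegistered"))


def users_with_audit_disabled(details):
    """Accounts where no licence successfully provisions the audit plan."""
    flagged = []
    for upn, licences in details.items():
        provisioned = any(
            p.get("servicePlanName") == ADVANCED_AUDIT_PLAN
            and p.get("provisioningStatus") == "Success"
            for lic in licences for p in lic.get("servicePlans", []))
        if not provisioned:
            flagged.append(upn)
    return sorted(flagged)


if __name__ == "__main__":
    print("No MFA registered:", users_without_mfa(REGISTRATION))
    print("Advanced auditing off:", users_with_audit_disabled(LICENSE_DETAILS))
```

In a live tenant the two dictionaries would be replaced by paged Graph calls; a licence change that moves an account into the second list is worth alerting on in its own right.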
In other areas, Cozy Bear continues to exhibit “exceptional opsec and evasion tactics”, such as operating from its own Azure virtual machines (VMs) that it has either purchased itself or compromised somehow, so that its activity now emanates from trusted Microsoft IP addresses and is less likely to raise red flags.
The group has also been observed mixing some benign admin actions among its malicious ones in order to confuse anybody who might be on its trail.
In one recent Mandiant investigation, Cozy Bear was found to have gained access to a global admin account in Azure AD and used it to backdoor a service principal to collect email from targeted mailboxes. It did this by adding a new key credential to the service principal, but in the process it also created a certificate with a common name (CN) matching the display name of the backdoored service principal, and added a new application address URL to it.
Bienstock said there was no need for Cozy Bear to have taken these final steps to facilitate its attack in any way. “This…demonstrates the extremely high level of preparation that APT29 takes and the extent to which they try to masquerade their actions as legitimate,” he said.