The Russian intelligence-linked superior persistent menace (APT) group tracked variously as Cozy Bear, APT29 or Nobelium, amongst different names, has adopted quite a lot of newer techniques, strategies and procedures (TTPs) concentrating on Microsoft 365 environments, in response to new intelligence revealed by Mandiant.
Mandiant’s crew mentioned the group has been extraordinarily prolific in latest months, significantly in concentrating on organisations “chargeable for influencing and crafting the overseas coverage of Nato international locations”. They mentioned Cozy Bear’s persistence and aggressiveness was “indicative of…strict tasking by the Russian authorities”.
In line with researcher Douglas Bienstock, certainly one of Cozy Bear’s new TTPs contains disabling components of its targets’ Microsoft 365 licences with the intention to obscure their concentrating on.
Microsoft makes use of quite a lot of licensing fashions to regulate person entry to companies inside the 365 product suite. A few of these can dictate safety and compliance settings inside the Microsoft Purview Audit service.
Microsoft Purview Audit is a forensic and compliance investigation instrument that could be very troublesome for menace actors as a result of it permits the Mail Gadgets Accessed audit, which information and logs information akin to user-agent strings, timestamps, IP addresses and customers every time a mail merchandise is accessed, and is a crucial log supply for safety execs to find out whether or not a specific mailbox has been compromised.
Bienstock mentioned he had noticed Cozy Bear disabling Purview Audit on focused accounts inside a compromised tenant with the intention to goal the inbox for e-mail assortment.
“At this level, there isn’t a logging accessible to the organisation to substantiate which accounts the menace actor focused for e-mail assortment and when,” mentioned Bienstock in his write-up.
“Given APT29’s concentrating on and TTPs, Mandiant believes that e-mail assortment is the most probably exercise following disablement of Purview Audit.
“We’ve got up to date our whitepaper Remediation and hardening methods for Microsoft 365 to incorporate extra particulars on this system in addition to detection and remediation recommendation. Moreover, now we have up to date the Azure AD Investigator with a brand new module to report on customers with superior auditing disabled.”
However this isn’t the one trick up Cozy Bear’s sleeve. Bienstock mentioned his crew has additionally began to look at the group making an attempt to make the most of the self-enrolment course of for multifactor authentication (MFA) inside Azure Energetic Listing (and different platforms).
This method exploits the truth that Azure AD’s default configuration lacks strict enforcement on new MFA enrolments – which means that anyone with a sound username and password can entry an account from any location and any gadget to enrol, so long as they’re the primary particular person to take action.
In a single incident noticed by the crew, Cozy Bear brute-forced passwords towards a listing of mailboxes that they had obtained, and have been capable of efficiently crack the password to an account that had been arrange however was unused. As a result of this account was mendacity dormant, Azure AD prompted the menace actor to enrol for MFA because the professional person, and this, in flip, gave them entry to the goal organisation’s VPN infrastructure that was utilizing Azure AD for authentication and MFA.
Bienstock mentioned he beneficial organisations to make sure all energetic accounts have not less than one MFA gadget enrolled and work with their suppliers so as to add additional verification to the enrolment course of.
Microsoft does have instruments to this impact which might be accessible to Azure AD customers, and these ought to be used to implement stricter controls round who can arrange MFA, akin to requiring the person to be at a trusted location or trusted gadget, or requiring MFA to enrol in MFA, though this requires some jiggery-pokery with momentary entry credentials to keep away from a chicken-and-egg scenario.
In different areas, Cozy Bear continues to exhibit “distinctive opsec and evasion techniques”, akin to working from its personal Azure digital machines (VMs) that it has both purchased itself or compromised in some way, in order that its exercise now emanates from trusted Microsoft IP addresses and is much less prone to elevate purple flags.
The group has additionally been noticed mixing some benign admin actions amongst its malicious ones with the intention to confuse anybody who could be on its path.
In a single latest Mandiant investigation, Cozy Bear was discovered to have gained entry to a worldwide admin account in Azure AD and used it to backdoor a service principal to gather e-mail from focused mailboxes. It did this by including a brand new key credential to the service principal, however within the course of it additionally created a certificates with a typical title (CN) matching the show title of the backdoored service principal, and added a brand new utility tackle URL to it.
Bienstock mentioned there was no want for Cozy Bear to have taken these ultimate steps to facilitate its assault in any means. “This…demonstrates the extraordinarily excessive stage of preparation that APT29 takes and the extent to which they attempt to masquerade their actions as professional,” he mentioned.