Cozy Bear targets MS 365 environments with new tactics

August 19, 2022

The Russian intelligence-linked advanced persistent threat (APT) group tracked variously as Cozy Bear, APT29 or Nobelium, among other names, has adopted a number of newer tactics, techniques and procedures (TTPs) targeting Microsoft 365 environments, according to new intelligence published by Mandiant.

Mandiant’s team said the group has been extremely prolific in recent months, particularly in targeting organisations “responsible for influencing and crafting the foreign policy of NATO countries”. They said Cozy Bear’s persistence and aggressiveness was “indicative of…strict tasking by the Russian government”.

According to researcher Douglas Bienstock, one of Cozy Bear’s new TTPs involves disabling parts of its targets’ Microsoft 365 licences in order to obscure their targeting.

Microsoft uses a number of licensing models to control user access to services within the 365 product suite. Some of these can dictate security and compliance settings within the Microsoft Purview Audit service.

Microsoft Purview Audit is a forensic and compliance investigation tool that is very troublesome for threat actors because it enables the Mail Items Accessed audit, which records and logs data such as user-agent strings, timestamps, IP addresses and users each time a mail item is accessed, and is a critical log source for security professionals to determine whether a particular mailbox has been compromised.

Bienstock said he had observed Cozy Bear disabling Purview Audit on targeted accounts within a compromised tenant in order to target the inbox for email collection.

“At this point, there is no logging available to the organisation to confirm which accounts the threat actor targeted for email collection and when,” said Bienstock in his write-up.

“Given APT29’s targeting and TTPs, Mandiant believes that email collection is the most likely activity following disablement of Purview Audit.

“We have updated our whitepaper Remediation and hardening strategies for Microsoft 365 to include additional details on this technique as well as detection and remediation advice. Additionally, we have updated the Azure AD Investigator with a new module to report on users with advanced auditing disabled.”

But this is not the only trick up Cozy Bear’s sleeve. Bienstock said his team has also started to observe the group attempting to take advantage of the self-enrolment process for multifactor authentication (MFA) within Azure Active Directory (and other platforms).

This technique exploits the fact that Azure AD’s default configuration lacks strict enforcement on new MFA enrolments – meaning that anyone with a valid username and password can access an account from any location and any device to enrol, as long as they are the first person to do so.

In one incident observed by the team, Cozy Bear brute-forced passwords against a list of mailboxes it had obtained, and was able to successfully crack the password to an account that had been set up but was unused. Because this account was lying dormant, Azure AD prompted the threat actor to enrol for MFA as the legitimate user, and this, in turn, gave them access to the target organisation’s VPN infrastructure, which was using Azure AD for authentication and MFA.

Bienstock said he recommended that organisations ensure all active accounts have at least one MFA device enrolled, and work with their providers to add further verification to the enrolment process.

Microsoft does have tools to this effect that are available to Azure AD customers, and these should be used to enforce stricter controls around who can set up MFA, such as requiring the user to be at a trusted location or on a trusted device, or requiring MFA to enrol in MFA, although this requires some jiggery-pokery with temporary access credentials to avoid a chicken-and-egg situation.

In other areas, Cozy Bear continues to exhibit “exceptional opsec and evasion tactics”, such as operating from its own Azure virtual machines (VMs) that it has either bought itself or compromised in some way, so that its activity now emanates from trusted Microsoft IP addresses and is less likely to raise red flags.

The group has also been observed mixing some benign admin actions among its malicious ones in order to confuse anyone who might be on its trail.

In one recent Mandiant investigation, Cozy Bear was found to have gained access to a global admin account in Azure AD and used it to backdoor a service principal to collect email from targeted mailboxes. It did this by adding a new key credential to the service principal, but in the process it also created a certificate with a common name (CN) matching the display name of the backdoored service principal, and added a new application address URL to it.

Bienstock said there was no need for Cozy Bear to have taken these final steps to facilitate its attack in any way. “This…demonstrates the extremely high level of preparation that APT29 takes and the extent to which they try to masquerade their actions as legitimate,” he said.
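The three behaviours described in this article (removing the auditing licence plan from targeted users, first-time MFA enrolment on a dormant account, and a new key credential added to a service principal) can all be triaged from tenant audit records. The following is an added example, not Mandiant's Azure AD Investigator or Microsoft's export format; the record shape, the activity names, the service plan name and the sample data are constructed assumptions.

```python
# Added example: triage simplified audit records for the three TTPs above.
from datetime import datetime, timedelta, timezone

# Activity names modelled on Azure AD audit log categories (assumed).
LICENSE_CHANGE = "Change user license"
MFA_REGISTERED = "User registered security info"
SP_CREDENTIAL_ADDED = "Add service principal credentials"
# Service plan assumed to carry the Mail Items Accessed audit feature.
AUDIT_PLANS = {"Microsoft 365 Advanced Auditing"}
DORMANT_AFTER = timedelta(days=90)  # no sign-in for this long = dormant

# Constructed sample records: (timestamp, activity, actor, target, detail).
SAMPLE_RECORDS = [
    ("2022-08-01T09:12:00Z", LICENSE_CHANGE, "admin@example.test",
     "cfo@example.test", {"removed_plans": ["Microsoft 365 Advanced Auditing"]}),
    ("2022-08-01T09:20:00Z", MFA_REGISTERED, "svc-old@example.test",
     "svc-old@example.test", {"method": "Authenticator"}),
    ("2022-08-01T09:25:00Z", MFA_REGISTERED, "alice@example.test",
     "alice@example.test", {"method": "Authenticator"}),
    ("2022-08-01T10:02:00Z", SP_CREDENTIAL_ADDED, "admin@example.test",
     "mail-sync-app", {"credential_type": "KeyCredential"}),
    ("2022-08-01T10:05:00Z", LICENSE_CHANGE, "admin@example.test",
     "bob@example.test", {"removed_plans": ["Power BI Pro"]}),
]
# Constructed last interactive sign-in per user (None = never signed in).
LAST_SIGN_IN = {"svc-old@example.test": None,
                "alice@example.test": "2022-07-30T08:00:00Z"}

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def triage(records, last_sign_in):
    """Return (finding, target, actor) tuples for records matching a TTP."""
    findings = []
    for ts, activity, actor, target, detail in records:
        if activity == LICENSE_CHANGE:
            # Removing the auditing plan silences Mail Items Accessed logging.
            if AUDIT_PLANS & set(detail.get("removed_plans", [])):
                findings.append(("audit_plan_removed", target, actor))
        elif activity == MFA_REGISTERED:
            # First MFA enrolment on a never-used or long-dormant account.
            last = last_sign_in.get(target)
            if last is None or _parse(ts) - _parse(last) > DORMANT_AFTER:
                findings.append(("mfa_enrolled_on_dormant_account", target, actor))
        elif activity == SP_CREDENTIAL_ADDED:
            # A new key credential on a service principal is a possible backdoor.
            if detail.get("credential_type") == "KeyCredential":
                findings.append(("service_principal_key_added", target, actor))
    return findings
```

Each finding pairs the affected target with the actor that made the change, which is the starting point for checking whether the global admin account used was itself compromised.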
