The Russian state-backed group believed to be behind the SolarWinds supply-chain compromise is abusing administrative features of Microsoft 365, rather than software vulnerabilities, to go after US and NATO-affiliated organizations, according to threat intelligence firm Mandiant.
APT29, also known as Cozy Bear, is said by the cybersecurity firm to be “using new tactics and aggressively targeting Microsoft 365” in attacks that “demonstrate exceptional operational security and evasion.”
Mandiant says that APT29 has spent this year focusing on “organizations responsible for influencing and crafting the foreign policy of NATO countries.”
"APT29 is using administrative features in Microsoft 365 and using them to their advantage,” it said. “They are primarily interested in gaining highly privileged access to Microsoft 365 tenants and using that access to collect mail and files from users of interest in the targeted organization."
“This has included multiple instances where APT29 revisited victims they had compromised years or months beforehand,” it added. “This persistence and aggressiveness are indicative of sustained interest in this information and strict tasking by the Russian government.”
Mandiant has been tracking Cozy Bear since 2014 and assesses that it is run by Russia’s foreign intelligence service, the SVR, and that the group was behind the SolarWinds supply-chain compromise that hit US government agencies in 2020.
Cozy Bear has been observed disabling the Purview Audit (Premium) license on individual mailboxes it wants to read. At the time of Mandiant’s report that license tier gated the MailItemsAccessed audit event, the record that shows which mail items were read and from where, so removing it blinds the defender to mailbox reads while the rest of the tenant’s logging continues as normal.
“This license is a critical log source to determine if a threat actor is accessing a particular mailbox, as well as to determine the scope of exposure,” said Mandiant. “By gaining access and disabling this license, APT29 can essentially cover up any trace of them being in there.”
Mandiant said it had observed APT29 removing the license from accounts inside a compromised organization and then collecting mail from those mailboxes.
“Once disabled, they begin targeting the inbox for email collection,” it added. “At this point, there is no logging available to the organization to confirm which accounts the threat actor targeted for email collection and when.”
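One way to hunt for this in your own tenant is to search the Unified Audit Log for license changes that drop the Purview Audit (Premium) plan from a user, then check whether MailItemsAccessed events for that mailbox stop while non-owner logons continue. The script below is an added example, not Mandiant’s or Microsoft’s code; SAMPLE_RECORDS are constructed to resemble rows returned by Search-UnifiedAuditLog, and the service-plan name M365_ADVANCED_AUDITING and the string form of the AssignedLicense values are assumptions that you should check against a real export from your tenant.

```python
"""Detect removal of the Purview Audit (Premium) licence from a mailbox in a
Unified Audit Log export and check whether MailItemsAccessed logging for that
mailbox went quiet while non-owner logons continued.

Added example; not Mandiant's or Microsoft's code. SAMPLE_RECORDS are
constructed to resemble Search-UnifiedAuditLog rows (CreationDate, UserIds,
Operations, AuditData as a JSON string). The plan name and the shape of the
AssignedLicense values are assumptions.
"""
import json
from datetime import datetime, timezone

# Assumed name of the service plan that carries Purview Audit (Premium).
ADVANCED_AUDIT_PLAN = "M365_ADVANCED_AUDITING"
# Exchange mailbox audit LogonType: 0 = owner, 1 = admin, 2 = delegate.
NON_OWNER_LOGON_TYPES = {1, 2}


def _ts(text):
    """UAL timestamps are UTC without an offset; make them timezone-aware."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def parse_records(rows):
    """Parse the AuditData JSON blob of each row and sort the rows by time."""
    parsed = [{
        "time": _ts(row["CreationDate"]),
        "op": row["Operations"],
        "actor": row["UserIds"],
        "data": json.loads(row["AuditData"]),
    } for row in rows]
    return sorted(parsed, key=lambda r: r["time"])


def _disabled_in(value):
    """True if the plan name appears after the DisabledPlans marker of a licence value."""
    _, _, tail = value.partition("DisabledPlans")
    return ADVANCED_AUDIT_PLAN in tail


def audit_plan_removals(records):
    """Yield (time, actor, target UPN) for licence changes that switch the plan off.

    Two shapes are treated as a removal: the plan is newly listed under
    DisabledPlans, or it was named in the old value and is absent from the new one.
    """
    for r in records:
        if r["op"] != "Change user license.":
            continue
        for prop in r["data"].get("ModifiedProperties", []):
            if prop.get("Name") != "AssignedLicense":
                continue
            old, new = prop.get("OldValue", ""), prop.get("NewValue", "")
            newly_disabled = _disabled_in(new) and not _disabled_in(old)
            removed = ADVANCED_AUDIT_PLAN in old and ADVANCED_AUDIT_PLAN not in new
            if newly_disabled or removed:
                yield r["time"], r["actor"], r["data"].get("ObjectId")


def mailbox_activity(records, mailbox, since):
    """Count MailItemsAccessed before/after `since` and non-owner MailboxLogin after it."""
    before = after = non_owner_after = 0
    for r in records:
        d = r["data"]
        if d.get("MailboxOwnerUPN") != mailbox:
            continue
        if r["op"] == "MailItemsAccessed":
            if r["time"] < since:
                before += 1
            else:
                after += 1
        elif (r["op"] == "MailboxLogin" and r["time"] >= since
              and d.get("LogonType") in NON_OWNER_LOGON_TYPES):
            non_owner_after += 1
    return before, after, non_owner_after


def triage(rows):
    """Return one finding per licence removal, flagging the blind spot Mandiant describes:
    mailbox reads no longer logged although someone other than the owner logged on."""
    records = parse_records(rows)
    findings = []
    for when, actor, mailbox in audit_plan_removals(records):
        before, after, non_owner = mailbox_activity(records, mailbox, when)
        findings.append({
            "mailbox": mailbox, "actor": actor, "when": when.isoformat(),
            "mail_items_accessed_before": before,
            "mail_items_accessed_after": after,
            "non_owner_logons_after": non_owner,
            "blind_spot": after == 0 and non_owner > 0,
        })
    return findings


# Constructed sample: owner reads mail, an admin account strips the audit plan,
# then that admin opens the mailbox and no MailItemsAccessed event follows.
SAMPLE_RECORDS = [
    {"CreationDate": "2022-08-01T09:00:00", "UserIds": "alice@example.org",
     "Operations": "MailItemsAccessed",
     "AuditData": json.dumps({"Operation": "MailItemsAccessed", "Workload": "Exchange",
                              "MailboxOwnerUPN": "alice@example.org", "LogonType": 0})},
    {"CreationDate": "2022-08-01T10:00:00", "UserIds": "it-admin@example.org",
     "Operations": "Change user license.",
     "AuditData": json.dumps({"Operation": "Change user license.",
                              "Workload": "AzureActiveDirectory", "ObjectId": "alice@example.org",
                              "ModifiedProperties": [{"Name": "AssignedLicense",
                                  "OldValue": "[SkuName=ENTERPRISEPREMIUM;DisabledPlans=[]]",
                                  "NewValue": "[SkuName=ENTERPRISEPREMIUM;DisabledPlans=[M365_ADVANCED_AUDITING]]"}]})},
    {"CreationDate": "2022-08-01T11:00:00", "UserIds": "it-admin@example.org",
     "Operations": "MailboxLogin",
     "AuditData": json.dumps({"Operation": "MailboxLogin", "Workload": "Exchange",
                              "MailboxOwnerUPN": "alice@example.org", "LogonType": 1})},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f)
```

The license change itself is logged by Azure AD even though the mailbox read is not, which is why the hunt pivots on the Change user license. event rather than on Exchange data. Alert on any removal of the plan that is not tied to a change ticket, and treat a mailbox with non-owner logons but zero MailItemsAccessed events after the change as exposed.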
Another tactic Cozy Bear has adopted combines password guessing with abuse of the multifactor authentication (MFA) self-enrollment process in Azure Active Directory, the identity service behind Microsoft 365 and Azure.
“When an organization first enforces MFA, most platforms allow users to enroll their first device at the next login,” said Mandiant. “In Azure’s default configuration, there are no additional enforcements on the enrollment process. In other words, anyone with knowledge of the username and password can access the account from any location and device to enroll MFA, so long as they are the first person to do it.”
In one case, APT29 guessed the password of an account that had been set up but never used, enrolled its own device for MFA on it, and then used the account to reach another target organization’s virtual private network (VPN) infrastructure.
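The signal that betrays this technique is a security-info registration on an account whose only successful sign-in is the enrollment session itself, often preceded by a run of bad-password attempts and coming from an address outside the organization. The script below is an added example, not Mandiant’s or Microsoft’s code; SIGNINS and AUDITS are constructed to resemble flattened Entra ID (Azure AD) sign-in and directory audit log exports, the field names are trimmed from the Graph objects, and TRUSTED_NETS is an assumed corporate egress range.

```python
"""Flag MFA self-enrollments that fit the pattern described above: a password
is guessed for an account nobody has used and the attacker is the first to
register an MFA method on it.

Added example; not Mandiant's or Microsoft's code. SIGNINS and AUDITS are
constructed, flattened versions of Entra ID sign-in and directory audit
records; TRUSTED_NETS is an assumption.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed corporate egress range
DORMANT_WINDOW = timedelta(minutes=30)   # sign-ins closer than this are the enrollment session itself
LOOKBACK = timedelta(hours=24)           # window in which to count bad-password attempts
REGISTRATION_EVENT = "User registered security info"   # Entra ID directory audit activity name
ERR_BAD_PASSWORD = 50126                 # AADSTS50126: invalid username or password


def _ts(text):
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def _trusted(ip, nets):
    return any(ipaddress.ip_address(ip) in net for net in nets)


def suspicious_registrations(signins, audits, trusted=TRUSTED_NETS):
    """Return findings for security-info registrations that look attacker-driven.

    A registration is reported when any of these hold: no successful sign-in on
    the account exists before the enrollment session; bad-password attempts
    precede it within LOOKBACK; or the registering address is untrusted.
    """
    findings = []
    for ev in audits:
        if ev["activityDisplayName"] != REGISTRATION_EVENT:
            continue
        user, when, ip = ev["targetUser"], _ts(ev["activityDateTime"]), ev["ipAddress"]
        history = [s for s in signins
                   if s["userPrincipalName"] == user and _ts(s["createdDateTime"]) < when]
        earlier_success = [s for s in history if s["errorCode"] == 0
                           and when - _ts(s["createdDateTime"]) > DORMANT_WINDOW]
        guesses = sum(1 for s in history if s["errorCode"] == ERR_BAD_PASSWORD
                      and when - _ts(s["createdDateTime"]) <= LOOKBACK)
        reasons = []
        if not earlier_success:
            reasons.append("first successful sign-in on this account is the enrollment session itself")
        if guesses:
            reasons.append(f"{guesses} bad-password attempts in the preceding 24h")
        if not _trusted(ip, trusted):
            reasons.append(f"enrolled from untrusted address {ip}")
        if reasons:
            findings.append({"user": user, "time": when.isoformat(), "ip": ip, "reasons": reasons})
    return findings


# Constructed sample: alice is a long-standing user re-registering from the office;
# svc-vpn has never signed in, takes three bad guesses, then is enrolled from outside.
SIGNINS = [
    {"userPrincipalName": "alice@example.org", "createdDateTime": "2022-07-15T08:00:00",
     "ipAddress": "203.0.113.10", "errorCode": 0},
    {"userPrincipalName": "alice@example.org", "createdDateTime": "2022-08-02T08:55:00",
     "ipAddress": "203.0.113.10", "errorCode": 0},
    {"userPrincipalName": "svc-vpn@example.org", "createdDateTime": "2022-08-02T02:10:00",
     "ipAddress": "198.51.100.7", "errorCode": 50126},
    {"userPrincipalName": "svc-vpn@example.org", "createdDateTime": "2022-08-02T02:11:00",
     "ipAddress": "198.51.100.7", "errorCode": 50126},
    {"userPrincipalName": "svc-vpn@example.org", "createdDateTime": "2022-08-02T02:12:00",
     "ipAddress": "198.51.100.7", "errorCode": 50126},
    {"userPrincipalName": "svc-vpn@example.org", "createdDateTime": "2022-08-02T02:58:00",
     "ipAddress": "198.51.100.7", "errorCode": 0},
]
AUDITS = [
    {"activityDisplayName": REGISTRATION_EVENT, "activityDateTime": "2022-08-02T09:00:00",
     "targetUser": "alice@example.org", "ipAddress": "203.0.113.10"},
    {"activityDisplayName": REGISTRATION_EVENT, "activityDateTime": "2022-08-02T03:00:00",
     "targetUser": "svc-vpn@example.org", "ipAddress": "198.51.100.7"},
]

if __name__ == "__main__":
    for f in suspicious_registrations(SIGNINS, AUDITS):
        print(f)
```

The dormant-account test on its own will also fire for genuine first-day onboarding, so the other two signals are what lift a finding to an incident. The preventive control is a Conditional Access policy scoped to the "Register security information" user action that only allows enrollment from a trusted location or a compliant device, which is exactly the enforcement Mandiant notes is missing from the default configuration.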
A bear that’s hard to hunt
Cozy Bear is also hard to trace at the network layer. It routes its access through residential proxies, so that traffic into a victim arrives from consumer ISP addresses, and more recently through Azure Virtual Machines, whose Microsoft-owned IP addresses are even less likely to draw attention.
“The virtual machines used by APT29 exist in Azure subscriptions outside of the victim organization,” said Mandiant, adding that it did not know if these were compromised or simply purchased by the threat group. “Sourcing their last-mile access from trusted Microsoft IP addresses reduces the likelihood of detection.”
Microsoft-owned address ranges carry traffic for countless legitimate services, so a sign-in from one of them is hard to distinguish from routine Microsoft activity without further context, such as which subscription the virtual machine belongs to.
“It also appears that Microsoft-owned IP addresses greatly reduce the risk of detection by Microsoft’s risky sign-in and user reports,” it added.
Mandiant warns that Cozy Bear will continue “to develop its technical tradecraft and dedication [...] to access Microsoft 365 in novel and stealthy ways.”