Russian hacker group Cozy Bear, aka APT29, has added several new TTPs to continue its attacks against Microsoft Office 365 users. The attackers have primarily focused on updating their evasion techniques to maintain persistence in victims’ systems.

Here’s a look at the new TTPs as found by Mandiant:

Disabling licenses

  • The APT29 actors have found a way to disable Purview Audit (formerly known as Advanced Audit), a feature available with E5 licenses and certain add-ons of Microsoft Office 365.
  • Purview Audit is a critical feature as it enables the Mail Items Accessed audit that records the user-agent string, timestamp, and IP address of each user. 
  • Once the feature is disabled on targeted accounts, the attackers can look for sensitive items in the email inbox.

Bypassing MFA over dormant accounts

  • In one instance, the researchers found that the attackers had conducted a password guessing attack against a list of accounts that were dormant.
  • Because the accounts were dormant, Azure Active Directory (AD) prompted APT29 to enroll in MFA. 
  • Once enrolled, APT29 was able to use the account to access the organization’s VPN infrastructure that was using Azure AD for authentication and MFA.
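A defender-side check for the dormant-account pattern described above, as an added example that is not from Mandiant or the original article: it flags MFA enrollments that closely follow a long idle period on an account. The event tuples, account names, IP addresses and both thresholds are constructed assumptions, not the Azure AD log schema.

```python
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=90)   # assumed dormancy threshold
ENROLL_WINDOW = timedelta(hours=24)  # assumed max gap between wake-up and enrollment

# Constructed sample data; field layout is hypothetical, not the Azure AD log schema.
# BASELINE: last activity known before the log window (creation time if never used).
BASELINE = {
    "alice": "2022-07-25T09:00:00",
    "newhire": "2022-08-01T09:00:00",
    "svc-old": "2021-11-02T02:00:00",
}
EVENTS = [  # (timestamp, user, event type, source IP)
    ("2022-08-03T02:04:00", "svc-old", "mfa_register", "203.0.113.50"),
    ("2022-08-01T10:00:00", "newhire", "signin", "192.0.2.10"),
    ("2022-08-01T10:05:00", "newhire", "mfa_register", "192.0.2.10"),
    ("2022-08-02T08:00:00", "alice", "signin", "192.0.2.20"),
    ("2022-08-02T08:10:00", "alice", "mfa_register", "192.0.2.20"),
    ("2022-08-03T02:00:00", "svc-old", "signin", "203.0.113.50"),
]


def flag_dormant_mfa_enrollments(events, baseline):
    """Return MFA enrollments made shortly after an account woke from dormancy."""
    last_seen = {u: datetime.fromisoformat(t) for u, t in baseline.items()}
    woke = {}    # user -> (wake-up time, idle period that preceded it)
    alerts = []
    for ts, user, kind, ip in sorted(events):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        idle = when - last_seen.get(user, when)
        if idle > DORMANT_AFTER:
            # The sign-in that precedes enrollment is the intruder's own, so
            # dormancy is measured at the first event after the idle period.
            woke[user] = (when, idle)
        if kind == "mfa_register" and user in woke:
            woke_at, gap = woke[user]
            if when - woke_at <= ENROLL_WINDOW:
                alerts.append({"user": user, "time": ts, "ip": ip,
                               "idle_days": gap.days})
        last_seen[user] = when
    return alerts


if __name__ == "__main__":
    for alert in flag_dormant_mfa_enrollments(EVENTS, BASELINE):
        print(alert)
```

Only the long-idle account is reported; the new hire's first-day enrollment and the active user's re-registration are not.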

Relying on Azure virtual machines

  • In addition to using residential proxies, APT29 has also turned to Azure Virtual Machines to obfuscate its malicious activities.
  • The virtual machines used by the threat actor exist in Azure subscriptions outside of the victim organization. 
  • Furthermore, the threat actors are also using compromised administrator accounts in Azure AD to deliver a backdoor onto targeted systems. The backdoor could collect emails from targeted mailboxes in the tenant.
 

Noteworthy point

The Russia-based threat group has become adept at quickly incorporating new tactics into its kit. Last month, APT29, also known as Nobelium or Cozy Bear, evolved to use legitimate cloud storage services such as Dropbox and Google Drive to target its victims. This enabled it to stay under the radar while infecting systems.

What does this indicate?

Researchers explain that APT29 will keep pace with the development of techniques and tactics to access Microsoft 365 accounts in novel and stealthy ways. Additionally, the attackers are in the process of developing their technical tradecraft to expand operations. Therefore, organizations must take the necessary mitigation measures to defend themselves against incoming cyber threats.
Cyware Publisher
