Microsoft Cloud Services Are Vulnerable To Nefarious Cozy Bear MFA Hacking Campaign

A new report by cybersecurity firm Mandiant details an ongoing hacking campaign targeting Microsoft 365. The threat actor behind this campaign is an advanced persistent threat (APT) known as “Cozy Bear” or simply “APT29.” APT29 is thought to be a Russian hacking group sponsored by the Russian Foreign Intelligence Service (SVR). Mandiant has linked this group to the staggering SolarWinds hack of 2020, as well as many other cyberattacks on US and NATO strategic interests. APT29 has also carried out multiple attacks on these same targets at the behest of the Russian government.

Mandiant has continued to track APT29’s behavior, which includes employing different methods to access the Microsoft 365 accounts of its targets. The cybersecurity firm has recently observed a new tactic leveraged by APT29 to bypass multi-factor authentication (MFA). This technique exploits the MFA self-enrollment process built into Microsoft’s enterprise identity service, Azure Active Directory, as well as similar platforms.

Microsoft’s Vancouver Office

Organizations can use platforms like Azure Active Directory to roll out organization-wide MFA using a self-enrollment process. Once an organization enables MFA, its users are prompted on the next login to set up MFA on at least one device. While MFA functions as an important extra layer of security, it doesn’t do any good until the set-up process is completed. APT29 and other threat actors have discovered that they can hijack accounts before users finish the MFA self-enrollment process.

According to Mandiant, APT29 carried out an attack against an organization that involved guessing the password of an account that was created but never used. Since no one had ever logged into the account, the account wasn’t protected by MFA. Once APT29 gained access to the account, the threat actor completed the MFA self-enrollment process and used the account to connect to the organization’s VPN.

Organizations can try to prevent this form of unauthorized access by ensuring that there aren’t any dormant accounts unprotected by MFA. System administrators can and often should implement policies to automatically deactivate accounts after a certain period of inactivity. Organizations can also require that users acquire a temporary access pass from the help desk to complete the MFA self-enrollment process.
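As an added example, not taken from Mandiant’s report or from any Microsoft tooling, the following Python script performs the dormant-account audit described above. It runs over a constructed user export whose field names are assumed to mirror the Microsoft Graph registration-details and sign-in-activity reports, and flags enabled accounts that have no MFA method registered and have either never signed in or have been idle beyond a threshold, so they can be disabled or gated behind a temporary access pass.

```python
"""Audit a user export for dormant accounts that never completed MFA enrollment."""
from datetime import datetime, timedelta, timezone

# Constructed sample export (assumed field names modelled on Microsoft Graph's
# userRegistrationDetails and signInActivity reports): one account created but
# never used, one un-enrolled and idle, one un-enrolled but active, one healthy.
SAMPLE_USERS = [
    {"userPrincipalName": "new.hire@example.com", "isMfaRegistered": False,
     "accountEnabled": True, "lastSignInDateTime": None},
    {"userPrincipalName": "contractor@example.com", "isMfaRegistered": False,
     "accountEnabled": True, "lastSignInDateTime": "2022-03-01T09:15:00Z"},
    {"userPrincipalName": "analyst@example.com", "isMfaRegistered": False,
     "accountEnabled": True, "lastSignInDateTime": "2022-08-10T08:00:00Z"},
    {"userPrincipalName": "admin@example.com", "isMfaRegistered": True,
     "accountEnabled": True, "lastSignInDateTime": "2022-08-11T07:30:00Z"},
]


def _parse(ts):
    # Timestamps are ISO 8601 with a trailing Z; None means the account never signed in.
    return None if ts is None else datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_unenrolled_dormant(users, now, max_idle_days=30):
    """Return (upn, reason) pairs for enabled accounts with no MFA registered
    that have never signed in or have been idle longer than max_idle_days."""
    findings = []
    cutoff = now - timedelta(days=max_idle_days)
    for u in users:
        if not u["accountEnabled"] or u["isMfaRegistered"]:
            continue  # disabled accounts and enrolled users are out of scope
        last = _parse(u["lastSignInDateTime"])
        if last is None:
            findings.append((u["userPrincipalName"], "never signed in, MFA not enrolled"))
        elif last < cutoff:
            idle = (now - last).days
            findings.append((u["userPrincipalName"], f"idle {idle} days, MFA not enrolled"))
    return findings


if __name__ == "__main__":
    audit_time = datetime(2022, 8, 12, tzinfo=timezone.utc)
    for upn, reason in find_unenrolled_dormant(SAMPLE_USERS, audit_time):
        print(f"disable or require a temporary access pass: {upn} ({reason})")
```

In a real tenant the same logic would be fed by the live registration and sign-in reports rather than the embedded sample.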