Cozy Bear APT upgrades its TTPs to target MS 365 users

September 1, 2022
Cozy Bear APT TTP MS365 Microsoft

The Russian state-sponsored group Cozy Bear (APT29) has refined its tactics, techniques, and procedures (TTPs) to keep targeting Microsoft 365 users. The group's recent changes focus on evading detection and maintaining persistent access to the tenants and mailboxes it compromises.

APT29 operators have found a way to disable Purview Audit, the advanced auditing capability that comes with Microsoft 365 E5 licences and E5 add-ons, on targeted accounts. Purview Audit matters to defenders because it enables the MailItemsAccessed audit event, which records the user, timestamp, client IP address, and user-agent string each time a mail item is accessed.

With the feature disabled on a targeted account, the attackers can search that mailbox for sensitive material without leaving MailItemsAccessed records for investigators to find.

Alongside the audit evasion, the group's operators have adopted several other evasive techniques.
Another technique is abusing MFA self-enrollment on dormant accounts. In one case, researchers observed the group running a password-guessing campaign against a list of mailboxes that had shown no activity for an extended period.

Because those accounts had never enrolled in MFA, Azure Active Directory's self-service enrollment let APT29 register its own authentication method once a password was guessed. The group then used the account to reach the organisation's VPN infrastructure, which relied on Azure AD for MFA.
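The two detections a defender would want for the techniques described above (the audit downgrade on a targeted account and the MFA self-enrollment on a dormant one), as an added example written for this article rather than code from the original page or from the researchers. It scans simplified, constructed Unified Audit Log style records for (1) a licence change that strips the Advanced Auditing service plan from a user, which is one way Purview Audit can end up turned off for an account, and (2) a security-info (MFA) registration on an account with no sign-in in the previous 90 days. The service plan name M365_ADVANCED_AUDITING, the flattened AssignedLicense string format, and the record field names are assumptions used for illustration; all records, user names and IP addresses are constructed.

```python
"""Detect Purview Audit downgrades and dormant-account MFA enrollment.

Added example (not from the original article or the researchers). Records
are constructed and simplified; real Unified Audit Log records nest
ModifiedProperties differently, so adapt the parsing before using it.
"""
from __future__ import annotations

from datetime import datetime, timedelta

# Service plan behind Purview Audit (Premium). Assumed name for illustration;
# verify against the tenant's licence data before relying on it.
ADVANCED_AUDIT_PLAN = "M365_ADVANCED_AUDITING"

# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"CreationTime": "2022-06-01T09:15:00", "Operation": "UserLoggedIn",
     "UserId": "alice@corp.example", "ClientIP": "198.51.100.20"},
    # An admin strips Advanced Auditing from alice's E5 licence at 02:10.
    {"CreationTime": "2022-08-10T02:10:00", "Operation": "Change user license.",
     "UserId": "admin@corp.example", "ObjectId": "alice@corp.example",
     "ModifiedProperties": [{"Name": "AssignedLicense",
                             "OldValue": "SPE_E5 (DisabledPlans=)",
                             "NewValue": "SPE_E5 (DisabledPlans=M365_ADVANCED_AUDITING)"}]},
    # Dormant service account: last sign-in in 2021, MFA registered in 2022.
    {"CreationTime": "2021-11-03T08:00:00", "Operation": "UserLoggedIn",
     "UserId": "svc-legacy@corp.example", "ClientIP": "198.51.100.21"},
    {"CreationTime": "2022-08-12T03:41:00", "Operation": "User registered security info.",
     "UserId": "svc-legacy@corp.example", "ObjectId": "svc-legacy@corp.example"},
    {"CreationTime": "2022-08-12T03:55:00", "Operation": "UserLoggedIn",
     "UserId": "svc-legacy@corp.example", "ClientIP": "203.0.113.7"},
    # Benign: an active user adds a new authenticator the day after signing in.
    {"CreationTime": "2022-08-11T10:00:00", "Operation": "UserLoggedIn",
     "UserId": "bob@corp.example", "ClientIP": "198.51.100.22"},
    {"CreationTime": "2022-08-12T10:05:00", "Operation": "User registered security info.",
     "UserId": "bob@corp.example", "ObjectId": "bob@corp.example"},
]


def _ts(rec: dict) -> datetime:
    return datetime.fromisoformat(rec["CreationTime"])


def _disabled_plans(value: str) -> set[str]:
    """Pull the DisabledPlans list out of the simplified AssignedLicense string."""
    marker = "DisabledPlans="
    if marker not in value:
        return set()
    inner = value.split(marker, 1)[1].rstrip(")")
    return {p.strip() for p in inner.split(",") if p.strip()}


def find_audit_downgrades(records: list[dict]) -> list[dict]:
    """Licence changes that newly disable the Advanced Auditing plan for a user."""
    hits = []
    for rec in records:
        if rec.get("Operation") != "Change user license.":
            continue
        for prop in rec.get("ModifiedProperties", []):
            if prop.get("Name") != "AssignedLicense":
                continue
            before = _disabled_plans(prop.get("OldValue", ""))
            after = _disabled_plans(prop.get("NewValue", ""))
            if ADVANCED_AUDIT_PLAN in after - before:
                hits.append({"target": rec["ObjectId"], "actor": rec["UserId"],
                             "time": rec["CreationTime"]})
    return hits


def find_dormant_mfa_enrollments(records: list[dict], dormant_days: int = 90) -> list[dict]:
    """MFA security-info registrations on accounts with no sign-in in `dormant_days`.

    An account that has never signed in before registering MFA is flagged too:
    a first-ever sign-in paired with immediate enrollment is the self-enrollment
    pattern described in the article.
    """
    logins: dict[str, list[datetime]] = {}
    for rec in records:
        if rec.get("Operation") == "UserLoggedIn":
            logins.setdefault(rec["UserId"], []).append(_ts(rec))
    hits = []
    for rec in records:
        if rec.get("Operation") != "User registered security info.":
            continue
        user, when = rec["ObjectId"], _ts(rec)
        prior = [t for t in logins.get(user, []) if t < when]
        last = max(prior) if prior else None
        if last is None or when - last > timedelta(days=dormant_days):
            hits.append({"user": user, "time": rec["CreationTime"],
                         "last_login": last.isoformat() if last else None})
    return hits


if __name__ == "__main__":
    for hit in find_audit_downgrades(SAMPLE_RECORDS):
        print("AUDIT DOWNGRADE", hit)
    for hit in find_dormant_mfa_enrollments(SAMPLE_RECORDS):
        print("DORMANT MFA ENROLLMENT", hit)
```

In a real tenant the records would come from Search-UnifiedAuditLog or the Office 365 Management Activity API, and the AssignedLicense values are structured rather than flat strings. A third signal worth adding is the absence of MailItemsAccessed events for an E5-licensed mailbox that is otherwise active: once the audit plan is gone, the silence itself is the indicator.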

In addition to residential proxies, APT29 has used Azure Virtual Machines as attack infrastructure to disguise its activity. The VMs sit in Azure subscriptions outside the victim organisation, so the group's traffic originates from Microsoft IP space and blends in with legitimate Microsoft 365 activity.

The group has also used a compromised Azure administrator account to deploy a backdoor onto systems it had already infected; the backdoor could harvest emails from mailboxes.

The Russian-speaking group has become adept at folding new techniques into its tooling. It has also taken to using legitimate cloud storage services in its operations, which lets its activity blend in and stay undetected while it compromises systems.

Researchers expect Cozy Bear to keep refining its TTPs for accessing Microsoft 365 accounts in sophisticated, hard-to-detect ways, and to keep developing tradecraft that widens the scope of its operations. Organisations, and Microsoft 365 users in particular, should take steps now to defend against APT29's techniques.
