The threat actor behind the SolarWinds supply chain intrusion, APT29, has been observed in recent attacks using new tactics that target various features of Microsoft 365 in order to evade detection and to ensure “exceptional operational security”.
The Russian espionage group, tracked by Mandiant since 2014, has previously targeted the United States and NATO member countries. This year, in attacks on unnamed organizations that influence the foreign policy of NATO countries, APT29 was observed disabling Microsoft 365 licensing features to reduce organizations’ ability to use logging to confirm which accounts had been compromised, and targeting inactive accounts that had not yet completed the self-registration process for multi-factor authentication (MFA) in Azure Active Directory.
“APT29 continues to develop its technical craft and its dedication to strict operational security,” Douglas Bienstock of Mandiant said in an analysis Thursday. “Mandiant expects APT29 to follow the development of techniques and tactics to access Microsoft 365 in new and stealthy ways.”
When targeting Microsoft 365 licensing features, APT29 specifically focused on the Purview Audit (formerly known as Advanced Audit) logging feature, which is available with the E5 licensing model. Purview Audit provides auditing of mail items viewed: each time a mail item is viewed, it records details such as the user agent string, timestamp, and IP address. For organizations, this log source provides evidence of whether threat actors accessed a particular mailbox and, if so, when.
“Mandiant observed APT29 disabling Purview Audit on targeted accounts at a compromised tenant,” Bienstock said. “Once disabled, they begin targeting the inbox for email collection. At this point, there is no logging available to the organization to confirm which accounts the threat actor has targeted for email collection and when.”
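The defensive check implied by the passage above is to alert when the audit feature disappears from an account and to corroborate that its mail-access logging has gone quiet. The following is an added example written for this article, not code from Mandiant or Microsoft. It runs over two constructed, simplified record sets: Azure AD audit entries for license changes and Unified Audit Log MailItemsAccessed events. The field names mirror those logs in simplified form, and the service plan name used for Purview Audit is an assumption that should be checked against the tenant's own plan naming.

```python
"""
Added example (not the article's or Mandiant's code): flag accounts that lost
the Purview Audit service plan and have produced no mail-access audit events
since, i.e. the "no logging available" condition described in the article.
"""
from datetime import datetime

# Assumed service plan identifier for Purview Audit; verify in your own tenant.
AUDIT_PLAN = "M365_ADVANCED_AUDITING"

# Constructed Azure AD audit records (simplified shape): one license change
# strips the audit plan from alice, another removes an unrelated plan from bob.
LICENSE_EVENTS = [
    {"activity": "Change user license.", "target": "alice@example.com",
     "time": "2022-08-15T09:02:00Z", "removed_plans": [AUDIT_PLAN]},
    {"activity": "Change user license.", "target": "bob@example.com",
     "time": "2022-08-15T09:05:00Z", "removed_plans": ["SOME_OTHER_PLAN"]},
]

# Constructed Unified Audit Log events (simplified shape): alice's mail-access
# events stop before her license change; bob's continue afterwards.
MAIL_EVENTS = [
    {"Operation": "MailItemsAccessed", "UserId": "alice@example.com",
     "CreationTime": "2022-08-14T10:00:00Z", "ClientIP": "203.0.113.5"},
    {"Operation": "MailItemsAccessed", "UserId": "bob@example.com",
     "CreationTime": "2022-08-14T10:30:00Z", "ClientIP": "203.0.113.6"},
    {"Operation": "MailItemsAccessed", "UserId": "bob@example.com",
     "CreationTime": "2022-08-16T11:00:00Z", "ClientIP": "203.0.113.6"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in both record sets."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def audit_plan_removals(events, plan=AUDIT_PLAN):
    """Map user -> time of the license change that removed the audit plan."""
    return {
        e["target"]: e["time"]
        for e in events
        if e["activity"] == "Change user license." and plan in e["removed_plans"]
    }


def last_mail_access(events):
    """Map user -> timestamp of their most recent MailItemsAccessed event."""
    latest = {}
    for e in events:
        if e["Operation"] != "MailItemsAccessed":
            continue
        t = parse_ts(e["CreationTime"])
        if e["UserId"] not in latest or t > latest[e["UserId"]]:
            latest[e["UserId"]] = t
    return latest


def silent_mailboxes(license_events, mail_events):
    """
    Accounts whose audit plan was removed and that have logged no mail-access
    event since the removal: the combination worth an immediate investigation.
    """
    removals = audit_plan_removals(license_events)
    latest = last_mail_access(mail_events)
    findings = []
    for user, when in removals.items():
        seen = latest.get(user)
        if seen is None or seen < parse_ts(when):
            findings.append(user)
    return sorted(findings)


if __name__ == "__main__":
    for user in silent_mailboxes(LICENSE_EVENTS, MAIL_EVENTS):
        print(f"audit plan removed and mailbox silent since: {user}")
```

The license-change alert is the primary signal; the MailItemsAccessed correlation only confirms that the organization has indeed lost visibility into that mailbox, which is exactly what Mandiant says the actor is after.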
In another attack, APT29 took advantage of the self-registration process for MFA in Azure Active Directory. When organizations enforce MFA for the first time, users can enroll their devices the next time they sign in, with no further validation of the enrollment. This means that anyone who knows a username and password can access the account from any location and device and register for MFA, as long as they are the first to do so, researchers said.
APT29 first carried out a password guessing attack against a list of mailboxes (obtained by unknown means) and successfully guessed the password for an account that had been set up for MFA self-registration but had never been used.
“Because the account was inactive, Azure AD prompted APT29 to register for MFA,” Bienstock said. “Once registered, APT29 was able to use the account to access the organization’s VPN infrastructure which used Azure AD for authentication and MFA.”
The researchers recommended that organizations ensure that all active accounts have at least one MFA device enrolled and apply any additional checks available to the MFA enrollment process. It should be noted that Microsoft has recently introduced additional controls for MFA device enrollment, such as Conditional Access, which can restrict MFA device enrollment to approved locations or devices. Organizations can also issue temporary access passes to employees for the first enrollment of their MFA device.
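The two passages above describe the gap (an enabled account with no MFA method registered, whose first enrollment is accepted from anywhere) and the recommended checks. The following is an added example, not code from the article, Mandiant or Microsoft, that implements those checks over a constructed snapshot of user accounts and constructed MFA registration audit events. The registration activity name follows the Azure AD audit log, the user and event field names are simplified, and the trusted network ranges are assumptions standing in for an organization's own Conditional Access named locations.

```python
"""
Added example (not the article's or Mandiant's code): find active accounts
with no MFA method, and first-time MFA registrations that came from outside
the networks where enrollment is expected to happen.
"""
import ipaddress

# Constructed account snapshot taken before the registration events below.
# "methods" lists the authentication methods registered on the account.
USERS = [
    {"upn": "alice@example.com", "enabled": True,
     "methods": ["password", "microsoftAuthenticator"]},
    {"upn": "carol@example.com", "enabled": True, "methods": ["password"]},
    {"upn": "dave@example.com", "enabled": False, "methods": ["password"]},
    {"upn": "erin@example.com", "enabled": True, "methods": ["password"]},
]

# Constructed Azure AD audit events for MFA self-registration (simplified).
REGISTRATION_EVENTS = [
    {"activity": "User registered security info", "user": "carol@example.com",
     "ip": "198.51.100.77", "time": "2022-08-12T02:14:00Z"},
    {"activity": "User registered security info", "user": "erin@example.com",
     "ip": "10.1.2.3", "time": "2022-08-12T09:30:00Z"},
]

# Assumed trusted ranges (e.g. office and VPN egress) where first enrollment
# is expected; in practice these come from Conditional Access named locations.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]

# Methods that do not count as a second factor.
NON_MFA_METHODS = {"password"}


def unenrolled_active_accounts(users):
    """Enabled accounts with no MFA method: the accounts the article warns about."""
    return sorted(
        u["upn"] for u in users
        if u["enabled"] and not (set(u["methods"]) - NON_MFA_METHODS)
    )


def is_trusted(ip, networks=TRUSTED_NETWORKS):
    """True if the address falls inside one of the trusted ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def suspicious_self_registrations(users, events, networks=TRUSTED_NETWORKS):
    """
    First-time MFA registrations (account had no MFA method in the snapshot)
    that originated outside the trusted networks. Each finding carries the
    registering user, source IP and time for the analyst.
    """
    had_no_mfa = set(unenrolled_active_accounts(users))
    findings = []
    for e in events:
        if e["activity"] != "User registered security info":
            continue
        if e["user"] in had_no_mfa and not is_trusted(e["ip"], networks):
            findings.append((e["user"], e["ip"], e["time"]))
    return findings


if __name__ == "__main__":
    print("active accounts without MFA:", unenrolled_active_accounts(USERS))
    for user, ip, when in suspicious_self_registrations(USERS, REGISTRATION_EVENTS):
        print(f"first MFA registration from untrusted network: {user} {ip} {when}")
```

The first function is the inventory check the researchers recommend; the second is the retrospective version of the Conditional Access restriction, useful for reviewing enrollments that happened before such a policy was in place.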
APT29 has also used various features of Microsoft 365 for operational security and evasion, including leveraging Azure Virtual Machines in its attacks and using specific tactics to conceal its malicious activity. In one incident, APT29 gained access to a global administrator account in Azure AD and used that access to mix benign administrative actions with its own malicious ones. The attackers used the account to add a new certificate (key credential) to a service principal – an object that defines what an application can do within a specific tenant, who can access the application, and what resources the application can access – with a common name that matched the display name of the backdoored service principal in order to blend in.
“In addition to that, they’ve also added a new application address URL to the service principal,” Bienstock said. “The address they added was completely benign, was not necessary to facilitate their malicious activities, and was related to the functionality of the app as documented by the vendor.”
APT29 was finally able to authenticate to Azure AD as the service principal and use that role to collect emails. This tactic shows “APT29’s extremely high level of preparedness and the extent to which they attempt to pass off their actions as legitimate,” researchers said.
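A defender reviewing the incident above wants two things from the Azure AD audit log: credential additions whose naming mirrors the service principal (the blending trick described), and credential additions made by an account that does not normally own the application, together with the other application changes the same actor made around the same time. The following is an added example, not code from the article or Mandiant, that does this over constructed, simplified audit records. The activity names follow the Azure AD audit log; the field names and the application-owner mapping are assumptions.

```python
"""
Added example (not the article's or Mandiant's code): review service principal
credential additions for the blending pattern described in the article and for
actors who are not the application's expected owners.
"""
from datetime import datetime, timedelta

# Assumed mapping of application display name -> accounts expected to manage
# its credentials; in practice this would come from app ownership records.
APP_OWNERS = {
    "MailSyncConnector": {"app.team@example.com"},
    "BuildPipeline": {"svc.devops@example.com"},
}

# Constructed Azure AD audit records (simplified shape).
AUDIT_EVENTS = [
    {"activity": "Add service principal credentials.", "initiator": "admin.jane@example.com",
     "sp_name": "MailSyncConnector", "credential_name": "MailSyncConnector",
     "time": "2022-08-10T13:00:00Z"},
    {"activity": "Update application.", "initiator": "admin.jane@example.com",
     "sp_name": "MailSyncConnector", "credential_name": None,
     "time": "2022-08-10T13:03:00Z"},
    {"activity": "Add service principal credentials.", "initiator": "admin.jane@example.com",
     "sp_name": "BuildPipeline", "credential_name": "BuildPipeline-renewal",
     "time": "2022-08-10T13:10:00Z"},
    {"activity": "Add service principal credentials.", "initiator": "svc.devops@example.com",
     "sp_name": "BuildPipeline", "credential_name": "build-cert-2022Q3",
     "time": "2022-08-10T14:00:00Z"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def credential_findings(events, owners=APP_OWNERS):
    """
    Return (sp_name, credential_name, initiator, reasons) for each credential
    addition that mirrors the service principal's name or comes from a
    non-owner. Additions by owners with distinct names produce nothing.
    """
    findings = []
    for e in events:
        if e["activity"] != "Add service principal credentials.":
            continue
        reasons = []
        if e["credential_name"] and e["credential_name"].lower() == e["sp_name"].lower():
            reasons.append("credential name mirrors service principal display name")
        if e["initiator"] not in owners.get(e["sp_name"], set()):
            reasons.append("initiator is not an expected owner of the application")
        if reasons:
            findings.append((e["sp_name"], e["credential_name"], e["initiator"], tuple(reasons)))
    return findings


def related_changes(events, finding, window=timedelta(hours=1)):
    """
    Other application changes by the same initiator within `window` of the
    flagged addition: the benign-looking edits an actor may interleave to
    make the malicious one look routine.
    """
    sp_name, cred_name, initiator, _ = finding
    anchor = next(parse_ts(e["time"]) for e in events
                  if e["sp_name"] == sp_name and e["credential_name"] == cred_name)
    return [
        e for e in events
        if e["initiator"] == initiator
        and not (e["sp_name"] == sp_name and e["credential_name"] == cred_name)
        and abs(parse_ts(e["time"]) - anchor) <= window
    ]


if __name__ == "__main__":
    for f in credential_findings(AUDIT_EVENTS):
        print(f"{f[0]} <- {f[1]} by {f[2]}: {'; '.join(f[3])}")
        for change in related_changes(AUDIT_EVENTS, f):
            print(f"   nearby change by same actor: {change['activity']} on {change['sp_name']}")
```

Name mirroring is a weak signal on its own, since legitimate administrators sometimes name certificates after the application; the stronger point is that a global administrator who does not own the application added the credential and then made further, unrelated-looking edits to the same object, which is the behaviour Mandiant describes.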
These tactics are just the latest to be adopted by APT29, which previously targeted organizations integral to the global IT supply chain in the SolarWinds hack. In October 2021, Microsoft detailed an attack by the threat group targeting resellers and technology service providers in the United States and Europe. The group has also been observed deploying a backdoor called FoggyWeb to target Active Directory Federation Services (AD FS) servers, access and exfiltrate the server’s configuration database, and maintain persistence on machines.