Cozy Bear targets MS 365 environments with new tactics

The Russian intelligence-linked advanced persistent threat (APT) group tracked variously as Cozy Bear, APT29 or Nobelium, among other names, has adopted a variety of newer tactics, techniques and procedures (TTPs) targeting Microsoft 365 environments, according to new intelligence published by Mandiant.

Mandiant’s team said the group has been extremely prolific in recent months, particularly in targeting organisations “responsible for influencing and crafting the foreign policy of Nato countries”. They said Cozy Bear’s persistence and aggressiveness was “indicative of…strict tasking by the Russian government”.

According to researcher Douglas Bienstock, one of Cozy Bear’s new TTPs includes disabling elements of its targets’ Microsoft 365 licences in order to obscure their targeting.

Microsoft uses a variety of licensing models to control user access to services within the 365 product suite. Some of these can dictate security and compliance settings within the Microsoft Purview Audit service.

Microsoft Purview Audit is a forensic and compliance investigation tool that is very troublesome for threat actors because it enables the Mail Items Accessed audit, which records and logs data such as user-agent strings, timestamps, IP addresses and users each time a mail item is accessed, and is a critical log source for security pros to determine whether a particular mailbox has been compromised.

Bienstock said he had observed Cozy Bear disabling Purview Audit on targeted accounts within a compromised tenant in order to target the inbox for email collection.

“At this point, there is no logging available to the organisation to confirm which accounts the threat actor targeted for email collection and when,” said Bienstock in his write-up.

“Given APT29’s targeting and TTPs, Mandiant believes that email collection is the most likely activity following disablement of Purview Audit.

“We have updated our whitepaper Remediation and hardening strategies for Microsoft 365 to include more details on this technique as well as detection and remediation advice. Additionally, we have updated the Azure AD Investigator with a new module to report on users with advanced auditing disabled.”

But this is not the only trick up Cozy Bear’s sleeve. Bienstock said his team has also started to observe the group trying to take advantage of the self-enrolment process for multifactor authentication (MFA) within Azure Active Directory (and other platforms).

This technique exploits the fact that Azure AD’s default configuration lacks strict enforcement on new MFA enrolments – meaning that anybody with a valid username and password can access an account from any location and any device to enrol, as long as they are the first person to do so.

In one incident observed by the team, Cozy Bear brute-forced passwords against a list of mailboxes they had obtained, and were able to successfully crack the password to an account that had been set up but was unused. Because this account was lying dormant, Azure AD prompted the threat actor to enrol for MFA as the legitimate user, and this, in turn, gave them access to the target organisation’s VPN infrastructure that was using Azure AD for authentication and MFA.

Bienstock said he recommended organisations to ensure all active accounts have at least one MFA device enrolled and work with their suppliers to add further verification to the enrolment process.

Microsoft does have tools to this effect that are available to Azure AD users, and these should be used to enforce stricter controls around who can set up MFA, such as requiring the user to be at a trusted location or trusted device, or requiring MFA to enrol in MFA, although this requires some jiggery-pokery with temporary access credentials to avoid a chicken-and-egg situation.

In other areas, Cozy Bear continues to exhibit “exceptional opsec and evasion tactics”, such as operating from its own Azure virtual machines (VMs) that it has either bought itself or compromised somehow, so that its activity now emanates from trusted Microsoft IP addresses and is less likely to raise red flags.

The group has also been observed mixing some benign admin actions among its malicious ones in order to confuse anyone who might be on its trail.

In one recent Mandiant investigation, Cozy Bear was found to have gained access to a global admin account in Azure AD and used it to backdoor a service principal to collect email from targeted mailboxes. It did this by adding a new key credential to the service principal, but in the process it also created a certificate with a common name (CN) matching the display name of the backdoored service principal, and added a new application address URL to it.

Bienstock said there was no need for Cozy Bear to have taken those final steps to facilitate its attack in any way. “This…demonstrates the extremely high level of preparation that APT29 takes and the extent to which they try to masquerade their actions as legitimate,” he said.