Thursday, August 25, 2022

Microsoft Cloud Services Are Vulnerable To Nefarious Cozy Bear MFA Hacking Campaign


A new report by cybersecurity firm Mandiant details an ongoing hacking campaign targeting Microsoft 365. The threat actor behind this campaign is an advanced persistent threat (APT) known as “Cozy Bear” or simply “APT29.” APT29 is believed to be a Russian hacking group sponsored by the Russian Foreign Intelligence Service (SVR). Mandiant has linked this group to the staggering SolarWinds hack of 2020, as well as many other cyberattacks on US and NATO strategic interests. APT29 has also carried out a number of attacks on these same targets at the behest of the Russian government.

Mandiant has continued to track APT29’s behavior, which includes using different techniques to access the Microsoft 365 accounts of its targets. The cybersecurity firm has recently observed a new tactic leveraged by APT29 to bypass multi-factor authentication (MFA). The technique exploits the MFA self-enrollment process built into Microsoft’s enterprise identity service, Azure Active Directory, as well as similar platforms.

Microsoft’s Vancouver Office
Organizations can use platforms like Azure Active Directory to roll out organization-wide MFA using a self-enrollment process. Once an organization enables MFA, its users are prompted at their next login to set up MFA on at least one device. While MFA functions as an important extra layer of security, it doesn’t do any good until the set-up process is completed. APT29 and other threat actors have discovered that they can hijack accounts before users finish the MFA self-enrollment process.

According to Mandiant, APT29 carried out an attack against an organization that involved guessing the password of an account that had been created but never used. Since no one had ever logged into the account, the account wasn’t protected by MFA. Once APT29 gained access to the account, the threat actor completed the MFA self-enrollment process and used the account to connect to the organization’s VPN.

Organizations can try to prevent this kind of unauthorized access by ensuring that there are no dormant accounts unprotected by MFA. System administrators can and often should implement policies to automatically deactivate accounts after a certain period of inactivity. Organizations can also require that users obtain a temporary access pass from the help desk to complete the MFA self-enrollment process.
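The following script is an added example, not code from the article or from Mandiant, showing how a defender would operationalize the two points above: auditing for the kind of never-used, MFA-less account that APT29 took over, listing dormant accounts for the deactivation policy, and flagging the attack sequence itself (an account with no sign-in history suddenly signs in and registers MFA minutes later). The user and event records are constructed inline; their field names loosely follow Microsoft Graph user and userRegistrationDetails objects but are assumptions, so adapt them to your own tenant export.

```python
"""Defender-side checks for the MFA self-enrollment gap (added example, constructed data)."""
from datetime import datetime, timedelta, timezone

# Constructed sample inventory; field names are assumptions modelled on a Graph export.
USERS = [
    # Created months ago, never signed in, no MFA: the account type APT29 hijacked.
    {"userPrincipalName": "contractor01@example.invalid", "accountEnabled": True,
     "createdDateTime": "2022-01-10T09:00:00Z", "lastSignInDateTime": None, "isMfaRegistered": False},
    # Active user with MFA registered: fine.
    {"userPrincipalName": "alice@example.invalid", "accountEnabled": True,
     "createdDateTime": "2021-03-01T09:00:00Z", "lastSignInDateTime": "2022-08-24T07:12:00Z", "isMfaRegistered": True},
    # Signed in once, never enrolled MFA: still exposed, and dormant as well.
    {"userPrincipalName": "bob@example.invalid", "accountEnabled": True,
     "createdDateTime": "2021-03-01T09:00:00Z", "lastSignInDateTime": "2022-02-01T07:12:00Z", "isMfaRegistered": False},
    # Already disabled: nothing to do.
    {"userPrincipalName": "old@example.invalid", "accountEnabled": False,
     "createdDateTime": "2020-03-01T09:00:00Z", "lastSignInDateTime": None, "isMfaRegistered": False},
    # Created two weeks ago and still unused: past the onboarding grace period, so exposed but not yet dormant.
    {"userPrincipalName": "newhire@example.invalid", "accountEnabled": True,
     "createdDateTime": "2022-08-10T09:00:00Z", "lastSignInDateTime": None, "isMfaRegistered": False},
]

# Constructed sign-in / audit events for one day (not real log data).
EVENTS = [
    {"time": "2022-08-20T03:14:00Z", "user": "svc-reporting@example.invalid", "type": "signIn"},
    {"time": "2022-08-20T03:16:00Z", "user": "svc-reporting@example.invalid", "type": "mfaRegistration"},
    {"time": "2022-08-20T08:02:00Z", "user": "alice@example.invalid", "type": "signIn"},
]

NOW = datetime(2022, 8, 25, 12, 0, tzinfo=timezone.utc)


def _parse(ts):
    """Parse the ISO-8601 'Z' timestamps used above; None stays None."""
    if ts is None:
        return None
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_exposed_accounts(users, now, grace_days=7):
    """Enabled accounts with no MFA registered that have sat unused longer than grace_days.
    Never-used accounts are measured from creation. Each of these can be taken over by
    anyone who guesses the password, because the attacker completes self-enrollment."""
    exposed = []
    for u in users:
        if not u["accountEnabled"] or u["isMfaRegistered"]:
            continue
        last = _parse(u["lastSignInDateTime"]) or _parse(u["createdDateTime"])
        if now - last > timedelta(days=grace_days):
            exposed.append(u["userPrincipalName"])
    return sorted(exposed)


def find_dormant_accounts(users, now, inactive_days=90):
    """Enabled accounts with no sign-in for inactive_days (never-used accounts count from
    creation): the candidates for the automatic deactivation policy described above."""
    dormant = []
    for u in users:
        if not u["accountEnabled"]:
            continue
        last = _parse(u["lastSignInDateTime"]) or _parse(u["createdDateTime"])
        if now - last > timedelta(days=inactive_days):
            dormant.append(u["userPrincipalName"])
    return sorted(dormant)


def detect_hijack_pattern(events, previously_active, window_minutes=30):
    """Flag accounts with no prior sign-in history whose first observed sign-in is followed
    by an MFA registration within window_minutes: the sequence in the Mandiant case.
    Legitimate onboarding produces the same sequence, so correlate hits with a help-desk
    ticket or temporary access pass issuance. Returns {upn: (signin_time, registration_time)}."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_user.setdefault(e["user"], []).append(e)
    hits = {}
    for upn, evs in by_user.items():
        if upn in previously_active:
            continue
        first_signin = next((e for e in evs if e["type"] == "signIn"), None)
        if first_signin is None:
            continue
        t0 = _parse(first_signin["time"])
        for e in evs:
            if e["type"] == "mfaRegistration":
                delta = _parse(e["time"]) - t0
                if timedelta(0) <= delta <= timedelta(minutes=window_minutes):
                    hits[upn] = (first_signin["time"], e["time"])
                    break
    return hits


if __name__ == "__main__":
    print("Exposed (no MFA, unused past grace):", find_exposed_accounts(USERS, NOW))
    print("Dormant (deactivation candidates):", find_dormant_accounts(USERS, NOW))
    print("First sign-in followed by MFA registration:",
          detect_hijack_pattern(EVENTS, {"alice@example.invalid"}))
```

In a real tenant the inventory would come from a Graph export of users with sign-in activity and of authentication method registration details, and the events from sign-in and audit logs; the grace and inactivity windows are policy choices, and the short grace period is what keeps a freshly created but unclaimed account from lingering unprotected.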
