
Cybersecurity firm Mandiant has warned that Russian hacking group APT29, also known as Cozy Bear or Nobelium, has targeted several Microsoft 365 accounts in the US and NATO countries. The group has adopted a variety of newer tactics, techniques and procedures (TTPs) targeting Microsoft 365 environments.
Stealthy intruders like APT29 would rather not have their movements logged. To keep mailbox access out of the audit trail, the group disables Purview Audit on a targeted account before touching its mail folders; with the feature off, the MailItemsAccessed records that would otherwise show which messages were read are never generated. A user whose Purview Audit was turned off shortly before a burst of mailbox activity therefore deserves priority in an investigation.
APT29 is also abusing the multi-factor authentication self-enrollment process in Azure Active Directory. When a user signs in for the first time to a tenant whose policy requires self-enrollment, Azure AD (not Windows) prompts them to register an MFA method. An attacker who has obtained the password of an account that never completed enrollment, such as a long-dormant one, can answer that prompt and register their own device, so the account's MFA then works for the attacker rather than against them.
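One way to hunt for this abuse is to correlate Azure AD "User registered security info" audit events with the account's sign-in history and flag enrollments that follow a long-dormant (or never-used) account's sign-in, or that come from an address the account has never signed in from. The block below is an added example, not code from the article or from Mandiant; the record shapes loosely follow Microsoft Graph signIn and directoryAudit objects, and every user, IP address, time and the 90-day dormancy threshold is a constructed assumption.

```python
"""Flag MFA self-enrollments that follow a dormant or never-used account's sign-in.

Added example, not from the article or Mandiant. Field names loosely follow
Microsoft Graph signIn and directoryAudit objects; all values are constructed.
"""
from datetime import datetime, timedelta


def _ts(s):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed sign-in history: alice is an active user; svc-old last signed in
# in March, then a password guess succeeds from a new address in August.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2022-05-02T09:00:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2022-07-28T09:00:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2022-08-09T08:00:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2022-03-01T10:00:00Z", "userPrincipalName": "svc-old@example.com",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2022-08-10T02:10:00Z", "userPrincipalName": "svc-old@example.com",
     "ipAddress": "192.0.2.44", "status": {"errorCode": 50126}},   # failed password guess
    {"createdDateTime": "2022-08-10T02:11:00Z", "userPrincipalName": "svc-old@example.com",
     "ipAddress": "192.0.2.44", "status": {"errorCode": 0}},       # guess succeeds
]

# Constructed directory-audit events: both users register security info.
SAMPLE_AUDITS = [
    {"activityDateTime": "2022-08-09T08:05:00Z", "activityDisplayName": "User registered security info",
     "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10"}}},
    {"activityDateTime": "2022-08-10T02:13:00Z", "activityDisplayName": "User registered security info",
     "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "svc-old@example.com", "ipAddress": "192.0.2.44"}}},
]


def flag_registrations(signins, audits, dormant_days=90):
    """Return enrollments whose triggering sign-in ended a dormant period or came from an unknown IP."""
    ok = sorted((s for s in signins if s["status"]["errorCode"] == 0),
                key=lambda s: _ts(s["createdDateTime"]))
    findings = []
    for a in audits:
        if a["activityDisplayName"] != "User registered security info" or a["result"] != "success":
            continue
        user = a["initiatedBy"]["user"]["userPrincipalName"]
        ip = a["initiatedBy"]["user"]["ipAddress"]
        t = _ts(a["activityDateTime"])
        prior = [s for s in ok if s["userPrincipalName"] == user and _ts(s["createdDateTime"]) <= t]
        # The most recent successful sign-in is the session doing the enrollment;
        # everything before it is the account's real history.
        history = prior[:-1]
        reasons = []
        if not history or (_ts(prior[-1]["createdDateTime"]) - _ts(history[-1]["createdDateTime"])
                           > timedelta(days=dormant_days)):
            reasons.append("dormant")      # never used before, or first sign-in in dormant_days
        if ip not in {s["ipAddress"] for s in history}:
            reasons.append("unfamiliar_ip")
        if reasons:
            findings.append({"user": user, "time": a["activityDateTime"], "ip": ip, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_registrations(SAMPLE_SIGNINS, SAMPLE_AUDITS):
        print(f"{f['time']} {f['user']} enrolled MFA from {f['ip']}: {', '.join(f['reasons'])}")
```

Treating the enrolling session's own sign-in as separate from the account's history matters: a freshly guessed dormant account always has one recent successful sign-in, and counting it would hide exactly the case Mandiant describes. The preventive fix is to require enrollment only from trusted locations or devices, and to disable or purge dormant accounts rather than leave them waiting for their first MFA prompt.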
Microsoft 365 has a security feature named "Purview Audit" (formerly Advanced Audit). When enabled, it records the user agent, IP address, timestamp and user name each time a mail item is accessed, regardless of the client used (Outlook, a browser or the Graph API), in the MailItemsAccessed audit event.
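The two points above, that the audit trail is only useful while it is switched on and that each MailItemsAccessed record carries the client's IP and user agent, translate into two checks a defender can run. The block below is an added example, not code from the article or from Mandiant: it parses constructed AuditData payloads shaped like those returned by Search-UnifiedAuditLog for MailItemsAccessed (CreationTime, UserId, ClientIPAddress, ClientInfoString, MailAccessType, OperationCount), flags accesses from an IP/client pair the user never used before a chosen baseline date, and lists mailboxes whose owner-audit configuration (as Get-Mailbox reports it) would not produce the event at all. All users, addresses, dates and settings are invented.

```python
"""Triage MailItemsAccessed records and find mailboxes that cannot produce them.

Added example, not from the article or Mandiant. The JSON lines mimic the
AuditData field of Search-UnifiedAuditLog output; all values are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample: one MailItemsAccessed AuditData object per line.
SAMPLE_AUDITDATA = """
{"CreationTime":"2022-07-10T08:02:11","Operation":"MailItemsAccessed","UserId":"alice@example.com","ClientIPAddress":"203.0.113.10","ClientInfoString":"Client=OWA;Action=ViaProxy","MailAccessType":"Bind","OperationCount":3}
{"CreationTime":"2022-07-15T09:40:02","Operation":"MailItemsAccessed","UserId":"alice@example.com","ClientIPAddress":"203.0.113.10","ClientInfoString":"Client=OWA;Action=ViaProxy","MailAccessType":"Bind","OperationCount":5}
{"CreationTime":"2022-07-20T11:15:47","Operation":"MailItemsAccessed","UserId":"bob@example.com","ClientIPAddress":"198.51.100.7","ClientInfoString":"Client=MSExchangeRPC","MailAccessType":"Sync","OperationCount":1}
{"CreationTime":"2022-08-03T07:58:30","Operation":"MailItemsAccessed","UserId":"alice@example.com","ClientIPAddress":"203.0.113.10","ClientInfoString":"Client=OWA;Action=ViaProxy","MailAccessType":"Bind","OperationCount":2}
{"CreationTime":"2022-08-04T01:12:31","Operation":"MailItemsAccessed","UserId":"alice@example.com","ClientIPAddress":"192.0.2.44","ClientInfoString":"Client=REST;Client=RESTSystem;","MailAccessType":"Bind","OperationCount":120}
{"CreationTime":"2022-08-05T10:03:19","Operation":"MailItemsAccessed","UserId":"bob@example.com","ClientIPAddress":"198.51.100.7","ClientInfoString":"Client=MSExchangeRPC","MailAccessType":"Sync","OperationCount":1}
""".strip().splitlines()

# Constructed mailbox audit settings, shaped like Get-Mailbox's AuditEnabled/AuditOwner.
MAILBOX_SETTINGS = [
    {"UserPrincipalName": "alice@example.com", "AuditEnabled": True,
     "AuditOwner": ["MailItemsAccessed", "Update", "MoveToDeletedItems"]},
    {"UserPrincipalName": "bob@example.com", "AuditEnabled": True,
     "AuditOwner": ["Update", "MoveToDeletedItems"]},       # event not in the owner set
    {"UserPrincipalName": "carol@example.com", "AuditEnabled": False,
     "AuditOwner": ["MailItemsAccessed"]},                  # auditing switched off entirely
]


def parse_records(lines):
    """Decode one AuditData JSON object per non-empty line."""
    return [json.loads(line) for line in lines if line.strip()]


def _when(rec):
    return datetime.fromisoformat(rec["CreationTime"])


def build_baseline(records, cutoff):
    """Map UserId -> set of (ClientIPAddress, ClientInfoString) pairs seen before cutoff."""
    baseline = defaultdict(set)
    for rec in records:
        if _when(rec) < cutoff:
            baseline[rec["UserId"]].add((rec["ClientIPAddress"], rec["ClientInfoString"]))
    return baseline


def find_new_clients(records, cutoff):
    """Return post-cutoff accesses from an IP/client pair the user never used before cutoff."""
    baseline = build_baseline(records, cutoff)
    hits = []
    for rec in records:
        if _when(rec) < cutoff:
            continue
        key = (rec["ClientIPAddress"], rec["ClientInfoString"])
        if key not in baseline.get(rec["UserId"], set()):
            hits.append(rec)
    return hits


def find_unaudited_mailboxes(settings):
    """Return UPNs whose configuration would never emit a MailItemsAccessed record."""
    return [m["UserPrincipalName"] for m in settings
            if not m["AuditEnabled"] or "MailItemsAccessed" not in m["AuditOwner"]]


if __name__ == "__main__":
    records = parse_records(SAMPLE_AUDITDATA)
    for rec in find_new_clients(records, datetime(2022, 8, 1)):
        print(f"{rec['CreationTime']} {rec['UserId']} new client {rec['ClientIPAddress']} "
              f"{rec['ClientInfoString']} ({rec['OperationCount']} items)")
    print("mailboxes without MailItemsAccessed auditing:", find_unaudited_mailboxes(MAILBOX_SETTINGS))
```

The second check is the one that matters against the tactic described above: an account that stops emitting MailItemsAccessed records has not necessarily gone quiet, it may simply have had the feature removed. Absence of events is therefore not evidence of absence of access, and the audit configuration itself needs to be monitored for changes.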
APT29 is one of Russia's most skillful hacking groups. In July 2022, Palo Alto Networks analysts revealed APT29 abusing the Google Drive and Dropbox cloud storage services to deliver malware and exfiltrate data over traffic that blends in with legitimate use of those services.