Microsoft 365 targeted by Russian hacker group APT29

Share post

New Mandiant research into the Russian hacker group APT29 behind the 2021 SolarWinds attack shows the attackers are adopting new tactics and continue to actively target Microsoft 365.

APT29 has also been observed re-targeting previous victims - particularly those with influence or close ties to NATO countries. This shows that the cyber criminals are persistent, aggressive and with a lot of dedication to further develop their technical skills.

Focus on operational safety

APT29 continues to demonstrate exceptional operational security and evasive tactics. In addition to using proxies in homes to obfuscate their recent access to victim environments, Mandiant has observed APT29 turning to Azure Virtual Machines. The virtual machines used by APT29 exist in Azure subscriptions outside of the victim organization.

Mandiant is not aware if these subscriptions were compromised or bought by APT29. Obtaining access to the last mile from trusted Microsoft IP addresses reduces the likelihood of detection. Because Microsoft 365 itself runs on Azure, the Azure AD sign-in and unified audit logs already contain many Microsoft IP addresses, and it can be difficult to quickly determine whether an IP address is associated with a malicious VM or a M365 backend service belongs.

Insights from Mandiant's research

  • New tactics include disabling Purview Audit in Microsoft. The Purview Audit License is an important log source to determine if a cybercriminal is accessing a specific mailbox. By gaining access and disabling that license, APT29 allows the group to essentially erase any trace of their presence.
  • Another tactic is exploiting the self-registration process for multi-factor authentication (MFA) in Azure Active Directory. After APT29 successfully launched a password-guessing attack against a list of mailboxes, the hackers were able to sign up for MFA with an inactive account. After registering, APT29 was able to use the account to access the company's VPN infrastructure.

Mandiant offers the full report on its English-language blog

More at Mandiant.com

 


About Mandiant

Mandiant is a recognized leader in dynamic cyber defense, threat intelligence and incident response. With decades of experience on the cyber frontline, Mandiant helps organizations confidently and proactively defend against cyber threats and respond to attacks. Mandiant is now part of Google Cloud.


 

Matching articles on the topic

Companies spend 10 billion euros on cybersecurity

Germany is arming itself against cyber attacks and is investing more than ever in IT and cyber security. In the current year the ➡ Read more

Qakbot remains dangerous

Sophos X-Ops has discovered and analyzed a new variant of the Qakbot malware. These cases first appeared in mid-December and they ➡ Read more

I-Soon: China's state-run foreign hackers exposed 

Internally, it is certainly the biggest betrayal of China: an employee of the I-Soon company revealed data and services ➡ Read more

VexTrio: most malicious DNS threat actor identified

A DNS management and security provider has exposed and blocked VexTrio, a complex criminal affiliate program. This increases cybersecurity. ➡ Read more

A comeback from Lockbit is likely

It is fundamentally important for Lockbit to be visible again quickly. Victims are presumably less willing to pay as long as there are rumors ➡ Read more

LockBit is alive

A few days ago, international law enforcement authorities scored a decisive blow against Lockbit. According to a comment from Chester Wisniewski, Director, Global ➡ Read more

Cyber ​​danger Raspberry Robin

A leading provider of an AI-powered, cloud-delivered cybersecurity platform warns about Raspberry Robin. The malware was first released in the year ➡ Read more

New scam Deep Fake Boss

Unlike classic scams such as the email-based boss scam, the Deep Fake Boss method uses high-tech manipulation ➡ Read more