The threat actor behind the SolarWinds supply-chain intrusion, APT29, has been observed in recent attacks with newer tactics that target various Microsoft 365 features in order to evade detection and carry out “exceptional operational security.”
The Russian espionage group, which has been tracked by Mandiant since 2014, has previously targeted the U.S. and countries part of NATO. In attacks this year focusing on unnamed organizations that influence the foreign policy of NATO countries, APT29 was observed disabling Microsoft 365 licensing models in order to kneecap organizations’ abilities to use logging features to confirm which accounts were compromised and targeting dormant accounts that are part of the self-enrollment process for multi-factor authentication (MFA) in Microsoft Entra ID.
“APT29 continues to develop its technical tradecraft and dedication to strict operational security,” said Douglas Bienstock with Mandiant in a Thursday analysis. “Mandiant expects that APT29 will stay apace with the development of techniques and tactics to access Microsoft 365 in novel and stealthy ways.”
When targeting Microsoft 365’s licensing models, APT29 specifically focused on the Purview Audit logging feature (formerly known as Advanced Audit), which is available with the E5 licensing model. The Purview Audit feature allows for an audit of Mail Items Accessed, which records information each time a mail item is accessed like the user-agent string, timestamp and IP address. For organizations, this log source provides tell-tale clues about whether threat actors have accessed a particular mailbox, and if so, when.
“Mandiant has observed APT29 disabling Purview Audit on targeted accounts in a compromised tenant,” said Bienstock. “Once disabled, they begin targeting the inbox for email collection. At this point, there is no logging available to the organization to confirm which accounts the threat actor targeted for email collection and when.”
In another attack, APT29 took advantage of the process for self-enrollment for MFA in Microsoft Entra ID. When organizations first enforce MFA, users can enroll their devices when they next log in, with no further enforcements in the enrollment process needed. That means that anyone who knows the username and passwords can access the account from any location and device to enroll MFA as long as they are the first to do so, said Mandiant researchers.
APT29 first conducted a password guessing attack against a list of mailboxes (obtained through unknown means) in order to successfully guess the password of an account that had been setup via this MFA self-enrollment process, but that had not yet been used.
“Mandiant expects that APT29 will stay apace with the development of techniques and tactics to access Microsoft 365 in novel and stealthy ways.”
“Because the account was dormant, Microsoft Entra ID prompted APT29 to enroll in MFA,” said Bienstock. “Once enrolled, APT29 was able to use the account to access the organization’s VPN infrastructure that was using Microsoft Entra ID for authentication and MFA.”
Researchers recommended that organizations ensure all active accounts have at least one MFA device enrolled and apply any additional available verifications to the MFA enrollment process. Of note, further enforcement controls have been recently introduced by Microsoft for MFA device enrollment, such as conditional access, which means that MFA devices are restricted to only trusted locations or trusted devices. Organizations can also issue temporary access passes for employees when they first enroll their MFA device.
APT29 has also used various Microsoft 365 features for operational security and evasion tactics, including leveraging Azure Virtual Machines in its attacks and using specific tactics to disguise its malicious activities. In one incident, APT29 gained access to a global administrator account in Microsoft Entra ID, and used this access to mix benign administrative actions in with their own malicious ones. The attackers used the account to add a new certificate (Key Credential) to a service principal - an object that defines what apps can do within specific tenants, who can access the app and what resources the app can access - with a common name that matched the displayed name of the backdoored service principal in order to blend in.
“In addition to this, they also added a new Application Address URL to the service principal,” said Bienstock. “The address they added was completely benign, not needed to facilitate their malicious activities, and was related to the functionality of the application as documented by the vendor.”
APT29 was ultimately able to authenticate to Microsoft Entra ID as the service principal and use this role to collect email. This tactic shows “the extremely high level of preparation that APT29 takes and the extent to which they try to masquerade their actions as legitimate,” said researchers.
The tactics are only the most recent to be adopted by APT29, which has previously targeted organizations integral to the global IT supply chain in the SolarWinds hack. In October 2021 Microsoft detailed an attack by the threat group targeting resellers and technology service providers across the U.S. and Europe. The group has also been observed deploying a backdoor called FoggyWeb to target Microsoft Entra ID Federation Services (AD FS) servers, access and exfiltrate the server’s configuration database, and maintain persistence on machines.