Russian APT29 hackers abuse Azure services to hack Microsoft 365 users
Security News, August 2022
The state-backed Russian cyberespionage group Cozy Bear has been particularly prolific in 2022, targeting Microsoft 365 accounts in NATO countries and attempting to access foreign policy information.
Mandiant, which has been tracking the activities of Cozy Bear, reports that the Russian hackers have been aggressively targeting Microsoft 365 accounts in espionage campaigns.
Microsoft 365 users on a higher-grade E5 license enjoy a security feature named "Purview Audit".
The Russian hackers brute-forced the usernames and passwords of accounts that had never logged into the domain, then enrolled their own devices in MFA on those accounts. Because an active MFA registration satisfies the security prerequisite for using the compromised organization's VPN infrastructure, APT29 is then free to roam on the breached network.
Azure VMs "contaminate" logs with Microsoft IP addresses, and since Microsoft 365 itself runs on Azure, it is hard for defenders to tell routine Microsoft traffic from malicious actions.
APT29 further obfuscates its Azure AD admin activity by mixing malicious actions, such as backdooring services to collect email, with benign changes like the addition of Application Address URLs.
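One detection angle for the dormant-account MFA self-enrollment described above, as an added example that is not from the article or Mandiant's report: flag a user whose first successful sign-in follows a burst of failures and is then followed by an MFA registration within a short window. The event records are constructed for the example and the field names are assumptions, not Microsoft's sign-in or audit log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data); ISO timestamps sort lexically.
SAMPLE_EVENTS = [
    {"ts": "2022-08-10T01:00:00", "user": "svc-legacy@example.com", "type": "signin", "result": "failure"},
    {"ts": "2022-08-10T01:00:05", "user": "svc-legacy@example.com", "type": "signin", "result": "failure"},
    {"ts": "2022-08-10T01:00:10", "user": "svc-legacy@example.com", "type": "signin", "result": "failure"},
    {"ts": "2022-08-10T01:02:00", "user": "svc-legacy@example.com", "type": "signin", "result": "success"},
    {"ts": "2022-08-10T01:05:00", "user": "svc-legacy@example.com", "type": "mfa_register", "result": "success"},
    # A normal user enrolling MFA after an ordinary first sign-in: no preceding failures.
    {"ts": "2022-08-10T08:00:00", "user": "alice@example.com", "type": "signin", "result": "success"},
    {"ts": "2022-08-10T08:30:00", "user": "alice@example.com", "type": "mfa_register", "result": "success"},
]


def find_suspicious_enrollments(events, min_failures=3, window=timedelta(hours=1)):
    """Return users whose first successful sign-in in the data set came after
    at least `min_failures` failed attempts and was followed by an MFA
    registration within `window`. "First success in the data set" stands in
    for "dormant account with no prior sign-in history"; in production that
    check would come from the account's full history."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    flagged = []
    for user, evs in by_user.items():
        failures_before_success = 0
        first_success = None
        for e in evs:
            if e["type"] == "signin" and first_success is None:
                if e["result"] == "failure":
                    failures_before_success += 1
                elif e["result"] == "success":
                    first_success = datetime.fromisoformat(e["ts"])
            elif e["type"] == "mfa_register" and first_success is not None:
                soon_after = datetime.fromisoformat(e["ts"]) - first_success <= window
                if soon_after and failures_before_success >= min_failures:
                    flagged.append(user)
                break  # only the first enrollment after the first success matters
    return flagged


if __name__ == "__main__":
    print(find_suspicious_enrollments(SAMPLE_EVENTS))  # ['svc-legacy@example.com']
```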