Microsoft Cloud Services Are Vulnerable To Nefarious Cozy Bear MFA Hacking Campaign
Mandiant has continued to track APT29’s behavior, which includes employing different methods to access the Microsoft 365 accounts of its targets. The cybersecurity firm has recently observed a new tactic leveraged by APT29 to bypass multi-factor authentication (MFA). This technique exploits the MFA self-enrollment process built into Microsoft’s enterprise identity service, Azure Active Directory, as well as similar platforms.
According to Mandiant, APT29 carried out an attack against an organization that involved guessing the password of an account that was created but never used. Since no one had ever logged into the account, the account wasn’t protected by MFA. Once APT29 gained access to the account, the threat actor completed the MFA self-enrollment process and used the account to connect to the organization’s VPN.
Organizations can try to prevent this form of unauthorized access by ensuring that there aren’t any dormant accounts unprotected by MFA. System administrators can and often should implement policies to automatically deactivate accounts after a certain period of inactivity. Organizations can also require that users acquire a temporary access pass from the help desk to complete the MFA self-enrollment process.
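The first mitigation above, finding accounts that have no MFA registered and are either never used or idle, can be checked from the tenant's own reporting data. The script below is an added example, not code from Mandiant or Microsoft; the input is a constructed sample shaped like the `isMfaRegistered` and `lastSignInDateTime` fields Microsoft Graph reports return, and the 90-day idle threshold is an assumption.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample (hypothetical users). Shape follows the Graph report fields
# isMfaRegistered (userRegistrationDetails) and signInActivity.lastSignInDateTime,
# which is null for an account that has never signed in.
SAMPLE_USERS = json.loads("""
[
 {"userPrincipalName": "alice@example.test", "isMfaRegistered": true,
  "lastSignInDateTime": "2022-08-20T12:00:00Z"},
 {"userPrincipalName": "svc-legacy@example.test", "isMfaRegistered": false,
  "lastSignInDateTime": null},
 {"userPrincipalName": "carol@example.test", "isMfaRegistered": false,
  "lastSignInDateTime": "2022-02-01T08:00:00Z"},
 {"userPrincipalName": "dave@example.test", "isMfaRegistered": false,
  "lastSignInDateTime": "2022-08-22T07:30:00Z"}
]
""")


@dataclass
class Finding:
    upn: str
    reason: str


def _parse_ts(ts: Optional[str]) -> Optional[datetime]:
    """Graph returns ISO 8601 with a trailing Z; None means never signed in."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def find_unprotected_dormant(users, now: Optional[datetime] = None,
                             max_idle_days: int = 90) -> List[Finding]:
    """Flag accounts with no MFA registered that are never used or idle.

    A never-used account is the exact case in the article: the password can be
    guessed and the attacker completes MFA enrollment themselves, so it is
    reported regardless of age. Idle accounts past the threshold are reported
    as deactivation candidates.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_idle_days)
    findings: List[Finding] = []
    for u in users:
        if u.get("isMfaRegistered"):
            continue  # MFA enrolled by the legitimate owner; not at risk here
        last = _parse_ts(u.get("lastSignInDateTime"))
        if last is None:
            findings.append(Finding(u["userPrincipalName"], "never signed in, no MFA"))
        elif last <= cutoff:
            findings.append(Finding(u["userPrincipalName"], "idle, no MFA"))
    return findings
```

Run it against a real export of the two reports and feed the "never signed in" findings into your MFA-enrollment or temporary-access-pass process, and the "idle" ones into the deactivation policy.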