Alert Advisory: Insight into APT29

Background:

Beginning in 2015, APT29 allegedly penetrated the Democratic National Committee. The SolarWinds supply chain compromises cyber operation was ascribed to the SVR by the US and UK governments in April 2021; public remarks included references to APT29, Cozy Bear, and The Dukes.

APT29 has concentrated its attention in 2022 on institutions in charge of influencing and forming the foreign policy of NATO nations. This included numerous occasions when APT29 returned to victims who had been compromised years, or perhaps only months, before. This tenacity and aggressiveness are a sign of the Russian Government’s continued interest in this information and its stringent tasking. Mandiant, a security firm has noted that APT29 continues to target Microsoft 365 with superior operational security and cutting-edge methods.

TTPs used by APT29:

• Take the token-signing certificate for Active Directory Federation Services (AD FS) and use it to create fake tokens for any users (sometimes described as Golden SAML). As a result, the attacker would be able to log in as any user to a federated resource provider (like Microsoft 365) without needing that user’s password or the associated multi-factor authentication (MFA) system.
• Access high-privileged directory roles, such as Global Administrator or Application Administrator, that are assigned to on-premises user accounts synchronized to Microsoft 365.
• Modify or add trusted domains in Azure AD to add a new attacker-controlled federated identity provider (IdP). This has been termed an Azure AD backdoor and would enable the attacker to manufacture tokens for any user.
• Use the legitimate permissions provided to the program, such as the ability to read email, send email as an arbitrary user, access user calendars, etc., while avoiding MFA by hijacking an existing Microsoft 365 application by adding a rogue credential to it.
• Change the permissions of folders in a victim’s mailbox (such as the inbox) so that any other user in the victim’s Microsoft 365 environment can view the contents of those folders.
• Target and compromise Cloud Service Providers (CSPs) who are authorized to manage customer tenants for the enterprises that APT29 is targeting, then take advantage of the access granted to the CSP to carry out post-compromise operations against the target company.
• To disable security monitoring capabilities, disable the Purview Audit license for Microsoft 365 Advanced Auditing on the selected accounts.

Abusing M365:

Different licensing models are used by Microsoft 365 to regulate each user’s access to the services offered by the Microsoft 365 family of products. Security and compliance options, such as log retention and Mail Items Accessed logging in Purview Audit, can also be determined by licensing. The most popular licenses are E1, E3, and E5, although licensing in M365 is complicated because there are many different license options and granular add-ons.

Purview Audit on targeted accounts in a compromised tenant has been disabled by APT29, according to Mandiant. Once disabled, they start collecting emails from the inbox. The organization is currently unable to determine which accounts the threat actor targeted for email collection and when due to a lack of available logging. Following the disablement of Purview Audit, Mandiant believes that email collection is the most likely activity given the targeting and TTPs of APT29.

Threat actors, such as APT29, are starting to take advantage of the MFA self-enrollment process in Azure Active Directory and other platforms, according to a new trend that Mandiant has started to see. Most platforms let users enroll their first MFA device at the subsequent login when MFA is implemented for the first time by an organization. Organizations frequently choose this method for implementing MFA. The MFA enrollment process is not further enforced in the default configuration of Azure AD or other platforms. In other words, as long as they are the first person to enroll MFA, anyone who knows the login and password can access the account from any place and on any device.

Detection:

• To confirm that all authentications came through AD FS, compare entries in the Azure AD Sign-Ins log against the security event logs of the on-premises AD FS servers.
• Identify log events that are generated by these activities, set rules to alert them, and check the events’ validity.
• Keep an eye out for attempts by a user to access a network or computer resource, frequently by providing credentials that could be used to search hacked systems for and get insecurely stored credentials.
• Monitor executed commands and arguments for actions that may target an Exchange server, Office 365, or Google Workspace to collect sensitive information.
• Monitor for changes to Azure Activity Logs for Service Principal and Application modifications.

Mitigation:

• Ensure Azure AD and Azure Identity Protection is configured with MFA, conditional access policies, risk-based and contextual-based authentication, access only from managed devices, and risky-login verification.
• Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security/logging services.
• Apply the least-privilege principle. Do not permit a domain user to have multiple systems’ local administrator group memberships.
• Rotate the token-signing AD FS certificate quickly twice to invalidate any tokens created with the prior certificate in order to mitigate the effects of a previously faked SAML token.
• Limit access and permissions to the AD FS server to workstations with privileged access only.
• To reduce the value of usernames and passwords to adversaries, it is advised as a best practice to utilize multi-factor authentication for webmail servers that are accessible to the general public.