On March 8, Microsoft announced that hackers employed by Russia’s Foreign Intelligence Service (SVR), codenamed Midnight Blizzard, Nobelium, and APT29, recently gained access to some of its internal systems and source code repositories.
The hackers used authentication secrets, such as tokens, API keys, and credentials, they previously stole from Microsoft in January 2024 after a successful password spraying attack on a legacy account without multi-factor authentication (MFA) enabled.
The targeted account had access to an OAuth application with elevated access to Microsoft’s corporate environment, allowing APT29 to obtain data from corporate mailboxes belonging to members of Microsoft’s leadership team, and cybersecurity and legal departments. Microsoft suspects that these mailboxes were targeted so APT29 could learn what information Microsoft had on them and their activities.
While Microsoft has confirmed that APT29 has been able to access some of its source code repositories and internal systems, it has not yet found evidence to suggest that Microsoft-hosted customer-facing systems have been compromised.
However, APT29 was able to obtain authentication secrets shared between Microsoft and some of its customers that were contained on the breached email server. Microsoft has contacted affected customers and provided mitigation guidance.
Source: Bleeping Computer
Analysis
The specific targeting of cybersecurity and legal departments indicates that APT29 considers Microsoft an adversary, especially given the company’s ability to investigate and counter APT29’s tactics, techniques, and procedures (TTPs).
Understanding Microsoft’s capabilities and intentions regarding its activities helps APT29 develop methods to overcome the security controls Microsoft embeds into its products to prevent its attacks.
Furthermore, APT29 is a sophisticated threat actor capable of analyzing stolen source code to identify zero-day vulnerabilities that can be leveraged in future attacks.
The widespread use of Microsoft products means any zero-day vulnerability discovered could lead to thousands of potential exploitation opportunities. This is ideal for APT29, a group that has proven to be capable of simultaneously compromising thousands of targets via supply chain attacks.
Mitigation
Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for changes in the tactics, techniques, and procedures (TTPs) associated with state-sponsored cyber actors such as APT29. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities. Covalence users have been automatically notified via the Covalence Portal if suspicious and/or unauthorized cloud login attempts, like those mentioned above, are detected.
The most effective way to mitigate the risk posed by APT29’s latest threat activity is to prevent the group from getting initial access in the first place. Organizations should:
- Enforce multi-factor authentication (MFA) and complex password requirements.
- Monitor for and/or block login attempts from countries from which employees aren’t expected to log in, as well as from TOR, VPN, and high-risk IP addresses.
- Reduce the lifetime of session tokens so that if stolen, they are of limited use to the threat actor.
- Delete dormant or inactive user accounts.
- Allow only authorized devices to enrol in the cloud environment.
Related articles
