Security researchers have observed APT29 (Cozy Bear) targeting dormant Microsoft accounts in hopes of being the first to enroll them in multi-factor authentication (MFA). Here's what you need to know.
Typically, when an organization first rolls out MFA, it lets users enroll their MFA device the next time they log in. APT29 gathered a list of accounts from one organization and figured out the password of an account that had been configured but never used. This let the group configure MFA itself the first time it logged in with the stolen account. Once MFA was configured and the login completed, the account gave the group initial access, including access to the organization's VPN infrastructure. Other threat actors are likely using these tactics as well.
APT29 is a threat group connected to Russia’s Foreign Intelligence Service (SVR). The group has been around since at least 2008 and focuses its efforts on uncovering confidential information stored in the networks of governmental organizations, political groups and think tanks. Most recently, the group has been targeting the U.S. and NATO countries. In addition to Cozy Bear, APT29’s associated groups include CozyDuke, The Dukes, StellarParticle, Dark Halo, IRON HEMLOCK, IRON RITUAL, YTTRIUM and UNC2452.
Nuspire regularly audits for dormant accounts while following recommended security practices.
Organizations should be mindful of dormant accounts and disable them if they have no purpose, as well as ensure they are not secured with a weak default password that can easily be guessed. Additionally, organizations can restrict the registration of MFA to only trusted locations like the internal network or specific trusted devices. Lastly, organizations can require MFA to enroll MFA. In this configuration, help desk personnel can issue a temporary access pass when an employee first joins or if they lose their MFA device, providing a limited time to log in, bypass MFA and register a new device.
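As an added example (not part of the original post or of Nuspire's tooling), the following Python audit scores a constructed directory export for the exact pattern described above: enabled accounts that were provisioned but never signed in and still have no MFA method registered. The record fields, the 90-day staleness threshold and the sample users are assumptions; adapt them to whatever your identity provider exports.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
# Reference date and staleness threshold for this constructed example.
NOW = datetime(2022, 9, 1, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)

@dataclass
class Account:
    upn: str
    enabled: bool
    last_sign_in: Optional[datetime]  # None: provisioned but never signed in
    mfa_methods: int                  # registered MFA methods (0 = none yet)

def classify(acct: Account, now: datetime = NOW) -> Optional[str]:
    """Risk label for one account, or None when it looks healthy.
    Worst case is the one in the APT29 report: enabled, never signed in,
    no MFA registered, so whoever guesses the password enrolls MFA."""
    if not acct.enabled:
        return None
    no_mfa = acct.mfa_methods == 0
    if acct.last_sign_in is None:
        return "never-used-no-mfa" if no_mfa else "never-used"
    if now - acct.last_sign_in > STALE_AFTER:
        return "stale-no-mfa" if no_mfa else "stale"
    return "active-no-mfa" if no_mfa else None

# Follow-up per label, mirroring the mitigations in the post.
ACTION = {
    "never-used-no-mfa": "disable; re-enable only via a temporary access pass",
    "stale-no-mfa": "disable; re-enable only via a temporary access pass",
    "never-used": "confirm purpose with owner or disable",
    "stale": "confirm purpose with owner or disable",
    "active-no-mfa": "force MFA registration from a trusted location",
}

def audit(accounts: list) -> list:
    """Return (upn, label, action) for every account that needs attention."""
    return [(a.upn, lbl, ACTION[lbl]) for a in accounts if (lbl := classify(a))]

# Constructed sample export (not real users).
SAMPLE = [
    Account("svc-backup@example.test", True, None, 0),
    Account("j.doe@example.test", True, NOW - timedelta(days=3), 1),
    Account("contractor@example.test", True, NOW - timedelta(days=200), 1),
    Account("old-temp@example.test", False, None, 0),
    Account("new-hire@example.test", True, NOW - timedelta(days=1), 0),
]

if __name__ == "__main__":
    for upn, label, action in audit(SAMPLE):
        print(f"{upn:26} {label:18} {action}")
```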
In summary: