Cybersecurity company Mandiant has reported that a state-sponsored group is using a new technique against enterprise networks. Rather than defeating multifactor authentication (MFA), the attackers abuse the MFA enrollment process itself to take over dormant Microsoft (Azure AD) accounts that have never registered a second factor.
According to Mandiant's researchers, the technique is being used in campaigns by APT29 to get into accounts that are nominally protected by MFA. APT29 is assessed to operate on behalf of the Russian Foreign Intelligence Service (SVR); the threat actor is also tracked as Cozy Bear, the Dukes, and Nobelium.
Specifically, APT29 abuses the MFA self-enrollment process in Azure AD (and, as Mandiant notes, in other platforms with similar defaults). In the case Mandiant observed, the group obtained a list of mailboxes and guessed the password of an account that had been created but never used by its owner. Because no MFA method had ever been registered on that dormant account, Azure AD prompted the attacker to enroll one; once enrolled, the attacker used the account to reach the victim's VPN infrastructure, which relied on Azure AD for authentication and MFA.
“When an organization first enforces MFA, most platforms allow users to enroll their first MFA device at the next login,” Mandiant explained. “In Azure AD and other platforms’ default configuration, there are no additional enforcements on the MFA enrollment process. In other words, anyone with knowledge of the username and password can access the account from any location and any device to enroll MFA, so long as they are the first person to do it.”
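The weakness described above leaves a usable trace: the enrollment shows up as a security-info registration event by an account that has no real sign-in history, typically from a network the organization does not own. The following added example (it is not Mandiant's code) runs that check over constructed log records. The records imitate Azure AD sign-in and audit log entries as exposed by the Microsoft Graph API (`createdDateTime`, `status.errorCode`, `activityDisplayName`, `initiatedBy.user`), but the field layout is an approximation, and the users, timestamps and IP ranges are invented for the example.

```python
"""Hunt for MFA self-enrollment by dormant accounts from untrusted networks.

Added example, not code from Mandiant or Microsoft. The log records are
constructed; field names approximate the Graph API sign-in and directory
audit schemas and may not match an exact export.
"""
from datetime import datetime, timedelta, timezone
import ipaddress

# Assumed corporate egress range (RFC 5737 documentation space).
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def ts(value):
    """Parse an ISO-8601 timestamp (no offset in the sample data) as UTC."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def is_trusted(ip, trusted_nets=TRUSTED_NETS):
    """True when the source IP falls inside a trusted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_nets)


# Constructed sign-in log. status.errorCode 0 is a successful sign-in;
# 50126 is "invalid username or password".
SIGNINS = [
    {"createdDateTime": "2022-01-10T09:00:00", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2022-02-01T08:30:00", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2022-02-20T10:15:00", "userPrincipalName": "carol@example.com",
     "ipAddress": "203.0.113.22", "status": {"errorCode": 0}},
    # bob's account was created long ago but never used; this is its first
    # ever successful sign-in, from a non-corporate address.
    {"createdDateTime": "2022-03-01T02:00:00", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    # dave only ever appears as a failed guess.
    {"createdDateTime": "2022-03-01T02:01:00", "userPrincipalName": "dave@example.com",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
]

# Constructed directory audit log entries for security-info registration.
AUDITS = [
    {"activityDateTime": "2022-02-15T11:00:00", "activityDisplayName": "User registered security info",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10"}}},
    {"activityDateTime": "2022-03-01T02:03:00", "activityDisplayName": "User registered security info",
     "initiatedBy": {"user": {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7"}}},
    {"activityDateTime": "2022-03-02T19:40:00", "activityDisplayName": "User registered security info",
     "initiatedBy": {"user": {"userPrincipalName": "carol@example.com", "ipAddress": "192.0.2.44"}}},
]


def prior_signins(upn, before, signins, grace=timedelta(hours=24)):
    """Successful sign-ins for `upn` older than `grace` before `before`.

    The grace window drops the sign-in that accompanies the enrollment itself,
    so an account whose only success is the attacker's login counts as dormant.
    """
    cutoff = before - grace
    return [s for s in signins
            if s["userPrincipalName"] == upn
            and s["status"]["errorCode"] == 0
            and ts(s["createdDateTime"]) < cutoff]


def find_suspicious_enrollments(audits, signins, trusted_nets=TRUSTED_NETS):
    """Map each flagged user to the reasons their enrollment looks wrong."""
    findings = {}
    for event in audits:
        if event["activityDisplayName"] != "User registered security info":
            continue
        actor = event["initiatedBy"]["user"]
        upn, ip = actor["userPrincipalName"], actor["ipAddress"]
        reasons = []
        if not prior_signins(upn, ts(event["activityDateTime"]), signins):
            reasons.append("dormant_account")
        if not is_trusted(ip, trusted_nets):
            reasons.append("untrusted_network")
        if reasons:
            findings[upn] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in find_suspicious_enrollments(AUDITS, SIGNINS).items():
        print(f"{user}: {', '.join(reasons)}")
```

Run against the constructed data, only bob (dormant account, untrusted network) and carol (untrusted network only) are flagged; alice's enrollment from the corporate range with months of sign-in history is ignored. The two reasons deserve different handling: a dormant account enrolling from an unknown network is the pattern Mandiant describes and warrants immediate revocation of the new method, while an active user enrolling from home may just be a new phone.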
Mandiant recommends that organizations have controls in place to verify a user's identity before a new MFA device can be enrolled. Microsoft recently added the ability to apply Conditional Access policies to the security information registration step, which lets administrators restrict who may enroll, from where, and from which devices; applied to dormant accounts, it keeps an attacker who has only guessed a password from completing the enrollment.
For example, enrollment can be limited to trusted devices or to trusted network locations such as the corporate network. For new hires, or when a user loses their MFA device, the help desk can issue a time-limited Temporary Access Pass after verifying the person's identity, so that nobody has to self-enroll from an untrusted location without a check.
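The following added example (not Microsoft's or Mandiant's code) shows what the recommended control looks like in practice: a Conditional Access policy body, in the shape accepted by the Microsoft Graph `identity/conditionalAccess/policies` endpoint, that blocks the "register security information" user action from everywhere except trusted locations. Alongside it, `can_self_enroll` is a deliberately simplified model of how such a policy changes the outcome of the attack described above (it checks only state, user exclusions and trusted location, and does not reproduce Conditional Access's full evaluation), so the default "first valid password wins" behaviour can be compared with the hardened one. The break-glass account id is a placeholder, and nothing is sent to Graph.

```python
"""Conditional Access policy that gates MFA self-enrollment, with a
simplified model of its effect.

Added example, not Microsoft's or Mandiant's code. `registration_policy`
returns the JSON body an administrator would POST to
https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.
`can_self_enroll` is a toy evaluator written for this example only.
"""
from dataclasses import dataclass

# Assumed object id of an emergency-access (break-glass) account that must
# never be locked out of security-info registration.
BREAK_GLASS_ID = "00000000-0000-0000-0000-000000000001"


def registration_policy(state="enabledForReportingButNotEnforced"):
    """Block the security-info registration user action outside trusted
    locations. Defaults to report-only so the effect can be reviewed in the
    sign-in logs before enforcement; pass state="enabled" to enforce."""
    return {
        "displayName": "Block MFA enrollment outside trusted locations",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ID]},
            "applications": {"includeUserActions": ["urn:user:registersecurityinfo"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


@dataclass
class EnrollmentAttempt:
    """One attempt to register the first MFA method on an account."""
    user_id: str
    has_valid_password: bool   # attacker guessed it, or the real user knows it
    already_enrolled: bool     # someone has already registered a method
    from_trusted_location: bool


def can_self_enroll(attempt, policy=None):
    """Simplified model: with no policy (the default Mandiant describes), the
    first valid password from anywhere wins. With the blocking policy
    enforced, enrollment succeeds only from a trusted location or for an
    excluded (break-glass) account."""
    if not attempt.has_valid_password or attempt.already_enrolled:
        return False
    if policy is None or policy["state"] != "enabled":
        return True  # no policy, or report-only: nothing is enforced
    if attempt.user_id in policy["conditions"]["users"]["excludeUsers"]:
        return True
    excluded_locations = policy["conditions"]["locations"]["excludeLocations"]
    if attempt.from_trusted_location and "AllTrusted" in excluded_locations:
        return True  # trusted locations are carved out of the policy
    return "block" not in policy["grantControls"]["builtInControls"]


if __name__ == "__main__":
    attacker = EnrollmentAttempt("dormant-user", True, False, False)
    print("default:", can_self_enroll(attacker))
    print("enforced:", can_self_enroll(attacker, registration_policy("enabled")))
```

Two points the model makes visible: a policy left in report-only mode changes nothing about the attack, and the trusted-location carve-out is what lets a genuine new hire enroll from the office while the same password guess from an outside network is refused. Replacing `"block"` with a grant control such as requiring a compliant device is the other option the text mentions; the user-action condition stays the same.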