Cybersecurity company Mandiant has discovered that an elite group of Russian hackers, otherwise known as the APT29 group, is using a new technique to target enterprise networks. The researchers warn that the hackers are abusing the multifactor authentication (MFA) enrollment process to gain unauthorized access to dormant Microsoft accounts.
MFA is a security protection used in addition to passwords. It requires users to have something in their possession, usually a verified authenticator device like a security token or authenticator app on a mobile phone. Providing something you have as well as something you know, like a password, considerably reduces the risks of account compromise.
Before a user can use MFA to log into their account, they need to enroll for the service. The APT29 group is abusing the MFA self-enrollment process in Azure AD, the identity management service behind Microsoft 365 and other online services, and in other identity management platforms.
The hackers obtained a list of email addresses and guessed the accounts' passwords with a brute-force attack. Microsoft's risky sign-in protections weren't triggered because the attacks were launched from Azure virtual machines, which use IP address ranges assigned to Microsoft; the attackers either used already compromised accounts or purchased access to the VMs. That makes it difficult for Microsoft's detection systems to identify the behaviour as risky.
And because no additional controls on the MFA enrollment process are configured by default, once the hackers know the account password they can set up MFA themselves and log into the account. In short, anybody who obtains an email address and password can complete MFA enrollment from any location and any device, provided they are the first to do so.
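One defensive check a tenant admin can run against exported Azure AD audit data is to flag every security-info registration that came from outside the corporate network or landed on an account that had not signed in for months. The script below is an added example, not code from Mandiant or Microsoft; the event field names, IP ranges and accounts are constructed for illustration and would need mapping to your own export format.

```python
# Added example (not from Mandiant or Microsoft): flag MFA self-enrollment
# events from an untrusted network or on a dormant account.
# Event field names and all sample data below are constructed.
from datetime import datetime, timedelta
import ipaddress

# Constructed: last successful sign-in per account, as an admin could export.
LAST_SIGN_IN = {
    "alice@example.com": datetime(2022, 8, 20),
    "svc-old@example.com": datetime(2021, 11, 3),   # idle for months
    "bob@example.com": datetime(2022, 8, 28),
}

# Constructed: corporate egress ranges treated as trusted locations.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed audit events modelled on Azure AD's
# "User registered security info" activity.
AUDIT_EVENTS = [
    {"time": datetime(2022, 8, 29, 9, 5), "user": "alice@example.com",
     "activity": "User registered security info", "ip": "203.0.113.10"},
    {"time": datetime(2022, 8, 29, 2, 17), "user": "svc-old@example.com",
     "activity": "User registered security info", "ip": "198.51.100.77"},
    {"time": datetime(2022, 8, 29, 11, 0), "user": "bob@example.com",
     "activity": "User registered security info", "ip": "198.51.100.5"},
]

def is_trusted(ip: str) -> bool:
    """True if the source address falls inside a trusted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def flag_registrations(events, last_sign_in, dormant_days=90):
    """Return (user, reasons) for each security-info registration that
    came from an untrusted IP or hit an account idle for dormant_days."""
    findings = []
    for ev in events:
        if ev["activity"] != "User registered security info":
            continue
        reasons = []
        if not is_trusted(ev["ip"]):
            reasons.append("registration from untrusted IP " + ev["ip"])
        last = last_sign_in.get(ev["user"])
        if last is None or ev["time"] - last > timedelta(days=dormant_days):
            reasons.append("account idle > %d days before enrollment" % dormant_days)
        if reasons:
            findings.append((ev["user"], reasons))
    return findings

if __name__ == "__main__":
    for user, reasons in flag_registrations(AUDIT_EVENTS, LAST_SIGN_IN):
        print(user, "; ".join(reasons))
```

In the constructed data, alice's registration is clean, bob's is flagged only for the untrusted source address, and the idle service account trips both checks.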
While this new type of attack, where hackers use dormant accounts to get access to your organization, might seem alarming, there are some things you can do to prevent it.
Microsoft recommends using MFA. And while, as Mandiant points out, it isn’t a silver bullet, MFA does considerably lower the risk of account compromise. So at the very least, you should make sure your Global Admin accounts are protected with MFA.
And despite these newly discovered attacks, you shouldn’t be put off from enabling MFA for your organization.