Attackers are abusing dormant Microsoft accounts to defeat multi-factor authentication (MFA) and gain access to cloud services and corporate networks, according to new research.
The technique was detailed by researchers at Mandiant, who say it is being used in campaigns by APT29, also known as Cozy Bear, a hacking and espionage operation generally believed to be linked to Russia's Foreign Intelligence Service (SVR). Other threat groups are likely to use the same tactic.
Multi-factor authentication is a valuable control for organizations trying to prevent account hijacking and attacks on cloud services and other parts of the network. But while it is highly effective at stopping intrusions, it is not infallible, and attackers keep finding ways around it.
According to Mandiant, the attackers abuse the self-enrollment process for MFA in Microsoft Azure Active Directory and other platforms to take control of Microsoft 365 and other accounts.
Set up multi-factor authentication
When organizations first roll out MFA, many platforms let users enroll their MFA device, usually a smartphone, the next time they sign in. This approach is common because it is the quickest way to get MFA onto as many accounts as possible.
But, as the researchers note, if the MFA enrollment process requires no additional verification, anyone who knows an account's username and password can enroll their own device, provided they get there first. Attackers use this window to take over accounts.
In the case Mandiant details, attackers attributed to APT29 obtained a list of mailboxes (Mandiant has not disclosed which) through unknown means and managed to guess the password of an account that had been set up but never used.
Because the account had never signed in, Azure Active Directory prompted the attacker to set up MFA. The attacker not only gained control of the account but enrolled a device they controlled, so MFA now granted them access rather than keeping them out.
From there, the attackers used the account to reach the victim organization's VPN infrastructure. The researchers do not disclose the victim's identity or the goal of the attack.
The incident shows that even with MFA in place, attackers can turn the enrollment step against it and quietly use inactive accounts, which may go unnoticed for some time.
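The pattern above, a password guessed on a never-used account followed minutes later by the attacker enrolling their own MFA device from the internet, leaves two traces a defender can look for: enabled accounts with no sign-in history, and a security-info registration that follows an account's first-ever successful sign-in from an untrusted address. The following is an added example written for this article, not code from Mandiant or from the original page. The record shapes are simplified from Microsoft Graph's user (signInActivity), signIn and directoryAudit resources, the sample records are constructed, and the trusted network ranges are an assumption to be replaced with the tenant's own named locations.

```python
"""Flag dormant accounts and suspicious first-time MFA enrollment.

Added example; not Mandiant's or the article's code. Log shapes are
simplified from Microsoft Graph, and all records below are constructed.
"""
from datetime import datetime, timedelta, timezone
import ipaddress

# Assumption: the tenant's trusted egress ranges (mirror the Conditional
# Access named locations). Replace with real values.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("198.51.100.0/24")]

# Azure AD audit-log activities written when a user enrols security info.
REGISTRATION_EVENTS = {
    "User registered security info",
    "User registered all required security info",
}

# Constructed snapshot of user objects with signInActivity.
USERS = [
    {"userPrincipalName": "alice@example.com", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2022-08-01T08:15:00Z"}},
    # Taken over below; by the time of this snapshot it is no longer "never used".
    {"userPrincipalName": "contractor7@example.com", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2022-08-03T02:14:00Z"}},
    {"userPrincipalName": "onboard-test@example.com", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": None}},
    {"userPrincipalName": "svc-legacy@example.com", "accountEnabled": False,
     "signInActivity": {"lastSignInDateTime": None}},
]

# Constructed sign-in log; errorCode 0 is success, 50126 is a bad password.
SIGNIN_LOGS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2022-03-14T09:02:00Z",
     "ipAddress": "10.20.30.40", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2022-08-01T08:15:00Z",
     "ipAddress": "10.20.30.40", "status": {"errorCode": 0}},
    {"userPrincipalName": "contractor7@example.com", "createdDateTime": "2022-08-03T02:11:00Z",
     "ipAddress": "203.0.113.77", "status": {"errorCode": 50126}},
    {"userPrincipalName": "contractor7@example.com", "createdDateTime": "2022-08-03T02:12:30Z",
     "ipAddress": "203.0.113.77", "status": {"errorCode": 50126}},
    {"userPrincipalName": "contractor7@example.com", "createdDateTime": "2022-08-03T02:14:00Z",
     "ipAddress": "203.0.113.77", "status": {"errorCode": 0}},
]

# Constructed directory audit events (target user and initiator IP flattened).
AUDIT_LOGS = [
    {"activityDisplayName": "User registered security info",
     "activityDateTime": "2022-08-01T08:20:00Z",
     "targetUserPrincipalName": "alice@example.com", "initiatedByIpAddress": "10.20.30.40"},
    {"activityDisplayName": "User registered security info",
     "activityDateTime": "2022-08-03T02:16:00Z",
     "targetUserPrincipalName": "contractor7@example.com", "initiatedByIpAddress": "203.0.113.77"},
]


def parse_ts(s):
    """Graph timestamps are ISO 8601 with a trailing Z (UTC)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def never_used_enabled_accounts(users):
    """Enabled accounts whose signInActivity shows no sign-in ever.

    These are the accounts the campaign targets; disable or remove them
    before someone else claims them.
    """
    return sorted(
        u["userPrincipalName"] for u in users
        if u["accountEnabled"]
        and (u.get("signInActivity") or {}).get("lastSignInDateTime") is None
    )


def suspicious_enrollments(signins, audits, window=timedelta(hours=1)):
    """Security-info registrations within `window` of an account's first
    ever successful sign-in, initiated from an untrusted IP.

    A long-standing user adding a new phone has months of history before
    the registration and is not flagged; a dormant account claimed from
    the internet is.
    """
    by_user = {}
    for s in signins:
        by_user.setdefault(s["userPrincipalName"], []).append(
            (parse_ts(s["createdDateTime"]), s["status"]["errorCode"], s["ipAddress"]))
    findings = []
    for a in audits:
        if a["activityDisplayName"] not in REGISTRATION_EVENTS:
            continue
        upn = a["targetUserPrincipalName"]
        registered_at = parse_ts(a["activityDateTime"])
        ip = a["initiatedByIpAddress"]
        successes = sorted(t for t, code, _ in by_user.get(upn, []) if code == 0)
        if not successes:
            continue
        first = successes[0]
        if registered_at - first > window or is_trusted(ip):
            continue
        # Password guessing that preceded the first success strengthens the finding.
        failed_before = sum(1 for t, code, _ in by_user[upn] if code != 0 and t < first)
        findings.append({"user": upn, "first_sign_in": first.isoformat(),
                         "registered_at": registered_at.isoformat(), "ip": ip,
                         "failed_attempts_before": failed_before})
    return findings


if __name__ == "__main__":
    print("never used:", never_used_enabled_accounts(USERS))
    for f in suspicious_enrollments(SIGNIN_LOGS, AUDIT_LOGS):
        print("suspicious enrollment:", f)
```

One caveat when running this against real exports: the "first successful sign-in" test only works if the sign-in history fed in reaches back further than the retention window of the logs; otherwise every user looks like a first-timer. Combine it with the user object's signInActivity or createdDateTime when the log export is short.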
User legitimacy check
To prevent this, organizations are encouraged to add controls that confirm the person enrolling an MFA device is the legitimate account owner.
“Organizations can restrict registration of MFA devices to only trusted locations, such as an internal network, or trusted devices. Organizations can also require registration of MFA devices,” said Douglas Binstock, Incident Response Manager at Mandiant.
“To avoid the chicken-and-egg situation this creates, help desk employees can issue temporary access passes to employees when they first join or lose their MFA device. The pass can be used for a limited time to sign in, bypass MFA, and register a new MFA device,” he adds.
Microsoft recently introduced a feature that allows organizations to enforce MFA device enrollment controls, which can help prevent cybercriminals from gaining access to accounts. ZDNET has contacted Microsoft for comment.
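The two recommendations quoted above, restricting security-info registration to trusted locations and issuing Temporary Access Passes so new joiners can still enroll, map onto a Conditional Access policy targeting the "Register security information" user action and the Temporary Access Pass authentication-method policy. Below is an added example that is not Microsoft's, Mandiant's or the article's code: a typical "MFA everywhere" policy that leaves the enrollment step unprotected, the hardened policy beside it, a Temporary Access Pass configuration, and small checks that explain what each is missing. The dicts follow the Microsoft Graph conditionalAccessPolicy and temporaryAccessPassAuthenticationMethodConfiguration shapes; the break-glass group ID and the lint rules are this example's own assumptions.

```python
"""Conditional Access and Temporary Access Pass settings for MFA enrollment.

Added example; not Microsoft's, Mandiant's or the article's code. Policy
dicts follow the Microsoft Graph conditionalAccessPolicy and
temporaryAccessPassAuthenticationMethodConfiguration shapes.
"""

# Graph identifier for the "Register security information" user action.
REGISTER_SECURITY_INFO = "urn:user:registersecurityinfo"

# Weak: a common "require MFA for all cloud apps" policy. It never touches
# the registration flow, so whoever signs in first enrols their own device.
WEAK_POLICY = {
    "displayName": "Require MFA for all cloud apps",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Hardened: target the registration user action itself and block it from
# anywhere that is not a trusted named location.
HARDENED_POLICY = {
    "displayName": "Block security info registration outside trusted locations",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"],
                  # Assumption: an emergency-access group so admins cannot lock themselves out.
                  "excludeGroups": ["<break-glass-group-object-id>"]},
        "applications": {"includeUserActions": [REGISTER_SECURITY_INFO]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Temporary Access Pass: a short-lived, single-use credential the help desk
# hands to a new joiner (or someone who lost their phone). It satisfies MFA
# once so they can enrol a real device from outside the office.
TAP_CONFIG = {
    "@odata.type": "#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration",
    "id": "TemporaryAccessPass",
    "state": "enabled",
    "defaultLifetimeInMinutes": 60,
    "maximumLifetimeInMinutes": 480,
    "defaultLength": 8,
    "isUsableOnce": True,
}


def registration_policy_gaps(policy):
    """Return the reasons a Conditional Access policy fails to protect
    MFA registration (empty list means it does)."""
    gaps = []
    cond = policy.get("conditions", {})
    actions = cond.get("applications", {}).get("includeUserActions", [])
    if REGISTER_SECURITY_INFO not in actions:
        gaps.append("does not target the register-security-info user action")
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    # "mfa" is also acceptable here, but only if a Temporary Access Pass
    # exists for users who have nothing to satisfy it with yet.
    if "block" not in controls and "mfa" not in controls:
        gaps.append("grant control neither blocks nor requires MFA")
    excluded = cond.get("locations", {}).get("excludeLocations", [])
    if "block" in controls and "AllTrusted" not in excluded:
        gaps.append("blocks registration everywhere, including trusted locations; exclude AllTrusted")
    if policy.get("state") != "enabled":
        gaps.append("policy is not enabled (report-only changes nothing at sign-in)")
    return gaps


def tap_config_gaps(cfg):
    """Return the reasons a Temporary Access Pass setting is unsafe."""
    gaps = []
    if cfg.get("state") != "enabled":
        gaps.append("TAP method is disabled, so first-day enrollment has no path")
    if not cfg.get("isUsableOnce"):
        gaps.append("passes are reusable; a leaked pass works until it expires")
    if cfg.get("maximumLifetimeInMinutes", 0) > 480:
        gaps.append("pass lifetime exceeds one working day")
    return gaps


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, registration_policy_gaps(pol) or "ok")
    print("TAP", tap_config_gaps(TAP_CONFIG) or "ok")
```

The hardened policy is what the Mandiant quote describes: registration is simply refused unless the request comes from a trusted location. If remote workers must enroll from home, the alternative is to change the grant control to require MFA and let the help desk issue a Temporary Access Pass, which is exactly the chicken-and-egg workaround the quote mentions.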
Because inactive accounts are the main targets of this campaign, security teams should also identify accounts that have never been used and disable or remove them if they are no longer needed. It is also worth making sure such accounts are not left with default passwords, which attackers can easily discover.