Updated on 2022-12-01: APT 29’s Slack abuse
Table of Contents
Chinese security firm QiAnXin has a report out detailing a recent APT29 campaign targeting Italy, where the Russian hacking group has deployed versions of the EnvyScout malware. QiAnXin notes that the attacks used collaboration platform Slack as a C&C channel and payload delivery system. Previously, APT29 used enterprise apps Dropbox and Trello in a similar fashion. Read more: 被滥用的Slack服务:APT29针对意大利的攻击活动分析
Updated on 2022-11-10
Researchers found that the Russia-linked APT29 cyberespionage gang abused Credential Roaming, a Windows feature, to phish a European diplomatic entity earlier this year. Read more: They See Me Roaming: Following APT29 by Taking a Deeper Look at Windows Credential Roaming
Updated on 2022-11-09: APT29
Mandiant has a technical report out on how the Russian state-sponsored group APT29 has abused a feature called Windows Credential Roaming in a recent attack against a European diplomatic entity. Read more:
- They See Me Roaming: Following APT29 by Taking a Deeper Look at Windows Credential Roaming
- Certs On Wheels: Understanding Credential Roaming
Overview: Mandiant: Russian Hackers are Targeting Microsoft 365 Accounts
In a blog post, Mandiant highlights some tactics, techniques, and procedures (TTPs) the APT29 espionage group is using to target Microsoft 365 accounts. The hackers, who have ties to Russia’s government, have been observed disabling licenses, taking over dormant accounts, and focusing on operational security.
Note
- Not just Russian hackers, but pretty much anybody in the cybercrime game is going after Microsoft 365 accounts. Just like for any cloud-based service, 2FA is a must and accounts as well as account configurations need to be carefully audited, even if you are not in the cross hairs of nation state attackers.
- They are disabling logging, such as Purview Audit (formerly Advanced Audit) which is required to enable the Mail Items Accessed audit which is a very effective tool for determining specific accesses to Mail items. Make sure that you’ve enabled MFA for _ALL_ accounts, including dormant/disabled accounts. Make sure the MFA self-enrollment process leverages features such as conditional access to ensure an adversary who guesses credentials isn’t able to self-enroll before the legitimate user can. When considering MS 365 security, don’t underestimate the skills of possible attackers.
Read more in
- You Can’t Audit Me: APT29 Continues Targeting Microsoft 365
- Russian APT29 hackers abuse Azure services to hack Microsoft 365 users
- Hackers are using this sneaky exploit to bypass Microsoft’s multi-factor authentication
- Russia’s APT29 targeting Microsoft 365 Users
Alex Lim
Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two chilrdren. You can reach him at [email protected] or follow him on Website | Twitter | Facebook
