After the SolarWinds supply-chain compromise, hackers linked to the Russian Federation Foreign Intelligence Service (SVR) resumed their attacks on various firms’ networks using two newly discovered implants. According to cybersecurity firm CrowdStrike, the implants are a Linux variant of the GoldMax backdoor and a brand-new malware family known as TrailBlazer.
Both threats had been used in StellarParticle campaigns since at least mid-2019 but were discovered only two years later, during incident response investigations. The APT29 hacking group has been blamed for the StellarParticle attacks. This group, also known as CozyBear, Yttrium, and The Dukes, has been conducting cyber-espionage operations for over 12 years.
CrowdStrike published a report detailing the newest tactics, techniques, and procedures (TTPs) used by the Cozy Bear state-sponsored hackers. The initial step of the attack was credential hopping, which allowed the threat actor to log into Office 365 from an internal server that the hackers had reached via a compromised public-facing system.
According to CrowdStrike, this technique is difficult to detect in environments with little visibility into identity usage, because the hackers may use multiple domain administrator accounts. Stealing browser cookies has been used to circumvent MFA and gain access to cloud resources since before 2020. CrowdStrike explains that APT29 stayed quiet after decrypting the authentication cookies, most likely offline, and replaying them with the Cookie Editor extension for Chrome; they then uninstalled the extension.
“This extension permitted bypassing MFA requirements, as the cookies, replayed through the Cookie Editor extension, allowed the threat actor to hijack the already MFA-approved session of a targeted user” – CrowdStrike
This allowed them to move laterally on the network and proceed to the next attack step, which involved connecting to the victim’s O365 tenant. CrowdStrike’s report details the measures APT29 used to maintain persistent access to any email and SharePoint or OneDrive files of the infiltrated business.
After gaining access to a target organization’s infrastructure and establishing persistence, the APT29 hackers took every opportunity to gather intelligence that would allow them to continue the attack. Drawing information from the victim’s internal knowledge repositories, or wikis, was a common technique. These documents may include sensitive information about the company’s numerous services and products.
“This information included items such as product/service architecture and design documents, vulnerabilities and step-by-step instructions to perform various tasks. Additionally, the threat actor viewed pages related to internal business operations such as development schedules and points of contact. In some instances these points of contact were subsequently targeted for further data collection” – CrowdStrike
According to CrowdStrike’s deep dive into APT29’s StellarParticle campaigns, the threat actor connected to the victim’s O365 tenant via the Windows Azure Active Directory PowerShell Module and executed enumeration queries for roles, members, users, domains, accounts, and service principal credentials.
While examining the log entries, the researchers discovered that the threat actor had also used the AddServicePrincipalCredentials operation. Researchers say the attacker added a new secret to an application and set its validity to more than ten years. With the permission level gained in this manner, the hackers had access to all business mail and SharePoint/OneDrive data, as well as the ability to “create new accounts and assign administrator privileges to any account in the organization”.
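One way a defender can hunt for the behaviour described above (a credential added to a service principal with an unusually long validity) is to correlate credential-add audit events with a service principal credential inventory. The following is an added example written for this article, not CrowdStrike’s code or a Microsoft tool; the audit records and credential inventory are constructed, and their field names (operationName, activityDateTime, initiatedBy, targetId, servicePrincipalId, keyId, startDateTime, endDateTime) are a simplified assumption rather than the exact Azure AD audit or Graph schema, so adapt the field mapping to your own export.

```python
"""Flag newly added, long-lived service principal credentials.

Added example for this article; the record layout below is a simplified,
assumed schema, and all sample data is constructed.
"""
import json
from datetime import datetime, timedelta

# Operation names treated as "credential added to a service principal".
# The display form is assumed; the second form is how the article names it.
CREDENTIAL_ADD_OPS = {
    "Add service principal credentials",
    "AddServicePrincipalCredentials",
}

# Credentials valid for longer than this are flagged (tuning choice for this
# example; the article describes a secret valid for more than ten years).
MAX_VALIDITY = timedelta(days=730)

# How close an audit event must be to a credential's start time to be linked.
MATCH_WINDOW = timedelta(hours=1)

# Constructed audit log export (JSON Lines), one entry per line.
SAMPLE_AUDIT_LOG = """\
{"activityDateTime": "2021-06-01T10:15:00Z", "operationName": "Add service principal credentials", "initiatedBy": "admin@example.test", "targetId": "sp-1111"}
{"activityDateTime": "2021-06-01T10:20:00Z", "operationName": "Update application", "initiatedBy": "admin@example.test", "targetId": "sp-1111"}
{"activityDateTime": "2021-06-02T08:00:00Z", "operationName": "Add service principal credentials", "initiatedBy": "svc-admin@example.test", "targetId": "sp-2222"}
"""

# Constructed credential inventory, as an enumeration of password
# credentials per service principal might produce.
SAMPLE_CREDENTIALS = json.loads("""[
  {"servicePrincipalId": "sp-1111", "keyId": "key-0001",
   "startDateTime": "2021-06-01T10:15:00Z", "endDateTime": "2022-06-01T10:15:00Z"},
  {"servicePrincipalId": "sp-2222", "keyId": "key-0002",
   "startDateTime": "2021-06-02T08:00:00Z", "endDateTime": "2031-06-02T08:00:00Z"}
]""")


def parse_time(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def credential_add_events(audit_log_text):
    """Return the audit entries whose operation adds a credential to a service principal."""
    events = []
    for line in audit_log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry.get("operationName") in CREDENTIAL_ADD_OPS:
            events.append({
                "time": parse_time(entry["activityDateTime"]),
                "actor": entry.get("initiatedBy", "unknown"),
                "servicePrincipalId": entry["targetId"],
            })
    return events


def long_lived_credentials(credentials, max_validity=MAX_VALIDITY):
    """Return credentials whose validity period exceeds max_validity."""
    flagged = []
    for cred in credentials:
        validity = parse_time(cred["endDateTime"]) - parse_time(cred["startDateTime"])
        if validity > max_validity:
            flagged.append({**cred, "validityDays": validity.days})
    return flagged


def correlate(audit_log_text, credentials, max_validity=MAX_VALIDITY, window=MATCH_WINDOW):
    """Link each long-lived credential to the identity that added it, when an audit event matches."""
    adds = credential_add_events(audit_log_text)
    findings = []
    for cred in long_lived_credentials(credentials, max_validity):
        start = parse_time(cred["startDateTime"])
        actors = sorted({
            e["actor"] for e in adds
            if e["servicePrincipalId"] == cred["servicePrincipalId"]
            and abs(e["time"] - start) <= window
        })
        findings.append({
            "servicePrincipalId": cred["servicePrincipalId"],
            "keyId": cred["keyId"],
            "validityDays": cred["validityDays"],
            "addedBy": actors,
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_AUDIT_LOG, SAMPLE_CREDENTIALS):
        print(json.dumps(finding))
```

On the constructed sample this reports a single finding: key-0002 on sp-2222, valid for 3652 days and added by svc-admin@example.test. In practice the validity threshold should match the organisation’s credential-rotation policy, and a finding whose addedBy list is empty (a long-lived credential with no matching audit event) is worth investigating too, since it may predate log retention.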