Recently, around 18,000 public and private organizations around the world were compromised by the Russian state-backed group known as Cozy Bear. The group allegedly got in through a supply chain attack that planted malicious code in the network management software those organizations were already running.
According to researchers at the security firm Volexity, the attackers devised a clever way to bypass the multi-factor authentication protecting the networks they targeted. Volexity observed that, after gaining administrator privileges on a victim's network, Cozy Bear used those rights to read the Duo Security integration secret key (the 'akey') from the server running Outlook Web App. With the akey in hand they generated a valid Duo session cookie for an account whose username and password they had already stolen, so the login completed without ever triggering a second-factor prompt. The akey does not reveal passwords; it lets whoever holds it forge the proof that the second factor was satisfied.
Volexity says it encountered the same attackers in late 2019 and early 2020, when they broke into a think tank three times. The firm believes the attackers had remained undetected in the think tank's systems for several years.
In recent reports, both the Washington Post and the New York Times cited government sources saying the group behind the hacks is known as APT29 and Cozy Bear, an advanced persistent threat group believed to be run by Russian intelligence (this article attributes it to the Federal Security Service, FSB; other public reporting ties the group to the foreign intelligence service, SVR).
In this case the MFA provider was Duo Security, but Volexity stressed that the technique is not a flaw in Duo specifically: any MFA integration whose secret key is stored on a server the attacker fully controls can be bypassed the same way, because the server-side secret is exactly what the product uses to decide that the second factor was completed.
In a statement, Duo said,
The described incidents were not due to any vulnerability in Duo's products. Rather, the post details an attacker that achieved privileged access to integration credentials, which are integral for the management of the Duo service, from within an existing compromised customer environment, such as an email server. In order to reduce the likelihood of such an event, it is critical to protect integration secrets from exposure within an organization and to rotate secrets if compromise is suspected.