Russia's APT29 Mimics AWS Domains to Steal Windows Credentials

Published: 23/11/2024   Category: security




Kremlin intelligence carried out a wide-scale phishing campaign, in contrast to its usual, more narrowly targeted operations.



Russia's premier advanced persistent threat group has been phishing thousands of targets in militaries, public authorities, and enterprises.

APT29 (aka Midnight Blizzard, Nobelium, Cozy Bear) is arguably the world's most notorious threat actor. An arm of the Russian Federation's Foreign Intelligence Service (SVR), it is best known for the historic breaches of SolarWinds and the Democratic National Committee (DNC). More recently, it has breached Microsoft's codebase and political targets across Europe, Africa, and beyond.
"APT29 embodies the 'persistent' part of 'advanced persistent threat,'" says Satnam Narang, senior staff research engineer at Tenable. "It has persistently targeted organizations in the United States and Europe for years, utilizing various techniques, including spear-phishing and exploitation of vulnerabilities to gain initial access and elevate privileges. Its modus operandi is the collection of foreign intelligence, as well as maintaining persistence in compromised organizations in order to conduct future operations."
Along these same lines, the Computer Emergency Response Team of Ukraine (CERT-UA) recently discovered APT29 phishing Windows credentials from government, military, and private sector targets in Ukraine. After comparing notes with authorities in other countries, CERT-UA found that the campaign actually spanned a wide geography.

That APT29 would go after sensitive credentials from geopolitically prominent and diverse organizations is no surprise, Narang notes, though he adds that "the one thing that does kind of stray from the path would be its broad targeting, versus [its typical more] narrowly focused attacks."
The campaign, which dates back to August, was carried out using malicious domain names designed to seem like they were associated with Amazon Web Services (AWS). The emails sent from these domains pretended to advise recipients on how to integrate AWS with Microsoft services, and how to implement zero trust architecture.
Despite the masquerade, AWS itself reported that the attackers weren't after Amazon or its customers' AWS credentials.

What APT29 really wanted was revealed in the attachments to those emails: configuration (.rdp) files for Remote Desktop, Microsoft's client for the Remote Desktop Protocol (RDP). RDP is a popular tool that legitimate users and attackers alike use to operate computers remotely.
"Normally, attackers will try to brute force their way into your system or exploit vulnerabilities, then have RDP configured. In this case, they're basically saying: 'We want to establish that connection [upfront],'" Narang says.
Opening one of these malicious attachments would have immediately triggered an outgoing RDP connection to an APT29 server. But that wasn't all: the files also carried a number of other malicious parameters, so that once the connection was made, the attacker was given access to the target computer's storage, clipboard, audio devices, network resources, printers, serial (COM) ports, and more, with the added ability to run custom malicious scripts on the victim's behalf.
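The attachment mechanism above is a plain-text configuration file, so it can be triaged before it reaches a user. The following is an added example, not code from the article, CERT-UA or AWS: it parses a .rdp file, flags the redirection and RemoteApp settings that give the remote host access to local resources, and returns a verdict. The setting names are the standard ones the Windows Remote Desktop client reads; the sample file, its hostname (a reserved `.invalid` name), the finding descriptions and the verdict thresholds are constructed for illustration.

```python
"""Triage a Remote Desktop (.rdp) connection file for the pattern described
above: an outbound connection to a host the sender chose, combined with
settings that hand the remote side the local drives, clipboard, audio,
printers and COM ports, or let it launch a program on connect.

Added example; not code from the article, CERT-UA or AWS. The setting names
are the standard ones the Windows Remote Desktop client reads from a .rdp
file. The sample file, its hostname (a reserved .invalid name), the verdict
thresholds and the descriptions are constructed for illustration.
"""
import re

# A .rdp line is "name:type:value"; type is s (string), i (integer), b (binary).
RDP_LINE = re.compile(r"^([^:]+):([sib]):(.*)$")

# Settings that expose local resources or hand control to the remote host,
# with the test that makes each one a finding. Assumed severity, not an
# official list.
RISKY = {
    "drivestoredirect":         (lambda v: v != "",  "local drives exposed to remote host"),
    "devicestoredirect":        (lambda v: v != "",  "plug-and-play devices exposed to remote host"),
    "redirectclipboard":        (lambda v: v == "1", "clipboard shared with remote host"),
    "redirectprinters":         (lambda v: v == "1", "printers shared with remote host"),
    "redirectcomports":         (lambda v: v == "1", "COM ports shared with remote host"),
    "redirectsmartcards":       (lambda v: v == "1", "smart cards shared with remote host"),
    "audiocapturemode":         (lambda v: v == "1", "microphone forwarded to remote host"),
    "remoteapplicationmode":    (lambda v: v == "1", "RemoteApp mode: remote host runs a program for the user"),
    "remoteapplicationprogram": (lambda v: v != "",  "program to launch on connect specified"),
    "alternate shell":          (lambda v: v != "",  "alternate shell on connect specified"),
    "authentication level":     (lambda v: v == "0", "server certificate warnings suppressed"),
}


def decode_rdp(data: bytes) -> str:
    """The Windows client saves .rdp files as UTF-16 with a BOM; phishing
    kits often ship plain ASCII. Accept both."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def parse_rdp(text: str) -> dict:
    """Return {setting name (lowercased): value} for every well-formed line."""
    settings = {}
    for raw in text.splitlines():
        m = RDP_LINE.match(raw.strip())
        if m:
            settings[m.group(1).strip().lower()] = m.group(3).strip()
    return settings


def looks_like_rdp(data: bytes) -> bool:
    """Content check for a mail gateway: a renamed attachment still parses."""
    return "full address" in parse_rdp(decode_rdp(data))


def triage(text: str) -> dict:
    """Score one .rdp file: target host, findings, and allow/review/block."""
    s = parse_rdp(text)
    target = s.get("full address", "")
    findings = [f"{name}={s[name]}: {why}"
                for name, (is_bad, why) in RISKY.items()
                if name in s and is_bad(s[name])]
    # Threshold is an assumption: one redirect alone is common in legitimate
    # files; a target plus several redirects is the profile in the article.
    if target and len(findings) >= 2:
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"target": target, "findings": findings, "verdict": verdict}


# Constructed sample in the shape the article describes (not a real IOC).
SAMPLE_RDP = """\
full address:s:aws-zero-trust.example.invalid:3389
remoteapplicationmode:i:1
remoteapplicationprogram:s:||AWS-Integration
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:1
redirectsmartcards:i:1
audiocapturemode:i:1
authentication level:i:0
prompt for credentials:i:0
"""

if __name__ == "__main__":
    result = triage(SAMPLE_RDP)
    print(result["verdict"], "->", result["target"])
    for finding in result["findings"]:
        print("  ", finding)
```

`looks_like_rdp` is the check to run on every attachment regardless of its name: an extension filter alone is defeated by renaming the file, while the `full address` line has to survive for the Remote Desktop client to connect anywhere at all. The `full address` value is also the destination to feed into network monitoring, since the connection it triggers need not use port 3389.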
APT29 may not have used any legitimate AWS domains, but Amazon still managed to interrupt the campaign by seizing the group's look-alike domains.
For potential victims, CERT-UA recommends strict precautions: not only monitoring network logs for connections to IP addresses tied to APT29, but also analyzing all outgoing connections to any IP address on the wider Internet through the end of the month.
And for organizations at risk in the future, Narang offers simpler advice. "First and foremost, don't allow RDP files to be received. You can block them at your email gateway. That's going to kneecap this whole thing," he says.
AWS declined to provide further comment for this story. Dark Reading has also reached out to Microsoft for its perspective.
