AWS Takes Down Russian APT29 Domains

AWS Seizes Domains Used by Russian Threat Group APT29 in Credential-Stealing Campaign

Amazon Web Services (AWS) has disrupted a phishing operation by seizing several domains that APT29, a Russian state-linked threat group, was using in a campaign aimed at stealing credentials from what AWS described as "Russian adversaries." APT29, also tracked as Midnight Blizzard, Cozy Bear, and Nobelium, targeted government agencies, enterprises, and military organizations with phishing emails written in Ukrainian, a broader targeting profile than is typical for the group's operations.


APT29’s Phishing Strategy

According to AWS CISO and Vice President of Security Engineering CJ Moses, the seized domains were crafted to look like AWS domains in order to deceive victims. The actual targets, however, were neither AWS itself nor its customers' AWS credentials. Instead, APT29 sought to harvest Windows credentials through Microsoft Remote Desktop Protocol (RDP) connections, which would give the group direct access to victims' systems.

AWS's action was prompted by a report from Ukraine's Computer Emergency Response Team (CERT-UA). CERT-UA's advisory, released earlier this week, warned of a mass phishing email distribution targeting the government, enterprise, and military sectors. The emails used subject lines about integration issues between AWS and Microsoft services and about zero-trust architecture, and carried RDP configuration (.rdp) files as attachments. Opening such a file makes the victim's machine initiate an outbound RDP connection to an attacker-controlled server, giving the threat actors access to the targeted system.

Gaining Access and Control Over Victim Devices

Once the victim opened the attachment, APT29's server gained broad access to the victim's system: because the configuration file enables redirection of local resources into the session, files, network resources, printers, and other local devices were exposed to the remote host. CERT-UA's report noted that this access could also let the attackers run third-party programs or scripts on the compromised device. The infrastructure for the campaign, according to CERT-UA, had been under preparation since August.
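The lure CERT-UA describes is an ordinary .rdp file whose settings point the client at an attacker host and hand local resources to it. The following Python triage script is an added example, not code from AWS, CERT-UA, or the Dark Reading article: it parses the standard `key:type:value` format of .rdp files and flags the settings that matter in this campaign (the connection target, resource redirection, RemoteApp program launch on connect, and suppressed server authentication). The embedded sample file and the host name in it are constructed for illustration and are not indicators from the advisory.

```python
"""
Triage helper for .rdp attachments of the kind CERT-UA described.
Added example; the sample file below is constructed, not a real indicator.
"""
import re

# Constructed sample resembling the lure. The host name is hypothetical.
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:zero-trust.aws-integration.example:3389
username:s:
authentication level:i:0
prompt for credentials:i:0
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:1
redirectsmartcards:i:1
redirectposdevices:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||ZeroTrust
remoteapplicationcmdline:s:
"""

# Settings that expose local resources to the remote side once the session is up.
REDIRECT_FLAGS = {
    "drivestoredirect": "local drives mapped into the session",
    "redirectclipboard": "clipboard shared with the remote host",
    "redirectprinters": "printers redirected",
    "redirectcomports": "COM ports redirected",
    "redirectsmartcards": "smart cards (certificates/keys) redirected",
    "redirectposdevices": "POS/USB devices redirected",
}

# .rdp lines are "name:type:value" where type is s (string), i (integer) or b (binary).
LINE_RE = re.compile(r"^([^:]+):([sib]):(.*)$")


def parse_rdp(text):
    """Return {key: (type, value)} for a .rdp file body; keys are lower-cased."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue  # ignore blank or malformed lines, as the client does
        key, typ, val = m.group(1).strip().lower(), m.group(2), m.group(3).strip()
        settings[key] = (typ, val)
    return settings


def is_truthy(entry):
    """An integer setting is on when non-zero; a string setting when non-empty."""
    typ, val = entry
    if typ == "i":
        return val.isdigit() and int(val) != 0
    return val != ""


def target_host(addr):
    """Strip an optional :port from 'full address' (bracketed IPv6 left as-is)."""
    if addr.startswith("["):
        return addr
    return addr.rsplit(":", 1)[0] if ":" in addr else addr


def triage_rdp(text, trusted_hosts=()):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    s = parse_rdp(text)
    findings = []
    addr = s.get("full address", ("s", ""))[1]
    host = target_host(addr)
    if host and host.lower() not in {h.lower() for h in trusted_hosts}:
        findings.append(f"connects to untrusted host {addr}")
    for key, why in REDIRECT_FLAGS.items():
        if key in s and is_truthy(s[key]):
            findings.append(f"{key}={s[key][1]}: {why}")
    if is_truthy(s.get("remoteapplicationmode", ("i", "0"))):
        prog = s.get("remoteapplicationprogram", ("s", ""))[1]
        findings.append(f"RemoteApp mode launches '{prog}' on connect")
    if s.get("authentication level", ("i", "2"))[1] == "0":
        findings.append("authentication level 0: server identity is never verified")
    return findings


if __name__ == "__main__":
    for finding in triage_rdp(SAMPLE_RDP, trusted_hosts=["rdp.corp.example"]):
        print("-", finding)
```

Run against a mail-gateway quarantine or a user-submitted attachment, the script gives a quick yes/no before anyone opens the file. A single untrusted `full address` is not proof of malice, but the combination seen here (unknown host, every redirection class enabled, RemoteApp set to launch a program on connect, and server authentication disabled) is exactly the profile the advisory warns about, and a legitimate internal .rdp file rarely looks like this.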

AWS’s Swift Action to Disrupt APT29

In his blog post, Moses wrote that AWS responded immediately by initiating the seizure of the domains impersonating AWS so they could not be used further. Taking the domains out of APT29's control cut off infrastructure the campaign depended on, limiting the reach of the phishing scheme.

APT29’s Extensive and Evolving Tactics

APT29 is known for its connection to Russia’s Foreign Intelligence Service (SVR) and has consistently targeted foreign governments, NGOs, and IT service providers, particularly in the United States and Europe. The group has used various initial access tactics, from stolen credentials and supply chain attacks to exploiting trust chains in service providers. Microsoft, which tracks APT29 as “Midnight Blizzard,” has noted the group’s persistent focus on espionage operations to gather intelligence on foreign adversaries. APT29’s tactics also include using custom malware like FOGGYWEB and MAGICWEB to establish footholds within compromised environments.

Notable Past Incidents

APT29 has been linked to numerous high-profile cyber incidents over the past decade, including the breach of the Democratic National Committee in 2016 and the SolarWinds supply chain attack in 2020. The group's activities continue to raise concerns worldwide, including a recent phishing campaign against political parties in Germany and watering hole campaigns identified by Google's Threat Analysis Group in August. Notably, those watering hole campaigns used exploits similar to ones previously deployed by the commercial spyware vendors NSO Group and Intellexa.

Microsoft’s Continued Efforts in Cybersecurity

Microsoft disclosed in early 2024 that APT29 had gained access to its corporate systems. That intrusion, on top of a series of earlier high-profile breaches, added urgency to the company's Secure Future Initiative (SFI). Microsoft has since reported progress on security measures under SFI, including removing unused applications from its environment and establishing a Cybersecurity Governance Council.


Source: Dark Reading
