
Russian APT29 impersonates AWS to steal Windows credentials


Russia’s main advanced persistent threat group phished thousands of targets in the military, government agencies, and businesses.

APT29 (aka Midnight Blizzard, Nobelium, Cozy Bear) is probably the most famous threat group in the world. A unit of Russia’s Foreign Intelligence Service (SVR), it is best known for its historic breaches of SolarWinds and the Democratic National Committee (DNC). More recently it has broken into Microsoft’s code base and gone after political targets in Europe, Africa and beyond.

“APT29 embodies the ‘persistent’ part of ‘advanced persistent threat,’” says Satnam Narang, senior research engineer at Tenable. “Over the years, it has persistently targeted organizations in the United States and Europe using various methods, including phishing and exploiting vulnerabilities to gain primary access and privilege escalation. Its modus operandi is gathering foreign intelligence and maintaining persistence in compromised organizations for future operations.”

Similarly, the Computer Emergency Response Team of Ukraine (CERT-UA) recently discovered APT29 phishing Windows credentials from public, military and private sectors in Ukraine. And after comparing notes with authorities in other countries, CERT-UA found that the campaign was actually spread over a “broad geography.”

Narang notes that it’s not surprising that APT29 would go after sensitive data from geopolitically prominent and diverse organizations, though he adds that “the one thing that’s a bit off-putting is its broad targeting rather than the (typically more) narrow focus of its attacks.”

AWS and Microsoft

The campaign, which began in August, was carried out using malicious domain names created to appear as if they originated from Amazon Web Services (AWS). Emails sent from these domains allegedly advised recipients on how to integrate AWS with Microsoft services and how to implement a zero-trust architecture.

Despite the masquerade, AWS itself said the attackers weren’t after Amazon or its customers’ AWS credentials.

What APT29 really wanted was found in the attachments of those emails: configuration files for Remote Desktop, Microsoft’s application for implementing the Remote Desktop Protocol (RDP). RDP is a popular tool used by both legitimate users and hackers to remotely control computers.

“Usually attackers try to brute force your system or exploit vulnerabilities and then configure RDP. In this case, they’re effectively saying, ‘We want to establish this connection (early)’,” Narang says.

Running one of these malicious attachments would immediately launch an outgoing RDP connection to the APT29 server. But that’s not all: the files also contained a number of other malicious parameters. Once the connection was established, the attacker gained access to the target computer’s memory, clipboard, audio devices, network resources, printers, communication (COM) ports and so on, with the added ability to run their own malicious scripts.
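As an added illustration (not code from the article, CERT-UA or Tenable), the Python below parses the plain-text `key:type:value` format of an .rdp file and flags the redirection and RemoteApp settings the article describes, the kind of check a mail gateway or triage script could apply to an attachment; the sample file and its host name are constructed placeholders, and the set of keys treated as risky is this example's own choice.

```python
import re

# Real .rdp configuration keys whose values hand local resources to the remote host
# or launch a remote program on connect. Which ones count as "risky" is an assumption
# made for this example, chosen to match the capabilities the article lists.
RISKY_SETTINGS = {
    "drivestoredirect": lambda v: v.strip() != "",     # local drives ("*" = all) shared to the server
    "devicestoredirect": lambda v: v.strip() != "",    # plug-and-play devices shared to the server
    "redirectclipboard": lambda v: v == "1",           # clipboard contents flow to the server
    "redirectprinters": lambda v: v == "1",
    "redirectcomports": lambda v: v == "1",            # COM ports exposed to the server
    "audiocapturemode": lambda v: v == "1",            # microphone captured to the server
    "remoteapplicationmode": lambda v: v == "1",       # RemoteApp: server-chosen program runs on connect
}

def parse_rdp(text):
    """Parse 'key:type:value' lines into a dict of key -> value (type letter dropped)."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+):[sib]:(.*)$", line.strip())
        if m:
            settings[m.group(1).strip().lower()] = m.group(2)
    return settings

def assess_rdp(text):
    """Return (target host, sorted list of risky keys present) for an .rdp file body."""
    settings = parse_rdp(text)
    host = settings.get("full address", "")
    flagged = sorted(k for k, risky in RISKY_SETTINGS.items()
                     if k in settings and risky(settings[k]))
    return host, flagged

# Constructed sample resembling the attachments described above; host is a placeholder.
SAMPLE = """\
screen mode id:i:2
full address:s:rdp.example-placeholder.invalid
redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:1
drivestoredirect:s:*
audiocapturemode:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||example
"""

if __name__ == "__main__":
    host, flagged = assess_rdp(SAMPLE)
    print(f"outbound RDP target: {host}")
    for key in flagged:
        print(f"  risky setting: {key}")
```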

Block RDP

APT29 may not have used any legitimate AWS domains, but Amazon still managed to disrupt the campaign by seizing the group’s AWS look-alike domains.

For potential victims, CERT-UA recommends strict precautions: not only monitor network logs for connections to IP addresses tied to APT29, but also analyze all outgoing connections to any IP address on the Internet through the end of the month.

And for organizations facing future risk, Narang offers simpler advice. “First of all, don’t allow receiving RDP files. You can block them in your electronic gateway. It’s going to blow this whole thing,” he says.

AWS declined to comment further for this story. Dark Reading also reached out to Microsoft for their perspective.