Russia’s APT29 impersonates AWS to steal Windows credentials

Russia’s top advanced persistent threat group has phished thousands of targets within the military, government and businesses.

APT29 (also known as Midnight Blizzard, Nobelium, Cozy Bear) is perhaps the most infamous threat actor in the world. It is a branch of the Russian Federation’s Foreign Intelligence Service (SVR) and is best known for its historic breaches of SolarWinds and the Democratic National Committee (DNC). More recently, it has breached Microsoft’s code base and pursued political targets across Europe, Africa, and beyond.

“APT29 embodies the ‘persistent’ part of ‘advanced persistent threat,’” said Satnam Narang, senior research engineer at Tenable. “It has consistently targeted organizations in the United States and Europe for years, using a variety of techniques including spear phishing and vulnerability exploitation to gain initial access and escalate privileges. The modus operandi is to gather foreign intelligence and maintain persistence into compromised organizations to conduct future operations.”

Along the same lines, the Computer Emergency Response Team of Ukraine (CERT-UA) recently discovered APT29 phishing Windows credentials from targets in the government, the military and the private sector in Ukraine. And after comparing notes with authorities in other countries, CERT-UA found that the campaign was actually spread across “a broad geography.”

That APT29 would seek sensitive credentials from geopolitically prominent and diverse organizations is no surprise, Narang notes, although he adds that “the only thing that goes slightly off track would be its broad targeting, versus (the typical, more) narrowly targeted attacks.”

AWS and Microsoft

The campaign, which dates back to August, was carried out using malicious domain names designed to appear as if they came from Amazon Web Services (AWS). The emails sent from these domains pretended to advise recipients on how to integrate AWS with Microsoft services and implement a zero trust architecture.

Despite the masquerade, AWS itself reported that the attackers were not after Amazon or its customers’ AWS credentials.

What APT29 really wanted was revealed in the attachments to those emails: configuration files for Remote Desktop, Microsoft’s application for implementing the Remote Desktop Protocol (RDP). RDP is a popular tool that both legitimate users and hackers use to control computers remotely.

“Typically, attackers try to brute force their way into your system or exploit vulnerabilities and then configure RDP. In this case, they’re basically saying, ‘We want to establish that connection (in advance),’” Narang says.

Launching any of these malicious attachments would have immediately triggered an outbound RDP connection to an APT29 server. But that was not all: the files also contained a number of other malicious parameters, so that once the connection was established, the attacker gained access to the target computer’s storage, clipboard, audio devices, network resources, printers, communications (COM) ports and more, with the added ability to run custom malicious scripts.

Block RDP

APT29 may not have used legitimate AWS domains, but Amazon still managed to disrupt the campaign by seizing the group’s malicious copycats.

For potential victims, CERT-UA recommends strict precautions: not only monitoring network logs for connections to IP addresses associated with APT29, but also analyzing all outgoing connections to all IP addresses on the wider Internet until the end of the month.

And for organizations at risk in the future, Narang offers simpler advice. “First and foremost, make sure RDP files aren’t being received. You can block them through your email gateway. That’s going to mess the whole thing up,” he says.
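The two points above, an .rdp file whose settings redirect the victim’s local resources to the remote host and the advice to stop such files at the email gateway, can be combined into a simple attachment triage. The following is an added example written for this article, not code from CERT-UA, Tenable or Dark Reading; the .rdp keys are standard Remote Desktop settings, while the sample files and the hostnames in them are constructed placeholders.

```python
"""Triage a Remote Desktop (.rdp) attachment for settings that hand the remote
host access to local resources. Added example for this article, not CERT-UA's
or Dark Reading's code; the sample files and hostnames are constructed."""
from typing import Dict, List, Tuple

# Standard .rdp keys that redirect local resources; "nonempty" = any value counts.
RISKY_SETTINGS: Dict[str, Tuple[str, str]] = {
    "drivestoredirect": ("nonempty", "local drives shared with remote host"),
    "redirectclipboard": ("1", "clipboard shared"),
    "redirectprinters": ("1", "printers shared"),
    "redirectcomports": ("1", "COM ports shared"),
    "remoteapplicationmode": ("1", "RemoteApp: server chooses program to run"),
    "alternate shell": ("nonempty", "startup program supplied by the file"),
}

def parse_rdp(text: str) -> Dict[str, str]:
    """Parse 'key:type:value' lines into {key: value} with lower-cased keys."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.count(":") < 2:
            continue  # blank or malformed line
        key, _type, value = line.split(":", 2)  # value may contain ':' (host:port)
        settings[key.strip().lower()] = value.strip()
    return settings

def triage_rdp(text: str) -> Tuple[str, List[str]]:
    """Return (destination from 'full address', list of redirection findings)."""
    settings = parse_rdp(text)
    findings: List[str] = []
    for key, (trigger, description) in RISKY_SETTINGS.items():
        value = settings.get(key)
        if value is not None and ((trigger == "nonempty" and value) or value == trigger):
            findings.append(f"{key}={value}: {description}")
    return settings.get("full address", "<none>"), findings

def should_quarantine(text: str) -> bool:
    """Gateway decision: hold any .rdp attachment that redirects local resources."""
    return bool(triage_rdp(text)[1])

# Constructed sample mirroring the article's description (placeholder hostname).
LURE_RDP = """full address:s:rdp-lure.example.invalid
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:1
remoteapplicationmode:i:1
"""
# Constructed benign file: connects to an internal host and shares nothing.
BENIGN_RDP = "full address:s:fileserver.corp.example:3389\nredirectclipboard:i:0\n"
```

Blocking every .rdp attachment, as the article suggests, is the blunt version of this check; the triage above is for organizations that must still allow legitimate Remote Desktop files and want the redirection settings and destination host surfaced for review.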

AWS declined to comment further for this story. Dark Reading also reached out to Microsoft for its perspective.