APT29 from Russia impersonates AWS to steal Windows credentials

Russia’s first advanced persistent threat group has attacked thousands of targets in militaries, public authorities and businesses.

APT29 (aka Midnight Blizzard, Nobelium, Cozy Bear) is probably the best-known threat actor in the world. An arm of the Foreign Intelligence Service (SVR) of the Russian Federation, it is best known for its historic breaches of SolarWinds and the Democratic National Committee (DNC). More recently, it has breached Microsoft’s code base and political targets across Europe, Africa and beyond.

“APT29 embodies the ‘persistent’ part of ‘advanced persistent threat,’” says Satnam Narang, senior research engineer at Tenable. “It has persistently targeted organizations in the United States and Europe for years, using various techniques, including spear-phishing and exploiting vulnerabilities to gain initial access and escalate privileges. Its modus operandi is to collect extraneous information as well as maintain persistence in compromised organizations to conduct future operations.”

In the same vein, Ukraine’s Computer Emergency Response Team (CERT-UA) recently discovered APT29 phishing Windows credentials from government, military and private sector targets in Ukraine. And after comparing notes with authorities in other countries, CERT-UA found that the campaign was in fact spread over “a wide geography.”

That APT29 would go after sensitive credentials from prominent and geopolitically diverse organizations isn’t a surprise, Narang notes, though he adds that “the only thing going off track would be its broad targeting, against (usually, much more) concentrated attacks.”

AWS and Microsoft

The campaign, which dates back to August, was carried out using malicious domain names designed to appear to be from Amazon Web Services (AWS). Emails sent from these domains claimed to advise recipients on how to integrate AWS with Microsoft services and how to implement zero-trust architecture.

Despite the masquerade, AWS itself reported that the attackers were not targeting Amazon or its customers’ AWS credentials.

What APT29 really wanted was revealed in the attachments to those emails: configuration files for Remote Desktop, Microsoft’s application for implementing the Remote Desktop Protocol (RDP). RDP is a popular tool that legitimate users and hackers alike use to operate computers remotely.

“Normally, attackers will try to brute force your system or exploit vulnerabilities, then they set up RDP. In that case, they’re basically saying, ‘We want to establish that connection (in advance),’” says Narang.

Launching one of these malicious attachments would have immediately triggered an outbound RDP connection to an APT29 server. But that was not all: the files also contained a number of other malicious parameters, so that when a connection was made, the attacker was granted access to the target computer’s storage, clipboard, audio devices, network resources, printers, communications (COM) ports and more, with the added ability to run custom malicious scripts.
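As an added example (not code from the article, CERT-UA or AWS), the following scanner is what a mail-gateway filter or responder could run over an .rdp attachment to flag the resource-redirection settings described above. The setting names are standard Remote Desktop file keys; the sample file and its hostname are constructed placeholders.

```python
from typing import Callable, Dict, List, Tuple

# Standard Remote Desktop (.rdp) settings that hand a local resource to the
# remote host, paired with the check that tells whether they are enabled.
RISKY: Dict[str, Tuple[str, Callable[[str], bool]]] = {
    "drivestoredirect":      ("local drives shared with the server",  lambda v: v.strip() != ""),
    "redirectclipboard":     ("clipboard shared with the server",     lambda v: v == "1"),
    "redirectprinters":      ("printers redirected",                  lambda v: v == "1"),
    "redirectcomports":      ("COM ports redirected",                 lambda v: v == "1"),
    "audiocapturemode":      ("microphone redirected",                lambda v: v == "1"),
    "remoteapplicationmode": ("RemoteApp: server chooses the program run on connect",
                              lambda v: v == "1"),
}

def decode_rdp(data: bytes) -> str:
    """mstsc saves .rdp files as UTF-16 with a BOM; fall back to UTF-8 otherwise."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")

def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse 'name:type:value' lines into {name: (type, value)}; values may contain ':'."""
    settings: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in ("s", "i", "b"):
            settings[parts[0].lower()] = (parts[1], parts[2])
    return settings

def assess_rdp(data: bytes) -> Dict[str, object]:
    """Return the outbound connection target and every redirection finding."""
    settings = parse_rdp(decode_rdp(data))
    findings: List[str] = [desc for key, (desc, enabled) in RISKY.items()
                           if key in settings and enabled(settings[key][1])]
    # Any redirection in a mailed .rdp file is enough to hold it back for review.
    return {"target": settings.get("full address", ("s", ""))[1],
            "findings": findings,
            "verdict": "quarantine" if findings else "review"}

# Constructed sample mimicking the attachment described above; the host is a placeholder.
SAMPLE_RDP = b"\xff\xfe" + """\
full address:s:rdp.example.invalid
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:1
audiocapturemode:i:1
remoteapplicationmode:i:1
""".encode("utf-16-le")
```

Running `assess_rdp(SAMPLE_RDP)` reports six findings and the target host; a gateway that already drops every .rdp attachment, as recommended below, can use the findings list purely for the incident record.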

Block RDP

APT29 may not have used any legitimate AWS domains, but Amazon was still able to disrupt the campaign by seizing the group’s malicious knockoffs.

For potential victims, CERT-UA recommends strict precautions: not only monitoring network logs for connections to APT29-related IP addresses, but also scanning all outgoing connections to all IP addresses on the wider Internet by the end of the month.

And for organizations at risk in the future, Narang offers simpler advice. “First, don’t allow receiving RDP files. You can block them from your email gateway. That will put the whole thing together,” he says.

AWS declined to provide further comment for this story. Dark Reading also reached out to Microsoft for its perspective.