Essential Insights
- Threat Identification: Cybersecurity researchers have exposed APT29, linked to Russia’s intelligence service, conducting a sophisticated credential theft campaign targeting both government and tech organizations.
- Attack Methodology: The group compromised legitimate websites to redirect users to fake security verification pages, exploiting Microsoft’s authentication system to gain access to user accounts.
- Evasion Tactics: APT29 utilized advanced techniques, such as a traffic randomizer and obfuscation, to minimize detection while executing its watering hole attacks.
- Mitigation Recommendations: Experts suggest reviewing Microsoft’s security guidance on device authentication and implementing conditional access policies to enhance security against such attacks.
Cybersecurity researchers have busted a sophisticated new credential theft campaign by APT29, a long familiar threat group that the US government has formally tied to Russia’s foreign intelligence service (SVR).
The operation involved the threat actor compromising legitimate websites to inject malicious code that redirected visitors to fake security verification pages designed to exploit Microsoft’s device authentication system and gain access to user accounts.
Watering Hole Attack
Amazon’s threat intelligence service disclosed details of the opportunistic watering hole campaign last week after detecting and successfully disrupting the threat actor’s attack infrastructure — which incidentally included at least a few Amazon Elastic Compute Cloud (EC2) instances.
“Despite the actor’s attempts to migrate to new infrastructure, including a move off AWS to another cloud provider, our team continued tracking and disrupting their operations,” wrote Amazon chief information security officer (CISO) CJ Moses.
APT29, also tracked as Midnight Blizzard, Nobelium, and Cozy Bear, has been targeting government and military organizations, NGOs, tech firms, and think tanks in the US and Europe since at least 2008. Notable operations include the 2020 SolarWinds supply chain attack, which resulted in some 18,000 organizations receiving a poisoned software update; a 2021 attack on Microsoft’s corporate systems that wasn’t discovered until January 2022; and a near-identical 2021 attack on HPE’s cloud-hosted email infrastructure.
APT29 has relied heavily on tactics such as spear-phishing, password spraying, and credential harvesting to gain initial access to a target network. Once inside, the threat actor has shown an ability to remain persistent for long periods using living-off-the-land tactics, legitimate security tools, and software utilities. In many campaigns, APT29 has exploited trusted platforms and cloud services — including AWS domains — to blend in with legitimate traffic and avoid detection.
The tactics that the threat actor used in the operation that Amazon recently disrupted demonstrated a continued evolution of its attack methods. First, it compromised several legitimate websites and injected JavaScript in them that redirected unwary visitors to domains that mimicked legitimate Cloudflare verification pages of the type a user might occasionally encounter when browsing websites. The pages are designed to block bots and distributed denial-of-service (DDoS) traffic and may sometimes require the user to click a checkbox affirming they are not a bot.
Device Code Authentication Attack
To minimize the odds of detection, APT29 used a randomizer to ensure that only 10% of visitors who arrived at a watering hole website were redirected to the attacker-controlled domains. The attackers also set cookies to ensure that the same user did not get directed to the malicious domains over and over again. In addition, the adversary used base64 encoding to obfuscate the malicious code on the watering hole sites.
Users who arrived on the fake Cloudflare pages were directed to enter their email address to verify they were human. Those who followed through were then walked through a process where they essentially ended up authorizing the attackers’ device or system to access the victim’s Microsoft account.
Such device code authentication attacks are not new, but even so they are relatively rare. Volexity earlier this year reported observing at least three Russia-based threat actors — one of which was APT29 — using the approach to gain initial access to target environments. As the vendor noted in its report, device code authentication attacks are “definitely lesser known and not commonly leveraged by nation-state actors.” But when used, “this method has been more effective at successfully compromising accounts than most other targeted spear-phishing campaigns.”
To mitigate the threat, Amazon’s Moses recommended that IT administrators review Microsoft’s security guidance on device authentication flows and consider disabling the device code flow if they don’t require the feature. “Enforce conditional access policies that restrict authentication based on device compliance, location, and risk factors,” Moses wrote. Organizations, he added, can also benefit from logging and monitoring authentication requests, especially those involving new devices.
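As an added example (not from the article, and not Amazon’s or Microsoft’s tooling), the following Python script applies the monitoring advice above: it flags successful device-code sign-ins from a device the user has not previously been seen on. The log lines are constructed, and the field names (authenticationProtocol, deviceId, status) are an assumption modeled on the shape of Entra ID sign-in records.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records (JSON lines). Field names are assumed,
# not taken from the article; status 0 means a successful sign-in here.
SAMPLE_LOG = """
{"time":"2025-08-20T09:01:00Z","user":"alice@example.com","authenticationProtocol":"authorizationCode","deviceId":"dev-a1","ipAddress":"203.0.113.10","status":0}
{"time":"2025-08-20T09:05:00Z","user":"alice@example.com","authenticationProtocol":"deviceCode","deviceId":"dev-a1","ipAddress":"203.0.113.10","status":0}
{"time":"2025-08-21T14:22:00Z","user":"alice@example.com","authenticationProtocol":"deviceCode","deviceId":"dev-zz9","ipAddress":"198.51.100.77","status":0}
{"time":"2025-08-21T14:30:00Z","user":"bob@example.com","authenticationProtocol":"deviceCode","deviceId":"","ipAddress":"198.51.100.77","status":50126}
{"time":"2025-08-22T08:00:00Z","user":"bob@example.com","authenticationProtocol":"deviceCode","deviceId":"dev-b7","ipAddress":"198.51.100.77","status":0}
"""


def parse_log(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_suspicious_device_code_signins(events, known_devices=None):
    """Return alerts for successful device-code sign-ins where the device is not
    in the user's baseline (known_devices) and was not seen earlier in the log.
    A device-code grant from a never-seen device is the signature of the
    authorization-transfer trick described in the article."""
    seen = defaultdict(set)
    for user, devices in (known_devices or {}).items():
        seen[user].update(devices)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO-8601 sorts lexically
        user = ev["user"]
        device = ev.get("deviceId") or "<no device id>"
        succeeded = ev.get("status") == 0
        if (ev.get("authenticationProtocol") == "deviceCode"
                and succeeded and device not in seen[user]):
            alerts.append({"time": ev["time"], "user": user, "deviceId": device,
                           "ipAddress": ev.get("ipAddress"),
                           "reason": "device code grant from new device"})
        # Only successful sign-ins build the per-user device baseline.
        if succeeded and device != "<no device id>":
            seen[user].add(device)
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_device_code_signins(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Feeding a baseline of already-enrolled devices via known_devices suppresses alerts for users whose device is legitimately new to this log window but known to the organization.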