The Russia-linked APT29 nation-state actor has been discovered leveraging a “lesser-known” Windows characteristic known as Credential Roaming as a part of its assault in opposition to an unnamed European diplomatic entity.
“The diplomatic-centric focusing on is per Russian strategic priorities in addition to historic APT29 focusing on,” Mandiant researcher Thibault Van Geluwe de Berlaere stated in a technical write-up.
APT29, a Russian espionage group additionally known as Cozy Bear, Iron Hemlock, and The Dukes, is recognized for its intrusions aimed toward accumulating intelligence that align with the nation’s strategic aims. It’s believed to be sponsored by the Foreign Intelligence Service (SVR).
Some of the adversarial collective’s cyber actions are tracked publicly underneath the moniker Nobelium, a menace cluster answerable for the widespread provide chain compromise via SolarWinds software program in December 2020.
The Google-owned menace intelligence and incident response agency stated it recognized using Credential Roaming in the course of the time APT29 was current contained in the sufferer community in early 2022, at which level “quite a few LDAP queries with atypical properties” have been carried out in opposition to the Active Directory system.
Introduced in Windows Server 2003 Service Pack 1 (SP1), Credential Roaming is a mechanism that enables customers to entry their credentials (i.e., non-public keys and certificates) in a safe method throughout totally different workstations in a Windows area.
Investigating its internal workings additional, Mandiant highlighted the invention of an arbitrary file write vulnerability that may very well be weaponized by a menace actor to realize distant code execution within the context of the logged-in sufferer.
The shortcoming, tracked as CVE-2022-30170, was addressed by Microsoft as a part of Patch Tuesday updates shipped on September 13, 2022, with the corporate emphasizing that exploitation requires a person to log in to Windows.
“An attacker who efficiently exploited the vulnerability might achieve distant interactive logon rights to a machine the place the sufferer’s account wouldn’t usually maintain such privilege,” it famous.
Mandiant stated the analysis “gives perception into why APT29 is actively querying the associated LDAP attributes in Active Directory,” urging organizations to use the September 2022 patches to safe in opposition to the flaw.