Home Security APT29 Exploited a Home windows Function to Compromise European Diplomatic Entity Community

APT29 Exploited a Home windows Function to Compromise European Diplomatic Entity Community

by crpt os


The Russia-linked APT29 nation-state actor has been found leveraging a “lesser-known” Windows feature called Credential Roaming as part of its attack against an unnamed European diplomatic entity.

“The diplomatic-centric targeting is consistent with Russian strategic priorities as well as historic APT29 targeting,” Mandiant researcher Thibault Van Geluwe de Berlaere said in a technical write-up.

APT29, a Russian espionage group also called Cozy Bear, Iron Hemlock, and The Dukes, is known for its intrusions aimed at collecting intelligence that align with the country’s strategic objectives. It’s believed to be sponsored by the Foreign Intelligence Service (SVR).

Some of the adversarial collective’s cyber activities are tracked publicly under the moniker Nobelium, a threat cluster responsible for the widespread supply chain compromise through SolarWinds software in December 2020.

The Google-owned threat intelligence and incident response firm said it identified the use of Credential Roaming during the time APT29 was present inside the victim network in early 2022, at which point “numerous LDAP queries with atypical properties” were performed against the Active Directory system.

Hacking European Diplomatic

Introduced in Windows Server 2003 Service Pack 1 (SP1), Credential Roaming is a mechanism that allows users to access their credentials (i.e., private keys and certificates) in a secure manner across different workstations in a Windows domain.

Investigating its inner workings further, Mandiant highlighted the discovery of an arbitrary file write vulnerability that could be weaponized by a threat actor to achieve remote code execution in the context of the logged-in victim.

CyberSecurity

The shortcoming, tracked as CVE-2022-30170, was addressed by Microsoft as part of Patch Tuesday updates shipped on September 13, 2022, with the company emphasizing that exploitation requires a user to log in to Windows.

“An attacker who successfully exploited the vulnerability could gain remote interactive logon rights to a machine where the victim’s account would not normally hold such privilege,” it noted.

Mandiant said the research “offers insight into why APT29 is actively querying the related LDAP attributes in Active Directory,” urging organizations to apply the September 2022 patches to secure against the flaw.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex