Security News > 2022 > November > APT29 Exploited a Windows Feature to Compromise European Diplomatic Entity Network

APT29 Exploited a Windows Feature to Compromise European Diplomatic Entity Network
2022-11-09 13:47

The Russia-linked APT29 nation-state actor has been found leveraging a "Lesser-known" Windows feature called Credential Roaming as part of its attack against an unnamed European diplomatic entity.

"The diplomatic-centric targeting is consistent with Russian strategic priorities as well as historic APT29 targeting," Mandiant researcher Thibault Van Geluwe de Berlaere said in a technical write-up.

APT29, a Russian espionage group also called Cozy Bear, Iron Hemlock, and The Dukes, is known for its intrusions aimed at collecting intelligence that align with the country's strategic objectives.

The Google-owned threat intelligence and incident response firm said it identified the use of Credential Roaming during the time APT29 was present inside the victim network in early 2022, at which point "Numerous LDAP queries with atypical properties" were performed against the Active Directory system.

Introduced in Windows Server 2003 Service Pack 1, Credential Roaming is a mechanism that allows users to access their credentials in a secure manner across different workstations in a Windows domain.

Mandiant said the research "Offers insight into why APT29 is actively querying the related LDAP attributes in Active Directory," urging organizations to apply the September 2022 patches to secure against the flaw.


News URL

https://thehackernews.com/2022/11/apt29-exploited-windows-feature-to.html