- Amazon security researchers identified a watering hole attack that tricked users into handing over Microsoft login credentials
- The attack was stopped through the combined efforts of Amazon, Cloudflare and Microsoft
- Amazon warns of the growing sophistication of Cozy Bear
Amazon's security researchers say they have disrupted a new watering hole campaign run by the Russian state-sponsored threat group known as APT29 (also tracked as Midnight Blizzard or Cozy Bear).
A watering hole attack is one in which cybercriminals inject malicious code into a website regularly visited by a specific group of people, in the hope of compromising those people's devices when they visit it.
In this case, APT29 compromised several websites and used them to redirect visitors to other domains under the attacker's control.
Credential harvesting campaign
We do not know which websites were infected, or how many, but threat actors typically steal, or simply guess, the login credentials of poorly protected websites, escalate their privileges from the inside, and then hide the malicious code in plain sight.
APT29 used the sites to redirect victims to two malicious domains: findcloudflare[.]com and cloudflare[.]redirectparners[.]com. There, the attackers imitated Microsoft's usual device code authentication flow in order to sign in to their victims' Microsoft accounts.
"The current campaign shows their continued focus on credential harvesting and intelligence collection, with refinements to their technical approach, and demonstrates an evolution in APT29's tradecraft through their ability to compromise legitimate websites and initially inject obfuscated JavaScript, when faced with disruption and, on new infrastructure, adjust from use of JavaScript redirects to server-side redirects," Amazon said in its report.
Amazon also said that only around 10% of visitors to the compromised websites were redirected to attacker-controlled domains. AWS systems were not compromised, and there was no direct impact on AWS services or infrastructure.
To counter the threat, the company isolated the EC2 instances involved and, with Cloudflare's help, disrupted the domains and notified Microsoft.
The attackers then tried to move to a different domain, but it too was quickly blocked.
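The report describes two redirect techniques (injected JavaScript first, then server-side redirects on new infrastructure) and notes that only a fraction of visitors were sent on to the attacker's domains. The following is an added example, not code from Amazon's report or from any of the parties involved: a small Python checker a website operator could run over their own page source and access logs to look for both redirect styles pointing at the two defanged domains named above, and to measure how selectively visitors are being redirected. The access-log format, the sample HTML and the sample log lines are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Indicator list taken from the report, kept defanged and refanged only at match time.
DEFANGED_IOCS = ["findcloudflare[.]com", "cloudflare[.]redirectparners[.]com"]


def refang(domain):
    """Turn a defanged domain ("example[.]com") back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}


def host_matches_ioc(url):
    """True if the URL's host is an indicator domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


# Common JavaScript redirect idioms that carry a URL literal as their target.
JS_REDIRECT_RE = re.compile(
    r"""(?:window\.location(?:\.href)?\s*=|location\.(?:assign|replace)\(|window\.open\()"""
    r"""\s*['"]([^'"]+)['"]""",
    re.IGNORECASE,
)


def find_js_redirects(html):
    """Return URLs in JavaScript redirect idioms whose host is an indicator domain."""
    return [u for u in JS_REDIRECT_RE.findall(html) if host_matches_ioc(u)]


# Constructed access-log line: <client ip> <status> "<request path>" <Location header or ->
LOG_RE = re.compile(r'^(?P<client>\S+) (?P<status>\d{3}) "(?P<path>[^"]*)" (?P<location>\S+)$')


def find_server_side_redirects(log_lines):
    """Flag 3xx responses whose Location header points at an indicator domain."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["status"].startswith("3") and host_matches_ioc(m["location"]):
            hits.append((m["client"], m["location"]))
    return hits


def redirected_fraction(log_lines):
    """Share of distinct clients sent to an indicator domain.

    Selective redirection (the report cites roughly 10% of visitors) keeps this low,
    which is why a single crawl of the site can easily miss the behaviour.
    """
    clients, redirected = set(), set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        clients.add(m["client"])
        if m["status"].startswith("3") and host_matches_ioc(m["location"]):
            redirected.add(m["client"])
    return len(redirected) / len(clients) if clients else 0.0


# Constructed sample page: one legitimate script tag and one injected redirect snippet.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>if (Math.random() < 0.1) { window.location.href = "https://findcloudflare.com/verify?ref=site"; }</script>
</head><body><a href="https://www.example.com/">Home</a></body></html>"""

# Constructed sample log lines in the format described above.
SAMPLE_LOG_LINES = [
    '203.0.113.5 302 "/index.html" https://cloudflare.redirectparners.com/login',
    '203.0.113.6 200 "/index.html" -',
    '203.0.113.7 200 "/about.html" -',
    '203.0.113.8 302 "/old-page" https://www.example.com/new-page',
    '198.51.100.9 302 "/index.html" https://findcloudflare.com/verify',
]

if __name__ == "__main__":
    print("JS redirects:", find_js_redirects(SAMPLE_HTML))
    print("Server-side redirects:", find_server_side_redirects(SAMPLE_LOG_LINES))
    print("Fraction of clients redirected:", redirected_fraction(SAMPLE_LOG_LINES))
```

Because the injected script only fires for a subset of visitors, a one-off fetch of the page may never see the redirect; checking the served HTML for the redirect idiom and checking the logs for 3xx responses toward the indicator domains covers both the JavaScript and the server-side variants the report mentions.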
How to stay safe
To mitigate potential risks, users should place a credit freeze (or a fraud alert) with the three credit bureaus, which prevents new credit accounts from being opened in their name without their approval.
They should also monitor their credit reports and take up the free identity theft monitoring on offer.
Finally, they should keep a close eye on their financial accounts and be very cautious with incoming emails and other communications. Since the attackers now know their contact details, they could send convincing fake emails, text messages or calls impersonating banks, government agencies or even TransUnion itself.
Via BleepingComputer