Russian hackers abused “lesser-known” Windows feature in attack on a European diplomatic entity


The Russia-linked espionage group APT29 has been observed abusing the Windows Credential Roaming feature in a cyberattack targeting an unnamed European diplomatic entity.

Active since at least 2008, APT29 (aka Nobelium, Cozy Bear, Iron Hemlock, The Dukes) is believed to be working on behalf of Russia's Foreign Intelligence Service (SVR). The group primarily targets Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors.

Their targets have also included the governments of Commonwealth of Independent States members as well as Asian, African, and Middle Eastern governments. APT29 is also deemed responsible for the widespread supply chain compromise through SolarWinds software in December 2020.

In 2022, APT29 has focused on organizations responsible for influencing and crafting the foreign policy of NATO countries.

Researchers at Google-owned threat intelligence and incident response firm Mandiant observed the use of Windows Credential Roaming during the short time APT29 was present in the victim's network.

Credential Roaming is a feature first introduced in Windows Server 2003 SP1 that allows certificates (and other credentials) to 'roam' with the user.

While analyzing the numerous LDAP queries that the hackers had made against Active Directory, the researchers discovered an elevation of privilege vulnerability (CVE-2022-30170) in the Windows Credential Roaming functionality. Microsoft addressed this issue in September 2022.

“An attacker who successfully exploited the vulnerability could gain remote interactive logon rights to a machine where the victim's account would not normally hold such privilege,” Mandiant explained in a technical write-up. “If an attacker can control the msPKIAccountCredentials LDAP attribute, they may add a malicious roaming token entry where the identifier string contains directory traversal characters and thereby write an arbitrary number of bytes to any file on the file system, posing as the victim account. The only constraint is that the full file name plus directory traversal characters fits within the 92-byte buffer.”

To reduce the risk of such attacks, organizations are advised to check whether Credential Roaming is in use in their environment and, if so, apply the September 2022 patch as soon as possible to remediate CVE-2022-30170.
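As an added example (not code from the article or from Mandiant), the following PowerShell script shows one way a defender can take that first step: inventory which accounts in Active Directory carry Credential Roaming data, and flag any msPKIAccountCredentials blob that contains a directory traversal sequence. It assumes the RSAT ActiveDirectory module and read access to user objects; the byte-level traversal search is a heuristic, since the blob format is not described here.

```powershell
# Added example: inventory Credential Roaming use in AD and flag token blobs
# that contain traversal sequences. Assumes the ActiveDirectory RSAT module
# and read access to user objects; attribute names come from the AD schema.
Import-Module ActiveDirectory

# Sequences a roaming-token identifier should never contain. Searched in both
# ASCII and UTF-16LE form because the blob's string encoding is not assumed.
$traversal = @('..\', '../')

function Test-TraversalBytes {
    param([byte[]]$Blob)
    foreach ($p in $traversal) {
        foreach ($enc in [System.Text.Encoding]::ASCII, [System.Text.Encoding]::Unicode) {
            $needle = $enc.GetBytes($p)
            # Naive byte-substring search; blobs are small, so this is fine.
            for ($i = 0; $i -le $Blob.Length - $needle.Length; $i++) {
                $match = $true
                for ($j = 0; $j -lt $needle.Length; $j++) {
                    if ($Blob[$i + $j] -ne $needle[$j]) { $match = $false; break }
                }
                if ($match) { return $true }
            }
        }
    }
    return $false
}

# Accounts that have roamed credentials carry one or both of these attributes.
$filter = '(|(msPKIAccountCredentials=*)(msPKIDPAPIMasterKeys=*))'
$props  = 'msPKIAccountCredentials', 'msPKIDPAPIMasterKeys', 'msPKIRoamingTimeStamp'

$users = @(Get-ADUser -LDAPFilter $filter -Properties $props)
if ($users.Count -eq 0) {
    Write-Host 'No accounts carry Credential Roaming data; the feature appears unused.'
    return
}

foreach ($u in $users) {
    $blobs   = @($u.msPKIAccountCredentials)
    $suspect = $false
    foreach ($b in $blobs) {
        if ($b -is [byte[]] -and (Test-TraversalBytes -Blob $b)) { $suspect = $true }
    }
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        TokenEntries   = $blobs.Count
        HasMasterKeys  = [bool]$u.msPKIDPAPIMasterKeys
        TraversalFound = $suspect   # any hit warrants a closer look at that account
    }
}
```

Any account listed confirms Credential Roaming is in use and the patch is relevant; a TraversalFound hit is a reason to examine that account's roaming entries and who last modified them.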
