
"This opportunistic approach illustrates APT29's continued evolution in scaling their operations to cast a wider net in their intelligence collection efforts,"
Amazon flagged and disrupted an opportunistic watering hole campaign orchestrated by Russia-linked APT29. The campaign used compromised websites to redirect visitors to malicious infrastructure designed to trick users into authorizing attacker-controlled devices through Microsoft's device code authentication flow. APT29 injected JavaScript into legitimate sites, redirecting approximately 10% of visitors to actor-controlled domains. The group, tied to Russia's SVR and known by multiple aliases, recently leveraged malicious RDP configuration files against Ukrainian entities and has adopted device code and device join phishing to obtain unauthorized Microsoft 365 access. The activity reflects ongoing credential harvesting and evolving tradecraft.
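Added example, not from the article or from Amazon's report: a defender-side triage check that scans Entra ID sign-in records for successful device-code-flow sign-ins from outside expected countries or onto unmanaged devices, the pattern a victim of this lure would produce. The log lines are constructed, and the field names (`authenticationProtocol`, `deviceDetail.trustType`, `location.countryOrRegion`, `status.errorCode`) are assumed to match the Entra sign-in log export schema; verify them against your tenant's export.

```python
import json

# Constructed sign-in records in JSON-lines form (not real logs). The field
# names follow the Microsoft Entra sign-in log schema as assumed here.
SAMPLE_LOG = """\
{"userPrincipalName": "a.user@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7", "location": {"countryOrRegion": "NL"}, "deviceDetail": {"isCompliant": false, "trustType": ""}, "status": {"errorCode": 0}}
{"userPrincipalName": "b.user@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "US"}, "deviceDetail": {"isCompliant": true, "trustType": "Azure AD joined"}, "status": {"errorCode": 0}}
{"userPrincipalName": "c.user@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.8", "location": {"countryOrRegion": "NL"}, "deviceDetail": {"isCompliant": false, "trustType": ""}, "status": {"errorCode": 0}}
{"userPrincipalName": "d.user@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.9", "location": {"countryOrRegion": "NL"}, "deviceDetail": {"isCompliant": false, "trustType": ""}, "status": {"errorCode": 50126}}
"""


def parse_jsonl(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def device_code_alerts(records, expected_countries):
    """Return alerts for successful device-code sign-ins that look off.

    A device code sign-in is only flagged when it succeeded; failed attempts
    are skipped here because no session was issued. Two signals are checked:
    a country outside the expected set, and a device that is neither
    compliant nor registered/joined to the tenant (i.e. an unknown device
    being authorized, which is exactly what the phishing flow achieves).
    """
    alerts = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue
        reasons = []
        country = r.get("location", {}).get("countryOrRegion")
        if country not in expected_countries:
            reasons.append(f"unexpected country {country}")
        dev = r.get("deviceDetail", {})
        if not dev.get("isCompliant") and not dev.get("trustType"):
            reasons.append("unmanaged device")
        if reasons:
            alerts.append({"user": r.get("userPrincipalName"),
                           "ip": r.get("ipAddress"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in device_code_alerts(parse_jsonl(SAMPLE_LOG), {"US"}):
        print(a)
```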
Read at The Hacker News