
"APT29, also known as Cozy Bear and Midnight Blizzard, is probably best known for the 2020 SolarWinds hack, and has been widely linked to Russia's Foreign Intelligence Service (SVR) by the US, UK, and other governments and security researchers. And this particular bear has developed a taste for Microsoft data and user credentials over the years. In its most recent watering hole campaign, the attackers compromised legitimate websites and injected malicious JavaScript code that redirected about 10 percent of visitors to actor-controlled domains."
"Moses added that no AWS systems were compromised, nor was there any direct impact on AWS services or infrastructure. AWS also analyzed the code to find the methods APT29 used to evade detection. These included using randomization to only redirect a small percentage of visitors, employing base64 encoding to hide malicious code, setting cookies to prevent repeated redirects of the same visitor, and then pivoting to new infrastructure when blocked."
Amazon disrupted an APT29 intelligence-gathering campaign that targeted Microsoft users and attempted to obtain account access and data. APT29, also named Cozy Bear and Midnight Blizzard, compromised legitimate websites and injected malicious JavaScript that redirected roughly 10 percent of visitors to actor-controlled domains. The domains impersonated Cloudflare verification pages to trick users into entering attacker-generated device codes on Microsoft sign-in pages, thereby authorizing attacker-controlled devices. No AWS systems were compromised and there was no direct impact on AWS services or infrastructure. AWS analysis found evasion techniques including randomization of redirects, base64 encoding, cookie-based suppression of repeat redirects, and pivoting infrastructure when blocked.
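A defender-side illustration of the evasion traits the summary lists (base64-wrapped payload, randomized redirect gate, suppression cookie, location change): this added Python heuristic is not code from AWS or The Register. It decodes long base64 literals found inside inline scripts and flags scripts that combine those traits; the sample page, the regexes and the trait names are constructed assumptions, not indicators from the campaign.

```python
import base64
import re

# Heuristic triage of inline <script> bodies for the traits the article attributes
# to the injected JavaScript: a base64-wrapped payload that, once decoded, gates a
# redirect on Math.random(), sets a cookie so the same visitor is not redirected
# twice, and changes window.location. The patterns are assumptions for triage.
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
TRAITS = {
    "random_gate": re.compile(r"Math\.random\(\)\s*[<>]"),
    "cookie_set": re.compile(r"document\.cookie\s*="),
    "redirect": re.compile(r"(?:window\.)?location(?:\.href)?\s*=|location\.replace\("),
}


def decode_b64_blobs(script: str) -> list[str]:
    """Return the decoded text of every long base64-looking literal in a script."""
    out = []
    for m in B64_RE.finditer(script):
        try:
            out.append(base64.b64decode(m.group(0), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 / not text: probably an ordinary identifier
    return out


def triage_scripts(html: str) -> list[dict]:
    """For each inline script, report which traits appear in it or its decoded blobs."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        texts = [body] + decode_b64_blobs(body)
        hits = {n for n, rx in TRAITS.items() if any(rx.search(t) for t in texts)}
        findings.append({
            "script": body[:40],
            "traits": sorted(hits),
            "decoded_payload": len(texts) > 1,
            # two or more traits hidden behind base64 is the combination worth a look
            "suspicious": len(hits) >= 2 and len(texts) > 1,
        })
    return findings


# Constructed sample page (not a real capture): one benign inline script and one
# injected script whose payload is base64-wrapped and evaluated at runtime.
_PAYLOAD = ('if(Math.random()<0.1){document.cookie="seen=1";'
            'window.location="https://redirect.invalid/";}')
SAMPLE_HTML = (
    "<html><script>var ts=Date.now();console.log(ts);</script>"
    '<script>eval(atob("' + base64.b64encode(_PAYLOAD.encode()).decode() + '"))</script>'
    "</html>"
)
```

Running `triage_scripts(SAMPLE_HTML)` marks only the second script suspicious, with all three traits found in its decoded payload.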
Read at Theregister