A notorious Russia-based cyber espionage group known as APT29 has reportedly exploited a less common Windows feature called Credential Roaming following a successful phishing operation targeting an unnamed European diplomatic organization. The focus on diplomatic targets aligns with APT29's historical modus operandi of gathering intelligence that supports Russian state interests.
Mandiant researcher Thibault Van Geluwe de Berlaere emphasized these insights in a technical analysis, pointing out that APT29—also recognized as Cozy Bear, Iron Hemlock, and The Dukes—is suspected to operate under the auspices of Russia’s Foreign Intelligence Service (SVR). This group has made headlines for its advanced persistent threats (APTs) and its role in the intrusions that have fueled geopolitical tensions.
APT29 is also tracked under the name Nobelium and was linked to the significant SolarWinds supply chain attack in December 2020. Mandiant's investigation revealed the use of Credential Roaming during APT29's infiltration of the victim's network in early 2022, when unusual Lightweight Directory Access Protocol (LDAP) queries were executed against the Active Directory environment.
Credential Roaming, introduced in Windows Server 2003 Service Pack 1, allows users to securely transfer their credentials—such as private keys and certificates—across workstations within a Windows domain. Mandiant clarified that the feature stores user credentials in specific LDAP attributes, which APT29 queried; most notably, the ms-PKI-Credential-Roaming-Tokens attribute holds the encrypted user credential tokens used for roaming.
Furthermore, Mandiant uncovered an arbitrary file write vulnerability in Credential Roaming, identified as CVE-2022-30170, which could lead to remote code execution in the context of an authenticated user. Microsoft addressed this vulnerability in the Patch Tuesday update released on September 13, 2022, noting that successful exploitation requires the attacker to already be logged in to Windows or to otherwise have remote interactive access to the target machine.
This development has direct implications for organizations concerned about cybersecurity threats, as it underscores the need for timely application of security patches. Mandiant's findings stress the importance of monitoring LDAP activity in Active Directory environments, in particular queries for the Credential Roaming attributes, and of applying the available update to close the vulnerability. Business owners are encouraged to take proactive measures to safeguard their systems.
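As an added example that is not part of the article or of Mandiant's analysis, the following Python script shows the kind of detection a defender could run over LDAP search logs to surface queries for the Credential Roaming attributes discussed above. The log line format and the sample lines are constructed for this example; real directory-service logging on domain controllers uses its own format, so the parser would need adapting. The ms-PKI-Credential-Roaming-Tokens attribute is the one named in the article; msPKIAccountCredentials and msPKIDPAPIMaskedKeys are the companion schema attributes the feature also stores, added here from general knowledge of the feature rather than from the article. The severity thresholds are an assumption: a workstation reading its own user's roaming credentials at logon is expected, a subtree search that asks for these attributes across many accounts is not.

```python
import re

# Credential Roaming attributes to watch (compared case-insensitively).
# ms-PKI-Credential-Roaming-Tokens is named in the article; the other two are the
# companion attributes of the same feature (assumed from the Windows schema).
ROAMING_ATTRIBUTES = {
    "ms-pki-credential-roaming-tokens",
    "mspkiaccountcredentials",
    "mspkidpapimaskedkeys",
}

# Constructed log format for this example (not a real product's format):
# one LDAP search per line, with the requesting client, user, scope, base DN,
# filter and the comma-separated list of attributes requested.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) client=(?P<client>\S+) user=(?P<user>\S+) scope=(?P<scope>\w+) '
    r'base="(?P<base>[^"]*)" filter="(?P<filter>[^"]*)" attrs=(?P<attrs>\S*)$'
)

# Constructed sample log: an expected self-read at logon, a broad subtree search
# for roaming tokens, and an unrelated query that should not alert.
SAMPLE_LOG = """\
2022-02-14T09:01:12Z client=10.0.5.21 user=CORP\\alice scope=base base="CN=alice,OU=Users,DC=corp,DC=example" filter="(objectClass=*)" attrs=msPKIAccountCredentials,msPKIDPAPIMaskedKeys
2022-02-14T09:03:45Z client=10.0.5.21 user=CORP\\alice scope=subtree base="DC=corp,DC=example" filter="(objectClass=user)" attrs=sAMAccountName,ms-PKI-Credential-Roaming-Tokens
2022-02-14T09:04:02Z client=10.0.5.30 user=CORP\\bob scope=base base="CN=bob,OU=Users,DC=corp,DC=example" filter="(objectClass=*)" attrs=displayName,mail
"""

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["attrs"] = tuple(a.lower() for a in rec["attrs"].split(",") if a)
    return rec


def classify(rec):
    """Assign a severity to a search that requested Credential Roaming attributes."""
    account = rec["user"].split("\\")[-1].lower()
    if rec["scope"].lower() == "subtree":
        return "high", "subtree search requesting Credential Roaming attributes (bulk collection pattern)"
    if rec["base"].lower().startswith(f"cn={account},"):
        return "low", "user reading its own roaming credentials (expected at logon)"
    return "medium", "Credential Roaming attributes read from another account's object"


def detect(lines):
    """Return one alert dict per search that asked for any Credential Roaming attribute."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = ROAMING_ATTRIBUTES.intersection(rec["attrs"])
        if not hit:
            continue
        severity, reason = classify(rec)
        alerts.append({
            "ts": rec["ts"],
            "client": rec["client"],
            "user": rec["user"],
            "scope": rec["scope"],
            "attrs": tuple(sorted(hit)),
            "severity": severity,
            "reason": reason,
        })
    return alerts


def summarize(alerts):
    """Highest severity seen per client address, for triage."""
    worst = {}
    for a in alerts:
        current = worst.get(a["client"])
        if current is None or SEVERITY_RANK[a["severity"]] > SEVERITY_RANK[current]:
            worst[a["client"]] = a["severity"]
    return worst


if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"[{a['severity']}] {a['ts']} {a['client']} {a['user']} {a['scope']} {a['attrs']}: {a['reason']}")
    print("per-client worst severity:", summarize(found))
```

Run against the constructed sample, the script flags the logon-time self-read as low and the subtree search for ms-PKI-Credential-Roaming-Tokens as high, while the ordinary directory lookup produces no alert. In production the same logic would sit behind whatever LDAP query logging the domain controllers emit, and the "low" self-reads can be suppressed once the baseline is understood.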