Amazon has disrupted a watering hole campaign run by the Russian group APT29, also known as Midnight Blizzard, which used compromised websites to redirect visitors into an abuse of Microsoft's device code authentication flow.
The incident came to light when Amazon's security team observed new activity from APT29, a threat group attributed to Russia's Foreign Intelligence Service (SVR). This time, the group used a watering hole approach, embedding malicious code into legitimate sites that redirected unsuspecting visitors to infrastructure controlled by the attackers.
The primary objective of this campaign was to deceive users into approving unauthorized devices via Microsoft’s device code authentication system, a method that could potentially provide the attackers with access to sensitive accounts.
A watering hole attack is a type of intrusion in which malicious actors compromise popular websites frequented by a specific target demographic, aiming to compromise visitors' devices or accounts when they browse to the site. The technique lets attackers target individuals more selectively than casting a wide net with phishing campaigns.
Previously, APT29 utilized phishing strategies involving fraudulent AWS domains and targeted attacks against academics and critics of the Russian government. However, this latest campaign signifies a shift towards redirecting users from compromised websites to malicious domains.
According to details disclosed in Amazon's corporate blog, overseen by the company's Chief Information Security Officer, CJ Moses, only approximately 10% of visitors were redirected. Keeping the redirect rate this low allowed the attackers to operate under the radar while still reaching specific victims.
The Technical Side of It
The technical measures behind the operation were designed for longevity. The malicious JavaScript was obfuscated and base64-encoded, making it harder for detection mechanisms to flag. Cookies were used to limit how often a given visitor was redirected, and when domains were blocked, the attackers quickly moved to alternative infrastructure. Some of the fabricated web pages mimicked Cloudflare verification screens, making them plausible enough to mislead unsuspecting visitors.
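The tradecraft described above (base64-encoded script decoded at runtime, cookie-gated redirects, third-party destinations) leaves a recognizable footprint in page source. The following is an added example, not code from Amazon or from the article, of a defender-side scanner that decodes inline base64 strings one layer deep and flags scripts that combine runtime decoding, cookie gating and redirect logic pointing off-site. The HTML sample, the host names and the heuristic thresholds are constructed for illustration and are not taken from the campaign.

```python
import base64
import re
from dataclasses import dataclass

# Heuristics for the pattern the article describes: an inline <script> that
# decodes a base64 blob at runtime and uses the result to redirect the visitor.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
BASE64_RE = re.compile(r"""["']([A-Za-z0-9+/]{40,}={0,2})["']""")
DECODER_RE = re.compile(r"\batob\s*\(|\beval\s*\(|\bFunction\s*\(", re.I)
REDIRECT_RE = re.compile(r"location\s*(\.href|\.replace|\.assign|=)|window\.open\s*\(", re.I)
COOKIE_RE = re.compile(r"document\.cookie", re.I)
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


@dataclass
class Finding:
    reasons: list
    hosts: list


def decode_blobs(script: str) -> str:
    """Decode every long base64 literal in the script (one layer only)."""
    decoded = []
    for blob in BASE64_RE.findall(script):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 or not text; ignore
    return "\n".join(decoded)


def analyze_html(html: str, first_party_hosts: set) -> list:
    """Return one Finding per inline script that looks like a hidden redirector."""
    findings = []
    for script in SCRIPT_RE.findall(html):
        decoded = decode_blobs(script)
        combined = script + "\n" + decoded
        reasons = []
        if decoded and DECODER_RE.search(script):
            reasons.append("runtime-decoded base64 string")
        if REDIRECT_RE.search(decoded):
            reasons.append("redirect logic hidden inside decoded payload")
        if COOKIE_RE.search(combined):
            reasons.append("cookie used to gate behaviour (frequency control)")
        hosts = sorted({h.lower() for h in HOST_RE.findall(combined)} - first_party_hosts)
        if hosts:
            reasons.append("references to third-party hosts")
        if reasons:
            findings.append(Finding(reasons, hosts))
    return findings


# Constructed sample: a page on a hypothetical first-party site carrying an
# injected script. The payload is a plain redirect, base64-encoded here so the
# sample is self-contained; the destination host is a placeholder.
_PAYLOAD = base64.b64encode(
    b'window.location.replace("https://verify.example.invalid/check")'
).decode()
SAMPLE_HTML = f"""<html><body>
<script>
if (document.cookie.indexOf('seen=') === -1) {{
  document.cookie = 'seen=1';
  eval(atob('{_PAYLOAD}'));
}}
</script>
<script src="/static/app.js"></script>
</body></html>"""


def scan_sample() -> list:
    return analyze_html(SAMPLE_HTML, {"www.example.com"})


if __name__ == "__main__":
    for f in scan_sample():
        print("suspicious inline script:", "; ".join(f.reasons))
        print("  off-site hosts:", ", ".join(f.hosts) or "none")
```

The scanner decodes only one layer; real payloads are often layered or split across several strings, so treat a hit as a lead for manual review rather than a verdict, and pair it with a baseline of the site's own scripts so legitimate third-party hosts can be added to the allow set.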
Upon discovery of the attack, Amazon took immediate action by isolating the affected EC2 instances, collaborating with Cloudflare and other service providers to terminate the malicious domains, and sharing valuable intelligence with Microsoft. Even after APT29 shifted operations to another cloud service and registered new deceptive domains, Amazon persisted in monitoring and disrupting their efforts to minimize the campaign’s impact.
Keep an Eye Out
While multi-factor authentication remains one of the most effective cybersecurity measures, users must confirm that any Microsoft device code prompt they see was initiated by themselves before approving it. The coordinated response from Amazon, Microsoft and Cloudflare pressured APT29 into halting this campaign, but the group is likely to return with new tactics, which remains a concern for all stakeholders in security.