• Amazon security experts spotted a watering hole attack tricking users into sharing Microsoft login credentials
• The attack was stopped with the combined efforts of Amazon, Cloudflare, and Microsoft
• Amazon is warning about Cozy Bear’s increasing sophistication

Amazon’s security experts say they disrupted a new “watering hole” campaign conducted by the Russian state-sponsored threat actor group known as APT29 (Midnight Blizzard, or Cozy Bear).

A watering hole attack is when cybercriminals inject malware into a website usually visited by a specific group of people, hoping to compromise their devices when they access it.

In this case, APT29 managed to compromise multiple websites, and used them to redirect the victims to other, attacker-controlled domains.

Credential harvesting campaign

It's not known which websites were infected, or how many there were, but threat actors typically steal, or simply guess, the login credentials of poorly protected websites, elevate their privileges from the inside, and then hide malicious code in plain sight.

APT29 used the sites to redirect victims to two malicious domains: findcloudflare[.]com, and cloudflare[.]redirectpartners[.]com. There, they would mimic Microsoft’s usual device code authentication flow, in an effort to log into their victims’ Microsoft accounts.

“The current campaign shows their continued focus on credential harvesting and intelligence collection, with refinements to their technical approach, and demonstrates an evolution in APT29’s tradecraft through their ability to compromise legitimate websites and initially inject obfuscated JavaScript, rapidly adapt infrastructure when faced with disruption and, on new infrastructure, adjust from use of JavaScript redirects to server-side redirects,” Amazon said in its report.
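The report describes injected, obfuscated JavaScript that redirects a share of visitors to the two attacker-controlled domains. The following is an added example, not code from Amazon's report or from the campaign itself, of how a site owner or defender could sweep saved page copies for that pattern: it pulls inline scripts out of HTML, decodes any base64 literals one layer deep, and flags scripts that either reference one of the two reported domains or pair an obfuscation primitive (atob, eval, String.fromCharCode) with a redirect primitive (window.location and friends). The sample page, the injected snippet and the hint lists are all constructed for illustration; only the two domains come from the article.

```python
import base64
import re

# Attacker-controlled domains named in Amazon's report, written defanged as on the page
# and refanged here for matching.
IOC_DOMAINS = {
    d.replace("[.]", ".")
    for d in ("findcloudflare[.]com", "cloudflare[.]redirectpartners[.]com")
}

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# Runs of base64 alphabet long enough to be an encoded payload rather than an identifier.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Constructed hint lists: primitives commonly seen in obfuscated loaders and in client-side redirects.
OBFUSCATION_HINTS = ("atob(", "eval(", "String.fromCharCode", "unescape(", "Function(")
REDIRECT_HINTS = ("window.location", "location.href", "location.replace", "document.location")


def decode_base64_literals(text):
    """Return the UTF-8 decodings of every base64-looking literal in text (one layer deep)."""
    decoded = []
    for match in B64_RE.finditer(text):
        try:
            decoded.append(base64.b64decode(match.group(0), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            # Not valid base64, or not text once decoded: ignore this candidate.
            continue
    return decoded


def extract_hosts(text):
    """Lower-cased hostnames of every http(s) URL in text."""
    return {h.lower() for h in URL_HOST_RE.findall(text)}


def scan_html(html):
    """Flag inline scripts that reference an IOC domain (directly or under one layer of
    base64) or that combine an obfuscation primitive with a redirect primitive."""
    findings = []
    for index, match in enumerate(SCRIPT_RE.finditer(html)):
        body = match.group(1)
        # Look at the raw body plus whatever its base64 literals decode to.
        visible = "\n".join([body] + decode_base64_literals(body))
        ioc_hits = sorted(extract_hosts(visible) & IOC_DOMAINS)
        obfuscation = [h for h in OBFUSCATION_HINTS if h in body]
        redirect = [h for h in REDIRECT_HINTS if h in visible]
        if ioc_hits or (obfuscation and redirect):
            findings.append({
                "script_index": index,
                "ioc_domains": ioc_hits,
                "obfuscation": obfuscation,
                "redirect": redirect,
            })
    return findings


# Constructed sample page: two legitimate scripts plus one injected, base64-wrapped
# redirect to an IOC domain (illustrative only; not the actual code from the campaign).
_INJECTED = "window.location.replace('https://findcloudflare.com/');"
_ENCODED = base64.b64encode(_INJECTED.encode()).decode()
SAMPLE_HTML = f"""<html><head>
<script src="/static/app.js"></script>
<script>document.getElementById('year').textContent = '2025';</script>
</head><body>
<p>Article body.</p>
<script>eval(atob("{_ENCODED}"));</script>
</body></html>"""


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

Run against stored copies of a site's pages (or a crawl of them), and compare results over time: a script that appears only on some fetches, or only for some visitors, is exactly the kind of selective injection a watering hole relies on. The decoder is deliberately one layer deep; real obfuscation can nest, so treat an `eval`/`atob` pairing as worth a manual look even when no domain is recovered.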

Amazon also said approximately 10% of the compromised websites’ visitors were being redirected to attacker-controlled domains. AWS systems were not compromised, and there was no direct impact on AWS services and infrastructure.

To tackle the threat, the company isolated the affected EC2 instances and, with the help of Cloudflare, disrupted the domains and notified Microsoft.

The attackers then tried to move to a different domain, but that one was quickly blocked, as well.
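Two figures from the report lend themselves to log analysis: roughly 10% of a compromised site's visitors were redirected, and the lure imitated Microsoft's device code sign-in so that the victim would eventually enter a code on the real device login page. The following is an added example, not Amazon's or Microsoft's tooling, of the checks a defender could run over web proxy logs: which referrer sites are sending clients to the two reported domains, what fraction of a site's visitors end up there, and which clients reach a device login page shortly after touching an IOC domain. The log format, the sample traffic, the 15-minute window and the device-login path hints are constructed assumptions; only the two domains come from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Attacker-controlled domains from Amazon's report (refanged).
IOC_DOMAINS = {"findcloudflare.com", "cloudflare.redirectpartners.com"}
# Assumed indicators for Microsoft's device code sign-in page; tune to your own logs.
DEVICE_LOGIN_HOSTS = {"microsoft.com", "www.microsoft.com", "login.microsoftonline.com"}
DEVICE_LOGIN_PATH_HINTS = ("/devicelogin", "/deviceauth", "/devicecode")


def parse_log(text):
    """Parse constructed proxy lines: '<utc time> <client> <status> <method> <url> <referer>'."""
    events = []
    for line in text.strip().splitlines():
        ts, client, status, method, url, referer = line.split()
        parsed = urlparse(url)
        referer_host = "" if referer == "-" else (urlparse(referer).hostname or "")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "status": int(status),
            "method": method,
            "host": parsed.hostname or "",
            "path": parsed.path,
            "referer_host": referer_host,
        })
    return events


def ioc_events(events):
    """Requests whose destination is one of the reported domains."""
    return [e for e in events if e["host"] in IOC_DOMAINS]


def compromised_sources(events):
    """Referrer hosts (outside the IOC set) that sent clients to an IOC domain, with hit counts."""
    counts = defaultdict(int)
    for e in ioc_events(events):
        if e["referer_host"] and e["referer_host"] not in IOC_DOMAINS:
            counts[e["referer_host"]] += 1
    return dict(counts)


def redirect_rate(events, source_host):
    """Fraction of distinct clients of source_host that also reached an IOC domain."""
    visitors = {e["client"] for e in events if e["host"] == source_host}
    if not visitors:
        return 0.0
    redirected = {e["client"] for e in ioc_events(events) if e["client"] in visitors}
    return len(redirected) / len(visitors)


def device_login_after_ioc(events, window=timedelta(minutes=15)):
    """(client, first IOC hit, device login hit) for clients that reach a device login
    page within `window` after first touching an IOC domain."""
    first_ioc = {}
    for e in sorted(ioc_events(events), key=lambda e: e["time"]):
        first_ioc.setdefault(e["client"], e["time"])
    suspects = []
    for e in sorted(events, key=lambda e: e["time"]):
        is_device_login = e["host"] in DEVICE_LOGIN_HOSTS and any(
            hint in e["path"].lower() for hint in DEVICE_LOGIN_PATH_HINTS)
        if is_device_login and e["client"] in first_ioc:
            delta = e["time"] - first_ioc[e["client"]]
            if timedelta(0) <= delta <= window:
                suspects.append((e["client"], first_ioc[e["client"]], e["time"]))
    return suspects


def build_sample_log():
    """Constructed proxy log: ten visitors of a legitimate site, one of whom is sent through
    the two IOC domains to the device login page; one unrelated device login (illustrative)."""
    lines = [f"2025-08-29T10:0{i}:00Z 10.0.0.{i + 1} 200 GET https://news.example.org/article/1 -"
             for i in range(10)]
    lines += [
        "2025-08-29T10:04:02Z 10.0.0.5 302 GET https://findcloudflare.com/verify https://news.example.org/article/1",
        "2025-08-29T10:04:03Z 10.0.0.5 200 GET https://cloudflare.redirectpartners.com/check https://findcloudflare.com/verify",
        "2025-08-29T10:06:30Z 10.0.0.5 200 GET https://www.microsoft.com/devicelogin https://cloudflare.redirectpartners.com/check",
        "2025-08-29T10:20:00Z 10.0.0.8 200 GET https://www.microsoft.com/devicelogin -",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    evts = parse_log(build_sample_log())
    print("sources:", compromised_sources(evts))
    print("rate for news.example.org:", redirect_rate(evts, "news.example.org"))
    print("device login after IOC:", device_login_after_ioc(evts))
```

The referrer check is what identifies which legitimate sites are compromised, since the article notes those were not disclosed. The device-login correlation is the proxy-side view; the identity-side view is a sign-in that used the device code protocol from a client that has no business using it, which Entra sign-in logs expose as the authentication protocol field, so the two can be joined on user and time. A visit to the real device login page on its own is normal (the constructed 10.0.0.8 client is not flagged), which is why the check keys on the preceding IOC hit rather than on the login page alone.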

How to stay safe

To mitigate potential risks, users should place a credit freeze (or fraud alert) with all three credit bureaus, preventing new credit accounts from being opened in their name without approval.

They should also monitor their credit reports, and use TransUnion’s offer of free identity theft monitoring.

Finally, they should watch their financial accounts closely, and be extra cautious with incoming emails and other communication. Since attackers now know their contact info, they might send convincing fake emails, texts, or calls pretending to be banks, government agencies, or even TransUnion itself.

Via BleepingComputer
