APT29 using Windows bug to target diplomats

A new report from Mandiant, the cybersecurity firm recently acquired by Google, states that the Russian hacking group APT29, also known as “Cozy Bear”, has been detected using the Windows Credential Roaming feature to target diplomats and diplomatic entities. This is consistent with “Russian strategic priorities,” per Mandiant.

APT29, or “Cozy Bear”, is a Russian espionage group that Mandiant has been tracking since 2014, according to its website. APT29 is believed to be intertwined with the Foreign Intelligence Service (SVR), Russia’s external intelligence agency. Mandiant has repeatedly observed APT29 targeting the United States, NATO, and allied entities over the years.

Mandiant finds that APT29 is increasing the frequency of attacks utilizing Credential Roaming in 2022 due to the escalation of the Russian war with Ukraine.

By exploiting the Microsoft Windows Credential Roaming feature, an attacker can “follow” or “roam” with the targeted user. This allows the attacker to remotely access target machines without authorization.

The attackers run multiple LDAP queries against the Windows Active Directory environment to gather credentials. Credential Roaming was introduced in Windows Server 2003 SP1 and is still supported today in Windows 11 and Windows Server 2022, per Mandiant.

By exploiting the Credential Roaming bug, attackers can perform privilege escalation. In the worst case, the entire Windows domain within the target network could be compromised.

System administrators should determine whether Credential Roaming is enabled in their Windows environment. If so, Mandiant recommends applying the September 2022 patch urgently to remediate CVE-2022-30170.
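A practical way to answer the question above (is Credential Roaming in use here?) is to look for the artefacts the feature leaves in Active Directory, since the same attributes that the LDAP enumeration described earlier reads are the ones a defender can inventory. The script below is an added example and is not from the article, Mandiant, or Microsoft; it assumes an AD-joined Windows host with the RSAT ActiveDirectory module and an account permitted to read user attributes. The attribute names (`msPKI-RoamingTimeStamp`, `msPKIAccountCredentials`, `msPKIDPAPIMasterKeys`) are the published AD schema LDAP display names for Credential Roaming data; the patch KB number varies by OS build and is left as a placeholder.

```powershell
# Added example (not from the article or Mandiant): inventory Credential Roaming
# usage across an AD domain so administrators know whether CVE-2022-30170
# patching is urgent and which accounts carry roaming credential blobs.
# Assumes: AD-joined host, RSAT ActiveDirectory module, read access to user objects.
Import-Module ActiveDirectory

# Credential Roaming stores per-user material in these attributes. A populated
# msPKI-RoamingTimeStamp means the feature has synchronised for that account at
# least once; the other two hold the roamed credential and DPAPI master key blobs.
$roamingAttrs = 'msPKI-RoamingTimeStamp', 'msPKIAccountCredentials', 'msPKIDPAPIMasterKeys'

# One server-side LDAP filter returns only accounts that have ever roamed.
$users = Get-ADUser -LDAPFilter '(msPKI-RoamingTimeStamp=*)' -Properties $roamingAttrs

$report = foreach ($u in $users) {
    [pscustomobject]@{
        SamAccountName      = $u.SamAccountName
        Enabled             = $u.Enabled
        CredentialBlobs     = @($u.msPKIAccountCredentials).Count   # multi-valued octet strings
        DpapiMasterKeyBlobs = @($u.msPKIDPAPIMasterKeys).Count
    }
}

if (@($report).Count -gt 0) {
    Write-Host ("Credential Roaming artefacts found on {0} account(s). " -f @($report).Count) -NoNewline
    Write-Host "Verify the September 2022 update for CVE-2022-30170 (KB <placeholder, depends on OS build>) is installed on affected hosts."
    $report | Sort-Object CredentialBlobs -Descending | Format-Table -AutoSize
    # Keep a record for the incident/asset team.
    $report | Export-Csv -Path '.\credential-roaming-inventory.csv' -NoTypeInformation
} else {
    Write-Host "No accounts with Credential Roaming data found; the feature appears unused in this domain."
}
```

Run the script from a domain-joined workstation with domain user rights (reading these attributes normally requires no elevated privilege). The CSV gives the asset team a list of accounts whose roamed blobs would be exposed to the kind of LDAP enumeration the article describes, which is also a natural scope for an auditing SACL on those attributes if you want directory-read events for them in the security log.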