Severity
High
Analysis Summary
The APT29 nation-state actor with ties to Russia was observed using Credential Roaming, a lesser-known Windows feature, after a successful phishing attack on a European diplomatic entity.
Microsoft introduced Credential Roaming in Windows Server 2003 SP1, and it is still supported in Windows 11 and Windows Server 2022. The feature allows users' certificates and other credentials to roam with them between machines inside a domain.
APT29, also known as Nobelium and Cozy Bear, is the group behind the SolarWinds supply-chain attack in 2020. The group has previously targeted commercial entities and government organizations in Germany, Uzbekistan, South Korea and the US, including the US State Department and the White House in 2014.
Mandiant researchers observed several LDAP queries against Active Directory in the intrusion they were analyzing; these queries had a number of atypical characteristics.

“The queried LDAP attributes relate to usual credential information gathering (e.g. unixUserPassword); however, one attribute in particular stood out: {b7ff5a38-0818-42b0-8110-d3d154c97f24}, or msPKI-CredentialRoamingTokens, which is described by Microsoft as ‘storage of encrypted user credential token BLOBs for roaming’. Upon further inspection, Mandiant identified that this attribute is part of a lesser-known feature of Active Directory: Credential Roaming.”
Further investigation of how the feature works led Mandiant to identify an arbitrary file write vulnerability in Credential Roaming that a threat actor can exploit to achieve remote code execution in the context of the logged-in victim.
Microsoft patched the flaw, tracked as CVE-2022-30170, on September 13, 2022, noting that exploitation requires a user to log in to Windows.
Where Credential Roaming is in use in an organization, attackers can abuse the roamed (saved) credentials for privilege escalation.
Researchers advised organizations to deploy the September 2022 fixes to protect themselves against the vulnerability, noting that the research also explains why APT29 is aggressively querying the associated LDAP attributes in Active Directory.
Mandiant recommends that organizations check whether Credential Roaming is in use in their environment and, if so, apply the September 2022 patch urgently to remediate CVE-2022-30170. Organizations that have used Credential Roaming in the past should also verify that the proper clean-up process described by Microsoft was followed.
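The atypical LDAP queries described above are the detection opportunity defenders have here. The following is an added example, not code from the advisory or from Mandiant: it classifies LDAP search records from a constructed, simplified log format (the field names and sample IP addresses are assumptions) and flags searches that request the msPKI-CredentialRoamingTokens attribute or its schema GUID, treating domain-wide searches as more suspicious than the single-object read the roaming client itself performs.

```python
import re
from collections import namedtuple

# LDAP display name and schema GUID of the Credential Roaming attribute named in the advisory,
# plus unixUserPassword, which the quoted Mandiant text mentions alongside it.
ROAMING_GUID = "{b7ff5a38-0818-42b0-8110-d3d154c97f24}"
CREDENTIAL_ATTRS = {"mspki-credentialroamingtokens", ROAMING_GUID, "unixuserpassword"}

LdapSearch = namedtuple("LdapSearch", "client base_dn filter attributes")

def parse_search_line(line):
    """Parse one line of the constructed log format (client=<ip> base=<dn> filter=<f> attrs=<a,b>).
    Assumption: a real deployment would feed the same fields from DC LDAP logging or an LDAP proxy."""
    m = re.fullmatch(r"client=(\S+) base=(\S+) filter=(\S+) attrs=(\S+)", line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    client, base, flt, attrs = m.groups()
    return LdapSearch(client, base, flt, attrs.split(","))

def classify(search):
    """Return the reasons a search looks like credential-roaming reconnaissance ([] if it looks normal)."""
    reasons = []
    hits = sorted(a for a in search.attributes if a.lower() in CREDENTIAL_ATTRS)
    if hits:
        reasons.append("requests credential attributes: " + ", ".join(hits))
        # The roaming client reads its own user object. A search rooted at the domain
        # (base DN starting with DC=) pulls every user's tokens and is far more suspicious.
        if search.base_dn.upper().startswith("DC="):
            reasons.append("domain-wide scope")
    return reasons

def find_suspicious(lines):
    """Run classify() over a log and return (client, reasons) for every flagged search."""
    flagged = []
    for line in lines:
        search = parse_search_line(line)
        reasons = classify(search)
        if reasons:
            flagged.append((search.client, reasons))
    return flagged

# Constructed sample log: a routine lookup, a domain-wide harvest, and a single-object read.
SAMPLE_LOG = [
    "client=10.0.0.5 base=DC=corp,DC=example filter=(objectClass=user) attrs=cn,sAMAccountName,mail",
    "client=10.0.0.77 base=DC=corp,DC=example filter=(objectClass=user) attrs=sAMAccountName,unixUserPassword,{b7ff5a38-0818-42b0-8110-d3d154c97f24}",
    "client=10.0.0.9 base=CN=jdoe,OU=Users,DC=corp,DC=example filter=(objectClass=*) attrs=msPKI-CredentialRoamingTokens",
]
```

Calling find_suspicious(SAMPLE_LOG) flags the second and third records; only the second, rooted at the domain, is marked domain-wide.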
Impact
- Exploitation of Windows Feature
- Information Theft and Espionage
- Exposure of Sensitive Data
Remediation
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Ensure that general security policies are employed including: implementing strong passwords, correct configurations, and proper administration security policies.
- Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets.