Windows Credential Roaming in new APT29 attack

Russian state-sponsored hacking group APT29, also known as Cozy Bear, The Dukes, and Iron Hemlock, has attacked an unnamed European diplomatic organization by abusing the Windows Credential Roaming feature, according to The Hacker News. Mandiant researchers first identified the use of Windows Credential Roaming after APT29 gained entry to the organization's network early this year, when they observed various LDAP queries with unusual properties being run against Active Directory. Attackers could also leverage an arbitrary file write flaw, tracked as CVE-2022-3170, to achieve remote code execution once logged in to Windows, Mandiant researchers noted. "An attacker who successfully exploited the vulnerability could gain remote interactive logon rights to a machine where the victim's account would not normally hold such privilege," researchers added. Mandiant has called for the immediate remediation of the vulnerability, which Microsoft already addressed in updates issued during September's Patch Tuesday.
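The detection clue in the report is LDAP searches against Active Directory that ask for properties ordinary clients rarely touch. The script below is an added example for defenders, not code from the article, Mandiant or Microsoft: it scans a small set of constructed LDAP search log lines and flags clients that request the attributes Credential Roaming writes to a user object (msPKIAccountCredentials, msPKIDPAPIMasterKeys and msPKIRoamingTimeStamp, the Microsoft-documented attribute names; the page itself does not list them, so treat that mapping as an assumption). The log line format is invented for the example; a real deployment would feed it directory service query logs in whatever shape the DC emits.

```python
"""Flag LDAP searches that request Windows Credential Roaming attributes.

Assumption (Microsoft-documented, not stated on the page): Credential
Roaming stores a user's certificates, private keys and DPAPI master keys
in three attributes of the user object:
    msPKIAccountCredentials, msPKIDPAPIMasterKeys, msPKIRoamingTimeStamp
A client that enumerates users and asks for these attributes deserves a
closer look. All log lines below are constructed for this example.
"""
import re
from collections import defaultdict

# Compared case-insensitively because LDAP attribute names are.
ROAMING_ATTRS = {
    "mspkiaccountcredentials",
    "mspkidpapimasterkeys",
    "mspkiroamingtimestamp",
}

# Broad filters that walk the whole user population; combined with a
# roaming attribute request they look like bulk credential collection.
BROAD_FILTERS = {"(objectclass=user)", "(objectcategory=person)"}

# Constructed log format:
#   <timestamp> client=<ip> base=<dn> filter=<ldap filter> attrs=<a,b,c>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) base=(?P<base>\S+) "
    r"filter=(?P<filter>\S+) attrs=(?P<attrs>\S*)$"
)

# Constructed sample: one benign client and one client pulling roaming data.
SAMPLE_LOG = """\
2022-01-14T09:12:01Z client=10.0.5.21 base=DC=corp,DC=example filter=(sAMAccountName=jdoe) attrs=mail,displayName
2022-01-14T09:12:07Z client=10.0.8.77 base=DC=corp,DC=example filter=(objectClass=user) attrs=sAMAccountName,msPKIAccountCredentials,msPKIDPAPIMasterKeys
2022-01-14T09:12:09Z client=10.0.8.77 base=OU=Staff,DC=corp,DC=example filter=(objectClass=user) attrs=msPKIRoamingTimeStamp
2022-01-14T09:12:15Z client=10.0.5.21 base=DC=corp,DC=example filter=(cn=printer01) attrs=location
this line is malformed and must be skipped
"""


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["attrs"] = [a for a in rec["attrs"].split(",") if a]
    return rec


def find_roaming_queries(log_text):
    """Return {client: [(filter, matched_attrs, broad), ...]} for every
    search that requested at least one Credential Roaming attribute."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        matched = sorted(a for a in rec["attrs"] if a.lower() in ROAMING_ATTRS)
        if not matched:
            continue
        broad = rec["filter"].lower() in BROAD_FILTERS
        hits[rec["client"]].append((rec["filter"], matched, broad))
    return dict(hits)


def summarize(hits):
    """One triage line per client; 'enumeration' when any hit used a broad filter."""
    lines = []
    for client, entries in sorted(hits.items()):
        attrs = sorted({a for _, matched, _ in entries for a in matched})
        kind = "enumeration" if any(b for _, _, b in entries) else "targeted"
        lines.append(f"{client}: {len(entries)} roaming-attribute search(es), "
                     f"{kind}, attrs={','.join(attrs)}")
    return lines


if __name__ == "__main__":
    for line in summarize(find_roaming_queries(SAMPLE_LOG)):
        print(line)
```

Run as-is it reports only 10.0.8.77, classified as enumeration because it paired the roaming attributes with an (objectClass=user) filter; the benign client never appears. In practice the next step is to baseline which service accounts legitimately read these attributes (the Credential Roaming client itself does, for the logged-on user only) and alert on anything outside that set.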
