Russian state-sponsored hacking group APT29, also known as Cozy Bear, The Dukes, and Iron Hemlock, has attacked an unnamed European diplomatic organization using the Windows Credential Roaming feature, according to The Hacker News.
Mandiant researchers first identified the use of Windows Credential Roaming after APT29 gained access to the organization's network early this year, when several LDAP queries with unusual properties were run against the Active Directory system. Mandiant also noted that attackers could exploit an arbitrary file write flaw, tracked as CVE-2022-3170, to achieve remote code execution once logged in to Windows.
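The article does not say which LDAP properties looked unusual. As an added illustration (not code from the article, Mandiant, or Microsoft), the following Python scans a constructed, simplified LDAP search-audit log and flags queries that read or filter on the Active Directory attributes that Credential Roaming uses to store user certificates, keys and DPAPI material. The attribute list, the log line format and the severity heuristic are all assumptions made for this example.

```python
import re
from typing import Dict, List, Set

# Attributes used by Credential Roaming to hold user certificate, key and DPAPI
# material. Assumption for this example: queries touching these are the
# "unusual properties" a defender should review.
ROAMING_ATTRIBUTES = {
    "mspki-credentialroamingtokens",
    "mspki-accountcredentials",
    "mspki-dpapimasterkeys",
    "mspki-roamingtimestamp",
}

# Constructed sample log in an invented one-line-per-search format
# (timestamp, client IP, search base, LDAP filter, requested attributes).
SAMPLE_LOG = """\
2022-01-10T09:12:01Z client=10.0.5.21 base=DC=corp,DC=example filter=(sAMAccountName=jsmith) attrs=mail,memberOf
2022-01-10T09:13:44Z client=10.0.5.21 base=DC=corp,DC=example filter=(objectClass=user) attrs=msPKI-CredentialRoamingTokens,msPKI-AccountCredentials
2022-01-10T09:15:02Z client=10.0.9.7 base=OU=Servers,DC=corp,DC=example filter=(objectClass=computer) attrs=operatingSystem
2022-01-10T09:16:30Z client=10.0.5.21 base=DC=corp,DC=example filter=(&(objectClass=user)(msPKI-DPAPIMasterKeys=*)) attrs=cn
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) base=(?P<base>\S+) "
    r"filter=(?P<filter>\S+) attrs=(?P<attrs>\S*)$"
)


def parse_line(line: str) -> Dict[str, str]:
    """Split one audit line into its fields; reject lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return m.groupdict()


def roaming_attrs_in(entry: Dict[str, str]) -> Set[str]:
    """Return the roaming attributes a query requests or filters on (case-insensitive)."""
    requested = {a.lower() for a in entry["attrs"].split(",") if a}
    in_filter = {a for a in ROAMING_ATTRIBUTES if a in entry["filter"].lower()}
    return (requested & ROAMING_ATTRIBUTES) | in_filter


def find_roaming_queries(log_text: str) -> List[Dict[str, str]]:
    """Flag every search that touches roaming attributes; rate broad user-wide searches higher."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        hits = roaming_attrs_in(entry)
        if not hits:
            continue
        # Crude heuristic: a filter over all user objects (rather than one account)
        # suggests bulk collection of roaming material.
        broad = "objectclass=user" in entry["filter"].lower()
        findings.append({
            "ts": entry["ts"],
            "client": entry["client"],
            "attributes": ",".join(sorted(hits)),
            "severity": "high" if broad else "medium",
        })
    return findings


def clients_to_review(log_text: str) -> List[str]:
    """Distinct source addresses that issued roaming-attribute queries."""
    return sorted({f["client"] for f in find_roaming_queries(log_text)})


if __name__ == "__main__":
    for finding in find_roaming_queries(SAMPLE_LOG):
        print(finding)
```

Real directory-service audit output (for example Windows Event 1644 data or a DC's LDAP diagnostic logging) would need its own parser in place of `parse_line`, but the matching logic is the same: look for searches that request or filter on roaming attributes, and prioritise those scoped to all users rather than a single account.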
"An attacker who successfully exploited the vulnerability could gain remote interactive logon rights to a machine where the victim's account would not normally hold such privilege," researchers added.
Mandiant has called for immediate remediation of the vulnerability, which Microsoft addressed in the updates issued on September's Patch Tuesday.