AWS Seizes Phishing Domains of Russian APT29
The Ukrainian Computer Emergency Response Team (CERT-UA) issued a report warning of mass phishing activity by the APT29 group, labeled as “UAC-0215”. APT29, also known as “Cozy Bear” and “Midnight Blizzard”, is a Russian state-sponsored cyber espionage group linked to the Russian SVR.
Amazon stated that the phishing sites created by APT29 were designed to look like AWS domains. However, Amazon’s login credentials were not the direct target of these attacks. Instead, APT29 aimed to obtain login credentials for Windows systems via RDP. The phishing emails contained RDP files with names like “Zero Trust Security Environment Compliance Check.rdp”, which, when opened, automatically initiated connections to malicious servers.
“As soon as we learned of this activity, we immediately began the process of seizing the domains exploited by APT29 that impersonated AWS to disrupt the operation,” stated Amazon.
Internet Archive Attacked by Hackers Again
At the beginning of this month, I informed you about a cyber attack on the Internet Archive, including the Wayback Machine platform. On October 20th, the Internet Archive confirmed the third security breach in a series of escalating cyber attacks.
Hackers exploited API tokens from the Zendesk helpdesk platform to gain access to support tickets, which may contain sensitive information.
It appears that the security breaches are related. On October 9th, 2024, hackers used a GitLab token, which allowed them access to the source code of the Internet Archive, leading to the theft of sensitive data affecting 31 million users.
Another breach targeted the Zendesk support platform of the Internet Archive, where access tokens were exploited. All these attacks are a direct consequence of the same underlying issue – the failure of access token management.
FortiGate Firewall Admins Report Active 0-day Exploitation
Fortinet, a network security software manufacturer, has not yet disclosed details of a critical vulnerability being exploited by attackers to execute malicious code. Fortigate has not released any public advisories or CVE identification, which prevents security experts from tracking this zero-day.
The vulnerability has been discussed since at least October 13th. According to independent researcher Kevin Beaumont, the security flaw stems from the default settings of the FortiManager system, which allow devices with unknown or unauthorized serial numbers to register with the FortiManager dashboard. The vulnerable versions likely include FortiManager 7.6.0 and earlier.
The opacity of FortiGate’s response to this zero-day comes at a time when Carl Windsor, the company’s Chief Information Security Officer, confirmed in May his commitment to “being a model of ethical and responsible product development and vulnerability disclosure.”
POC for NTLM Relay Attack on Windows Server “WinReg”
A proof of concept (POC) exploit has been released for a vulnerability in the remote registry client that can be used to take over a Windows domain. The vulnerability, tracked as CVE-2024-43532, leverages a fallback mechanism in the Windows Registry (WinReg) client implementation, which relies on old transport protocols if SMB transport is not present.
An attacker exploiting this vulnerability can relay NTLM authentication to the ADCS (Active Directory Certificate Services) certification authority, thereby obtaining a user certificate for further domain authentication.
The flaw affects all versions of Windows Server from 2008 to 2022, as well as Windows 10 and Windows 11. Microsoft has already released a patch.
