- Amazon security researchers spotted a watering hole attack that tricked users into handing over Microsoft login credentials
- The attack was stopped through the combined efforts of Amazon, Cloudflare and Microsoft
- Amazon warns about the growing sophistication of Cozy Bear
Amazon security experts say they disrupted a new watering hole campaign run by the Russian state-sponsored threat group known as APT29 (also tracked as Midnight Blizzard, or Cozy Bear).
A watering hole attack is one in which attackers plant malicious code on a website that a specific group of people regularly visits, hoping to compromise those visitors' devices or accounts when they arrive.
In this case, APT29 compromised multiple legitimate websites and used them to redirect visitors to other domains under the attackers' control.
Credential collection campaign
It is not known which websites were compromised, or how many, but threat actors typically steal, or simply guess, the login credentials of poorly protected websites, escalate their privileges once inside, and then hide the malicious code in plain sight.
APT29 used the sites to redirect visitors to two malicious domains: findcloudflare[.]com and cloud[.]redirectspartners[.]com. There, the attackers imitated the Microsoft device code authentication flow in an effort to sign in to their victims' Microsoft accounts.
"The current campaign shows its continued focus on credential collection and intelligence gathering, with refinements in its technical approach, and demonstrates an evolution in APT29's tradecraft through its ability to compromise legitimate websites and initially inject JavaScript, followed by redirects," Amazon said.
Amazon also said that approximately 10% of the visitors to the compromised websites were being redirected to the attacker-controlled domains. AWS systems were not compromised, and there was no direct impact on AWS services or infrastructure.
To address the threat, the company isolated the affected EC2 instances and, with Cloudflare's help, disrupted the domains and notified Microsoft.
The attackers then tried to move to a different domain, but that one was also blocked quickly.
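As an added example (not code from the article, from Amazon, or from any of the companies named), the script below shows how a defender could hunt for this campaign's two redirect domains in two places: the source of a suspect web page, looking for injected JavaScript or meta-refresh redirects, and web proxy logs, looking for clients that were actually sent there. The IOC domains come from the article; the list of JavaScript redirect sinks, the sample page, the proxy log format and the function names are assumptions made for this demo.

```python
"""
Added example, not code from the article or from Amazon: scan page source and
proxy log lines for the two redirect domains the article names.
IOC domains: from the article. Redirect sinks, sample HTML, sample log lines,
log format and function names: assumptions made for this demo.
"""
import re
from urllib.parse import urlparse

# Indicators reported in the article, written defanged as the article prints them.
IOC_DOMAINS_DEFANGED = ["findcloudflare[.]com", "cloud[.]redirectspartners[.]com"]


def refang(domain: str) -> str:
    """Turn 'example[.]com' into 'example.com' so it can be matched against hosts."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# JavaScript redirect sinks an injected snippet commonly uses (assumed list):
# window.location = "...", location.href = "...", location.replace("..."), etc.
JS_REDIRECT = re.compile(
    r"(?:window\.location|document\.location|location)"
    r"(?:\.href|\.replace|\.assign)?\s*(?:=|\()\s*['\"]([^'\"]+)['\"]"
)
# <meta http-equiv="refresh" content="0;url=...">
META_REFRESH = re.compile(
    r"<meta[^>]+http-equiv\s*=\s*['\"]?refresh['\"]?[^>]+url\s*=\s*([^'\">\s]+)", re.I
)


def matching_ioc(url: str):
    """Return the IOC domain that url points at (exact host or a subdomain), else None."""
    host = (urlparse(url).hostname or "").lower()
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def find_injected_redirects(html: str):
    """Return (kind, url, ioc) for every redirect in the page that targets an IOC domain."""
    hits = []
    for m in JS_REDIRECT.finditer(html):
        ioc = matching_ioc(m.group(1))
        if ioc:
            hits.append(("js", m.group(1), ioc))
    for m in META_REFRESH.finditer(html):
        ioc = matching_ioc(m.group(1))
        if ioc:
            hits.append(("meta-refresh", m.group(1), ioc))
    return hits


def scan_proxy_log(lines):
    """Return (client_ip, url, ioc) for each log line whose URL targets an IOC domain.
    Assumed log format: '<timestamp> <client_ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        _ts, client_ip, _method, url, _status = parts[:5]
        ioc = matching_ioc(url)
        if ioc:
            hits.append((client_ip, url, ioc))
    return hits


# Constructed sample of a compromised page: legitimate content plus an injected
# script that only sometimes redirects (the article reports roughly 10% of visitors).
SAMPLE_HTML = """<html><head><title>Think tank newsletter</title></head><body>
<script src="/static/app.js"></script>
<script>
if (Math.random() < 0.1) { window.location.href = "https://findcloudflare.com/verify"; }
</script>
<meta http-equiv="refresh" content="0;url=https://cloud.redirectspartners.com/devicelogin">
</body></html>"""

# Constructed proxy log lines (format assumed, see scan_proxy_log).
SAMPLE_LOG = [
    "2025-08-29T10:00:01Z 10.0.0.5 GET https://example-thinktank.org/news 200",
    "2025-08-29T10:00:02Z 10.0.0.5 GET https://findcloudflare.com/verify 200",
    "2025-08-29T10:00:09Z 10.0.0.7 GET https://www.cloudflare.com/ 200",
    "2025-08-29T10:00:11Z 10.0.0.9 GET https://login.cloud.redirectspartners.com/devicelogin 200",
]

if __name__ == "__main__":
    for hit in find_injected_redirects(SAMPLE_HTML):
        print("page:", hit)
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("log:", hit)
```

Two points follow from the article itself. First, because only about 10% of visitors were redirected, fetching a suspect page once and seeing no redirect proves nothing; scan the served source, or fetch it repeatedly from several vantage points. Second, the proxy-log check catches clients that were redirected to a subdomain of an IOC domain as well as the bare domain, while leaving the real cloudflare.com alone, which is exactly the lookalike the findcloudflare[.]com name trades on.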
How to stay safe
To mitigate potential risks, users should place a credit freeze (or fraud alert) with the three credit bureaus, which prevents new credit accounts from being opened in their name without their approval.
They should also monitor their credit reports and use the free identity theft monitoring that TransUnion offers.
Finally, they should watch their financial accounts closely and be very cautious with incoming emails and other communications. Since the attackers now know their contact information, they can send convincing fake emails, text messages or calls that pretend to come from banks, government agencies or even TransUnion.
Via BleepingComputer