Russian threat actor using Windows bug to go after diplomatic targets, analyst warns

A threat group linked to Russia has been using a vulnerability in an obscure Windows feature to conduct cyber-espionage against diplomatic targets, an infosecurity analyst has learned.

APT29, which also goes by the names Cozy Bear, Iron Hemlock, and The Dukes, has been detected by Google-owned cybersecurity firm Mandiant using the Windows Credential Roaming feature to target diplomatic entities in a manner “consistent with Russian strategic priorities.”

Cozy Bear has previously been spotted going after NATO-aligned Western targets, but has also been known to focus its efforts on Russian-affiliated entities in the Commonwealth of Independent States, as well as countries in the Middle East, Asia, and Africa.

It is believed to have doubled down on its targeting of NATO affiliates this year, most likely in response to escalating cyberwar in the wake of Russia’s invasion of Ukraine.

The abused Microsoft feature allows documents and credentials to essentially ‘roam’ with a user across machines. Mandiant explained that attackers could use it to remotely access target machines without authorization.

“The use of credential roaming in an organization allows attackers to abuse the saved credentials for the purposes of privilege escalation,” it said.

Although Microsoft issued a patch for the vulnerability in September, organizations using Windows Credential Roaming that have not applied it remain exposed to a breach in this way. Mandiant urges organizations to take the necessary action to remediate the flaw, identified as CVE-2022-30170.
