Analysis of Russian Cyberspy Attacks Leads to Discovery of Windows Vulnerability

An analysis of the numerous LDAP queries that Russian cyberespionage group APT29 had made to the Active Directory system has led to the discovery of a vulnerability in Windows’ ‘credential roaming’ functionality.

Also referred to as Cozy Bear, the Dukes, and Yttrium, APT29 is a Russian cyberespionage group likely sponsored by the Russian Foreign Intelligence Service (SVR).

The group is believed to be responsible for multiple high-profile attacks, including the 2016 targeting of the Democratic National Committee (DNC), a 2018 attempt to infiltrate the DNC, and the 2020 SolarWinds attack.

In a May 2022 report, Mandiant revealed that the group had been launching phishing attacks against diplomatic organizations in Europe, the Americas, and Asia, in an attempt to infect them with new malware families.

Now, the Google subsidiary reveals that its investigation into an APT29 incident has led to the discovery of CVE-2022-30170 (CVSS score of 7.3), a vulnerability potentially allowing attackers to gain remote code execution.

Microsoft released patches for CVE-2022-30170 on the September 2022 Patch Tuesday, describing the issue as an elevation of privilege bug.

“An attacker who successfully exploited the vulnerability could gain remote interactive logon rights to a machine where the victim’s account would not normally hold such privilege,” the tech giant notes.

APT29, Mandiant explains, was querying LDAP attributes related to credential gathering, with one of these attributes being part of credential roaming, which allows for credentials and associated certificates to ‘roam’ with the user between devices.

Initially introduced in Windows Server 2003 SP1, the functionality is still supported in current Windows iterations, relying on the user’s Active Directory account to synchronize login information between devices.

Credential roaming uses msPKIAccountCredentials, a LDAP attribute that stores roaming tokens, and the dimsjob.dll library, which loads another DLL to retrieve data from msPKIAccountCredentials and synchronize the information for each roaming user, as necessary.

While analyzing the mechanism, Mandiant discovered that it contained an arbitrary file write vulnerability, due to improper sanitization of the file path, leading to directory traversal (“..”) characters.

“If an attacker can control the msPKIAccountCredentials LDAP attribute, they may add a malicious roaming token entry where the identifier string contains directory traversal characters and thereby write an arbitrary number of bytes to any file on the file system, posing as the victim account. The only constraint is that the full file name plus directory traversal characters fits within the 92 bytes buffer,” Mandiant explains.

Mandiant has published a proof-of-concept (PoC) roaming token (and PowerShell code to insert the token into the msPKIAccountCredentials LDAP attribute) designed to write a .bat file to the Startup directory.

With the credential roaming service synchronizing the attribute on all systems on which the user logs in, the bat file will execute on any system at login, “thereby achieving remote code execution in the context of the victim user,” Mandiant says.

Organizations are advised to apply the available patches for CVE-2022-30170 as soon as possible, to mitigate exploitation risks.

While the investigation into APT29 operations led to the discovery of CVE-2022-30170, the vulnerability does not appear to have been exploited in attacks.

Related: Microsoft Warns of New Zero-Day; No Fix Yet for Exploited Exchange Server Flaws

Related: Russian Cyberspies Target Diplomats With New Malware

Related: Microsoft Raises Alert for Under-Attack Windows Flaw