Analysis of Russian Cyberspy Attacks Leads to Discovery of Windows Vulnerability

An analysis of the numerous LDAP queries that Russian cyberespionage group APT29 had made to the Active Directory system has led to the discovery of a vulnerability in Windows’ ‘credential roaming’ functionality.

Also referred to as Cozy Bear, the Dukes, and Yttrium, APT29 is a Russian cyberespionage group likely sponsored by the Russian Foreign Intelligence Service (SVR).

The group is believed to be responsible for multiple high-profile attacks, including the 2016 targeting of the Democratic National Committee (DNC), a 2018 attempt to infiltrate the DNC, and the 2020 SolarWinds attack.

In a May 2022 report, Mandiant revealed that the group had been launching phishing attacks against diplomatic organizations in Europe, the Americas, and Asia, in an attempt to infect them with new malware families.

Now, the Google subsidiary reveals that its investigation into an APT29 incident has led to the discovery of CVE-2022-30170 (CVSS score of 7.3), a vulnerability potentially allowing attackers to gain remote code execution.

Microsoft released patches for CVE-2022-30170 on the September 2022 Patch Tuesday, describing the issue as an elevation of privilege bug.

“An attacker who successfully exploited the vulnerability could gain remote interactive logon rights to a machine where the victim’s account would not normally hold such privilege,” the tech giant notes.

APT29, Mandiant explains, was querying LDAP attributes related to credential gathering, with one of these attributes being part of credential roaming, which allows for credentials and associated certificates to ‘roam’ with the user between devices.

Initially introduced in Windows Server 2003 SP1, the functionality is still supported in current Windows iterations, relying on the user’s Active Directory account to synchronize login information between devices.

Credential roaming uses msPKIAccountCredentials, an LDAP attribute that stores roaming tokens, and the dimsjob.dll library, which loads another DLL to retrieve data from msPKIAccountCredentials and synchronize the information for each roaming user as necessary.

While analyzing the mechanism, Mandiant discovered that it contained an arbitrary file write vulnerability: the file path derived from a roaming token is not properly sanitized, so it can contain directory traversal (“..”) characters.

“If an attacker can control the msPKIAccountCredentials LDAP attribute, they may add a malicious roaming token entry where the identifier string contains directory traversal characters and thereby write an arbitrary number of bytes to any file on the file system, posing as the victim account. The only constraint is that the full file name plus directory traversal characters fits within the 92 bytes buffer,” Mandiant explains.

Mandiant has published a proof-of-concept (PoC) roaming token (and PowerShell code to insert the token into the msPKIAccountCredentials LDAP attribute) designed to write a .bat file to the Startup directory.

Because the credential roaming service synchronizes the attribute on every system the user logs in to, the .bat file will execute on any such system at login, “thereby achieving remote code execution in the context of the victim user,” Mandiant says.
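The defect described above is a missing containment check on a token identifier that is used as a file name. The following is an added example (not code from Mandiant, Microsoft, or the credential roaming component) showing the two things a reviewer or defender would want: an audit routine that flags identifier strings carrying traversal sequences, separators, drive prefixes or over-length values, and a hardened path resolver that refuses any target outside the store directory. The binary layout of msPKIAccountCredentials is not on the page, so the code operates on identifier strings only; the sample token entries are constructed, and measuring the 92-byte limit in UTF-8 bytes is an assumption.

```python
import ntpath

# Assumption: the page only says "92 bytes buffer"; the identifier is
# measured here as UTF-8 bytes. Adjust if the real encoding differs.
IDENTIFIER_BUFFER_BYTES = 92

# Constructed sample roaming-token entries: (account, identifier string).
# The real msPKIAccountCredentials binary layout is not on the page, so this
# example works only on identifier strings already extracted from it.
SAMPLE_TOKENS = [
    ("alice", "cert-0A1B2C3D.pfx"),           # constructed: benign file name
    ("bob",   "..\\..\\..\\Temp\\run.bat"),    # constructed: parent-dir traversal
    ("carol", "C:\\Windows\\Temp\\evil.dll"),  # constructed: absolute path
    ("dave",  "a" * 200),                      # constructed: exceeds buffer
]


def audit_identifier(identifier: str) -> list[str]:
    """Return the reasons an identifier is unsafe to use as a bare file name
    inside a single directory; an empty list means it passes."""
    reasons = []
    if "\x00" in identifier:
        reasons.append("embedded NUL")
    if "\\" in identifier or "/" in identifier:
        reasons.append("path separator")
    if ntpath.splitdrive(identifier)[0]:
        reasons.append("drive or UNC prefix")
    components = identifier.replace("/", "\\").split("\\")
    if ".." in components:
        reasons.append("parent-directory component")
    if len(identifier.encode("utf-8")) > IDENTIFIER_BUFFER_BYTES:
        reasons.append(f"exceeds {IDENTIFIER_BUFFER_BYTES}-byte buffer")
    return reasons


def resolve_in_store(store_dir: str, identifier: str) -> str:
    """Hardened join: build the target path and refuse anything that does not
    stay inside store_dir once '..' components and drive prefixes are
    normalised. This is the containment check the page says was missing."""
    base = ntpath.normpath(store_dir)
    candidate = ntpath.normpath(ntpath.join(base, identifier))
    try:
        inside = ntpath.commonpath([base, candidate]) == base
    except ValueError:  # different drive, or absolute/relative mix
        inside = False
    if not inside:
        raise ValueError(f"identifier escapes store directory: {identifier!r}")
    return candidate


def scan_tokens(tokens) -> dict[str, list[str]]:
    """Run audit_identifier over (account, identifier) pairs and return the
    flagged accounts with their reasons; useful when reviewing attribute dumps."""
    flagged = {}
    for account, identifier in tokens:
        reasons = audit_identifier(identifier)
        if reasons:
            flagged[account] = reasons
    return flagged


if __name__ == "__main__":
    for account, reasons in scan_tokens(SAMPLE_TOKENS).items():
        print(f"{account}: {', '.join(reasons)}")
    print(resolve_in_store("C:\\ProgramData\\roaming-store", "cert-0A1B2C3D.pfx"))
```

The audit function is the cheap, string-level check suitable for scanning exported attribute values; the resolver is the check that belongs in any code that turns an attacker-influenceable identifier into a path, because normalising first and then comparing against the base directory catches encodings of traversal that a substring test for ".." can miss.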

Organizations are advised to apply the available patches for CVE-2022-30170 as soon as possible, to mitigate exploitation risks.

While the investigation into APT29 operations led to the discovery of CVE-2022-30170, the vulnerability does not appear to have been exploited in attacks.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.