SecurityWeek

Cyberwarfare

Analysis of Russian Cyberspy Attacks Leads to Discovery of Windows Vulnerability

An analysis of the numerous LDAP queries that Russian cyberespionage group APT29 had made to the Active Directory system has led to the discovery of a vulnerability in Windows’ ‘credential roaming’ functionality.

Also referred to as Cozy Bear, the Dukes, and Yttrium, APT29 is a Russian cyberespionage group likely sponsored by the Russian Foreign Intelligence Service (SVR).

The group is believed to be responsible for multiple high-profile attacks, including the 2016 targeting of the Democratic National Committee (DNC), a 2018 attempt to infiltrate the DNC, and the 2020 SolarWinds attack.

In a May 2022 report, Mandiant revealed that the group had been launching phishing attacks against diplomatic organizations in Europe, the Americas, and Asia, in an attempt to infect them with new malware families.

Now, the Google subsidiary reveals that its investigation into an APT29 incident has led to the discovery of CVE-2022-30170 (CVSS score of 7.3), a vulnerability potentially allowing attackers to gain remote code execution.

Microsoft released patches for CVE-2022-30170 on the September 2022 Patch Tuesday, describing the issue as an elevation of privilege bug.

“An attacker who successfully exploited the vulnerability could gain remote interactive logon rights to a machine where the victim’s account would not normally hold such privilege,” the tech giant notes.

APT29, Mandiant explains, was querying LDAP attributes related to credential gathering, with one of these attributes being part of credential roaming, which allows for credentials and associated certificates to ‘roam’ with the user between devices.

Initially introduced in Windows Server 2003 SP1, the functionality is still supported in current Windows iterations, relying on the user’s Active Directory account to synchronize login information between devices.

Credential roaming uses msPKIAccountCredentials, an LDAP attribute that stores roaming tokens, and the dimsjob.dll library, which loads another DLL to retrieve data from msPKIAccountCredentials and synchronize the information for each roaming user as necessary.

While analyzing the mechanism, Mandiant discovered that it contained an arbitrary file write vulnerability: the file path built from a roaming token was not properly sanitized, so directory traversal (“..”) characters in it were honored.

“If an attacker can control the msPKIAccountCredentials LDAP attribute, they may add a malicious roaming token entry where the identifier string contains directory traversal characters and thereby write an arbitrary number of bytes to any file on the file system, posing as the victim account. The only constraint is that the full file name plus directory traversal characters fits within the 92 bytes buffer,” Mandiant explains.

Mandiant has published a proof-of-concept (PoC) roaming token (and PowerShell code to insert the token into the msPKIAccountCredentials LDAP attribute) designed to write a .bat file to the Startup directory.

Because the credential roaming service synchronizes the attribute to every system the user logs in to, the .bat file executes on any such system at login, “thereby achieving remote code execution in the context of the victim user,” Mandiant says.
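The bug class described above is a classic one: an identifier taken from a source the attacker may control (here, a roaming token stored in an LDAP attribute) is joined to a directory path without checking for traversal characters. The following Python is an added illustration written for this article; it is not Mandiant's proof of concept, not Microsoft's fix, and does not reproduce the real on-disk token format or Windows path handling. The base directory and the token identifiers are constructed, and the 92-byte limit is taken from the Mandiant quote. It places a naive join beside a hardened resolver and then uses the hardened check as an audit over a list of identifiers, which is the kind of validation a defender would want when reviewing values pulled from that attribute.

```python
"""Roaming-token identifier validation: naive join vs. hardened resolver (added example)."""
import os
import re

# Byte limit for the identifier buffer, as quoted in the Mandiant description.
ROAMING_ID_BUFFER = 92

# Constructed stand-in for the per-user roaming store; not a real Windows path.
BASE_DIR = "/var/roaming_store"

# Anything that could change which directory the identifier lands in:
# a ".." component or a path separator / drive colon.
FORBIDDEN = re.compile(r"(\.\.)|[\\/:]")

# Constructed sample identifiers: one ordinary, one with traversal, one oversized.
SAMPLE_IDENTIFIERS = [
    "abcdef0123456789",                      # legitimate-looking token id
    "../../../../Users/Public/startup.bat",  # traversal pattern from the article
    "a" * 100,                               # exceeds the 92-byte buffer
]


def unsafe_resolve(base_dir: str, identifier: str) -> str:
    """The vulnerable pattern: join and normalise with no containment check.

    A '..' sequence in the identifier walks out of base_dir, so the caller
    ends up writing wherever the attacker pointed it.
    """
    return os.path.normpath(os.path.join(base_dir, identifier))


def safe_resolve(base_dir: str, identifier: str) -> str:
    """Hardened resolver: length limit, character allow-check, containment check.

    Raises ValueError with a reason string instead of returning an escaped path.
    """
    if not identifier:
        raise ValueError("empty identifier")
    if len(identifier.encode("utf-8")) > ROAMING_ID_BUFFER:
        raise ValueError("identifier exceeds buffer limit")
    if FORBIDDEN.search(identifier):
        raise ValueError("identifier contains path traversal or separator characters")
    base = os.path.abspath(base_dir)
    target = os.path.abspath(os.path.join(base, identifier))
    # Belt and braces: even if the character check were bypassed, the resolved
    # path must still sit underneath the base directory.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved path escapes base directory")
    return target


def audit_tokens(identifiers, base_dir: str = BASE_DIR):
    """Run every identifier through the hardened check; return (identifier, reason) failures."""
    findings = []
    for ident in identifiers:
        try:
            safe_resolve(base_dir, ident)
        except ValueError as exc:
            findings.append((ident, str(exc)))
    return findings


if __name__ == "__main__":
    traversal = SAMPLE_IDENTIFIERS[1]
    print("naive join resolves to:", unsafe_resolve(BASE_DIR, traversal))
    for ident, reason in audit_tokens(SAMPLE_IDENTIFIERS):
        print(f"REJECT {ident[:40]!r}: {reason}")
```

The naive resolver shows why the traversal string in the sample list is dangerous: it normalises to a path well outside the roaming store. The hardened resolver rejects it on the character check first, and the `commonpath` comparison is kept as a second, independent guard so a bypass of the character filter would still be caught.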

Organizations are advised to apply the available patches for CVE-2022-30170 as soon as possible, to mitigate exploitation risks.

While the investigation into APT29 operations led to the discovery of CVE-2022-30170, the vulnerability does not appear to have been exploited in attacks.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
