Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Analysis of Russian Cyberspy Attacks Leads to Discovery of Windows Vulnerability

An analysis of the numerous LDAP queries that Russian cyberespionage group APT29 had made to the Active Directory system has led to the discovery of a vulnerability in Windows’ ‘credential roaming’ functionality.

An analysis of the numerous LDAP queries that Russian cyberespionage group APT29 had made to the Active Directory system has led to the discovery of a vulnerability in Windows’ ‘credential roaming’ functionality.

Also referred to as Cozy Bear, the Dukes, and Yttrium, APT29 is a Russian cyberespionage group likely sponsored by the Russian Foreign Intelligence Service (SVR).

The group is believed to be responsible for multiple high-profile attacks, including the 2016 targeting of the Democratic National Committee (DNC), a 2018 attempt to infiltrate the DNC, and the 2020 SolarWinds attack.

In a May 2022 report, Mandiant revealed that the group had been launching phishing attacks against diplomatic organizations in Europe, the Americas, and Asia, in an attempt to infect them with new malware families.

Now, the Google subsidiary reveals that its investigation into an APT29 incident has led to the discovery of CVE-2022-30170 (CVSS score of 7.3), a vulnerability potentially allowing attackers to gain remote code execution.

Microsoft released patches for CVE-2022-30170 on the September 2022 Patch Tuesday, describing the issue as an elevation of privilege bug.

“An attacker who successfully exploited the vulnerability could gain remote interactive logon rights to a machine where the victim’s account would not normally hold such privilege,” the tech giant notes.

APT29, Mandiant explains, was querying LDAP attributes related to credential gathering, with one of these attributes being part of credential roaming, which allows for credentials and associated certificates to ‘roam’ with the user between devices.

Advertisement. Scroll to continue reading.

Initially introduced in Windows Server 2003 SP1, the functionality is still supported in current Windows iterations, relying on the user’s Active Directory account to synchronize login information between devices.

Credential roaming uses msPKIAccountCredentials, a LDAP attribute that stores roaming tokens, and the dimsjob.dll library, which loads another DLL to retrieve data from msPKIAccountCredentials and synchronize the information for each roaming user, as necessary.

While analyzing the mechanism, Mandiant discovered that it contained an arbitrary file write vulnerability, due to improper sanitization of the file path, leading to directory traversal (“..”) characters.

“If an attacker can control the msPKIAccountCredentials LDAP attribute, they may add a malicious roaming token entry where the identifier string contains directory traversal characters and thereby write an arbitrary number of bytes to any file on the file system, posing as the victim account. The only constraint is that the full file name plus directory traversal characters fits within the 92 bytes buffer,” Mandiant explains.

Mandiant has published a proof-of-concept (PoC) roaming token (and PowerShell code to insert the token into the msPKIAccountCredentials LDAP attribute) designed to write a .bat file to the Startup directory.

With the credential roaming service synchronizing the attribute on all systems on which the user logs in, the bat file will execute on any system at login, “thereby achieving remote code execution in the context of the victim user,” Mandiant says.

Organizations are advised to apply the available patches for CVE-2022-30170 as soon as possible, to mitigate exploitation risks.

While the investigation into APT29 operations led to the discovery of CVE-2022-30170, the vulnerability does not appear to have been exploited in attacks.

Related: Microsoft Warns of New Zero-Day; No Fix Yet for Exploited Exchange Server Flaws

Related: Russian Cyberspies Target Diplomats With New Malware

Related: Microsoft Raises Alert for Under-Attack Windows Flaw

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.