- Amazon security experts discovered a watering hole attack that tricked users into handing over Microsoft login credentials
- The attack was stopped through the combined efforts of Amazon, Cloudflare and Microsoft
- Amazon warns of Cozy Bear's growing sophistication
Amazon’s security experts say they disrupted a new “watering hole” campaign carried out by the Russian state-backed threat actor known as APT29 (also tracked as Midnight Blizzard or Cozy Bear).
A watering hole attack is one in which attackers inject malicious code into a website that a particular group of people regularly visits, hoping to compromise those visitors’ devices or accounts when they load the page.
In this case, APT29 compromised multiple legitimate sites and used them to redirect a portion of their visitors to other, attacker-controlled domains.
Credential harvesting campaign
It is not known which sites were compromised or how many there were, but threat actors typically steal or simply guess login credentials for poorly protected sites, escalate their privileges once inside, and then hide the malicious code in plain sight among the site’s legitimate scripts.
APT29 used the compromised websites to redirect victims to two malicious domains: FindCloudflare[.]com and cloudflare[.]RedirectPartners[.]com. There, the attackers mimicked Microsoft’s device code authentication flow in an attempt to sign in to their victims’ Microsoft accounts.
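As an added example (not part of the original article or of Amazon’s report), the script below takes the two indicator domains quoted above, refangs them, and hunts for references to them in a site’s served HTML and in outbound web-proxy logs. The HTML snippet and log lines are constructed for illustration; the host matching treats subdomains of an indicator as hits but does not flag the legitimate cloudflare.com, which the attacker’s domains were chosen to resemble.

```python
import re
from typing import Iterable

# Indicators as quoted in the article, in the defanged form it uses.
IOC_DOMAINS_DEFANGED = [
    "FindCloudflare[.]com",
    "cloudflare[.]RedirectPartners[.]com",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator ('example[.]com') back into a matchable hostname."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower()


IOC_DOMAINS = [refang(d) for d in IOC_DOMAINS_DEFANGED]


def host_matches_ioc(host: str, iocs: Iterable[str] = IOC_DOMAINS) -> bool:
    """True if host equals an indicator or is a subdomain of one.

    Matching is suffix-based on label boundaries, so 'cloudflare.com' and
    'cdnjs.cloudflare.com' are NOT hits for 'findcloudflare.com'.
    """
    host = host.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in iocs)


# Hostname portion of any http(s) URL embedded in text (script src, location
# assignments, meta refresh targets, or the URL column of a proxy log).
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def hosts_in(text: str) -> list[str]:
    return URL_HOST_RE.findall(text)


def scan_html(html: str) -> list[str]:
    """Return the IoC hosts referenced anywhere in a served page (sorted, unique)."""
    return sorted({h.lower() for h in hosts_in(html) if host_matches_ioc(h)})


def scan_proxy_log(lines: Iterable[str]) -> list[tuple[int, str]]:
    """Return (line_number, host) for each log line whose requested host is an IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for h in hosts_in(line):
            if host_matches_ioc(h):
                hits.append((n, h.lower()))
                break
    return hits


# Constructed sample page: one legitimate Cloudflare-hosted library plus an
# injected snippet that sends a slice of visitors to an attacker-controlled host.
SAMPLE_HTML = """<html><head>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<script>
  if (Math.random() < 0.1) { window.location = "https://findcloudflare.com/verify"; }
</script>
</head><body>news</body></html>"""

# Constructed sample proxy log: timestamp, client, method, URL, status.
SAMPLE_LOG = """\
2025-01-01T10:01:02Z 10.0.0.5 GET https://www.example-news-site.test/index.html 200
2025-01-01T10:01:03Z 10.0.0.5 GET https://findcloudflare.com/verify 302
2025-01-01T10:01:04Z 10.0.0.5 GET https://cloudflare.com/ 200
2025-01-01T10:02:11Z 10.0.0.9 GET https://login.cloudflare.redirectpartners.com/ 200"""

if __name__ == "__main__":
    print("IoC hosts referenced in page:", scan_html(SAMPLE_HTML))
    print("Proxy log hits:", scan_proxy_log(SAMPLE_LOG.splitlines()))
```

Run it over a copy of each page your site serves (and over proxy or DNS logs covering the period of concern); any hit on the served HTML points at the injected redirect, and any hit in the logs identifies which users were sent to the lure and should be treated as possible credential-phishing victims.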
“The current campaign shows their continued focus on credentials and intelligence collection with improvements to their technical approach, and demonstrates a development in APT29’s tradecraft through their ability to compromise,” Amazon said in its report.
Amazon also said that roughly 10% of visitors to the compromised sites were redirected to attacker-controlled domains. AWS systems were not compromised, and there was no direct impact on AWS services or infrastructure.
To tackle the threat, the company isolated the affected EC2 instances, worked with Cloudflare to disrupt the attacker’s Cloudflare-themed domains, and informed Microsoft.
The attackers then tried to move to another domain, but it too was quickly blocked.
How to stay safe
To mitigate potential risks, users should place a credit freeze (or fraud alert) with all three credit bureaus, preventing new credit accounts from being opened in their name without approval.
They should also monitor their credit reports and take up TransUnion’s offer of free identity theft monitoring.
Finally, they should watch their financial accounts closely and be extra careful with incoming emails and other communications. Since the attackers now know their contact information, they may send convincing fake emails, texts or calls pretending to be from banks, government agencies or even TransUnion itself.
Via BleepingComputer