Amazon Identified Internet Domains Abused by APT29

Summary:
Amazon recently seized domains used by APT29, a Russian state-backed actor, in a mass email phishing campaign targeting government agencies, enterprises, and militaries. The campaign, which was initially identified and disclosed by Ukraine's Computer Emergency Response Team (CERT-UA), was allegedly aimed at gathering Windows credentials. According to CERT-UA, the emails sent by these actors used lures pertaining to "integration" issues with Amazon and Microsoft services and to the implementation of a "zero trust" architecture (ZTA). The emails also carried RDP (Remote Desktop Protocol) configuration files which, when opened, would grant the actors remote access to the compromised device, including access to the local disk, printers, network resources, and the clipboard, as well as the ability to run third-party programs or scripts.

Security Officer Comments:
A notable aspect of this campaign was the creation of domains whose names impersonate AWS, a common tactic adversaries use to trick users by creating a sense of authenticity. Microsoft confirmed that these were not AWS domains, nor was the group after AWS customer credentials.

While APT29 has a history of targeting Ukrainian organizations, CERT-UA states that this campaign was broader in scope, encompassing organizations outside Ukraine as well. Based on the infrastructure used, the agency noted that the campaign has been underway since at least August 2024. CERT-UA says it reported the activity to Microsoft, which has since seized the associated domains abused by APT29.

Suggested Corrections:
To reduce the attack surface, CERT-UA recommends:

  • Blocking ".rdp" files at the mail gateway
  • Blocking users from running any ".rdp" files (with exceptions created where required)
  • Configuring the firewall to limit the ability of the mstsc.exe program to establish RDP connections to resources on the Internet
  • Setting group policies (administrative template) to prohibit the redirection of computer resources over RDP ("Remote Desktop Services" -> "Remote Desktop Session Host" -> "Device and Resource Redirection" -> "Do not allow...")

The agency has also published IOCs, which can be accessed here.
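As an added illustration of the mail-gateway checks in the first two recommendations (this is example code, not CERT-UA's or Amazon's tooling): a small Python triage script that parses the plain-text `.rdp` format and flags the drive, printer, clipboard and program-launch settings the summary describes. The sample attachment, its host name and the risk weights are constructed for the example.

```python
import re
# .rdp files are plain text, one "name:type:value" per line; type is
# i (integer), s (string) or b (binary blob). Names are case-insensitive.
_LINE = re.compile(r"^(?P<name>[^:]+):(?P<type>[isb]):(?P<value>.*)$")

# Redirection and launch settings that hand the remote host reach into the
# local machine. Weights are a constructed heuristic, not a vendor scheme.
RISKY = {
    "drivestoredirect": ("local drives shared with remote host", 4),
    "devicestoredirect": ("plug-and-play devices shared", 2),
    "redirectclipboard": ("clipboard shared", 2),
    "redirectsmartcards": ("smart cards shared", 3),
    "redirectprinters": ("printers shared", 1),
    "remoteapplicationmode": ("RemoteApp mode: host picks the program run", 3),
    "alternate shell": ("alternate shell launched on connect", 3),
}

def parse_rdp(text):
    """Parse .rdp text into {name: value}; ints for type i, str otherwise."""
    settings = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue  # blank or malformed line; mstsc.exe skips these too
        name, typ, value = m.group("name").lower(), m.group("type"), m.group("value")
        settings[name] = int(value) if typ == "i" and value.lstrip("-").isdigit() else value
    return settings

def triage_rdp(text):
    """Return (score, findings, target host) for one .rdp attachment. A setting
    counts as enabled when its value is neither 0 nor empty: drivestoredirect:s:*
    shares every drive, drivestoredirect:s: shares none."""
    s = parse_rdp(text)
    findings, score = [], 0
    for name, (desc, weight) in RISKY.items():
        if s.get(name) not in (None, 0, "", "0"):
            findings.append(f"{name}={s[name]}: {desc}")
            score += weight
    return score, findings, s.get("full address", "")

# Constructed sample resembling a lure attachment; the host is a placeholder.
SAMPLE_RDP = """\
full address:s:rdp.lure-example.invalid
redirectclipboard:i:1
redirectprinters:i:1
drivestoredirect:s:*
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Explorer
"""
```

A gateway rule would quarantine any attachment whose score exceeds a chosen threshold, or simply every parseable `.rdp` file as CERT-UA advises.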

Link(s):
https://aws.amazon.com/blogs/security/amazon-identified-internet-domains-abused-by-apt29/