A vulnerability in the Credential Roaming function has become a weapon in the hands of attackers.
The APT29 group used Credential Roaming after a successful phishing attack on an unnamed European diplomatic institution. This was reported by Mandiant experts, who noticed the abuse of Credential Roaming after observing APT29 operators, once inside the victim's network, issuing many LDAP queries with atypical properties against Active Directory.
Credential Roaming was first introduced in Windows Server 2003 Service Pack 1 (SP1) and is a mechanism that allows users to securely access their credentials (i.e. private keys and certificates) on different workstations in a Windows domain.
After examining the internal mechanisms of the function, Mandiant discovered what the attackers took advantage of: the CVE-2022-30170 vulnerability, which allows arbitrary file writes. This security flaw was fixed as part of the September Patch Tuesday; to exploit it, an attacker would first need to be logged into the system as a user.
According to the company's researchers, successful exploitation of the vulnerability allows an attacker to gain remote interactive logon rights on a machine where the victim does not have them.
Mandiant said the study "provides insight into why APT29 is actively querying the appropriate LDAP attributes in Active Directory" and urged organizations to apply the September fixes as soon as possible.
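As an added defender-side example (not from Mandiant or this article), the Python sketch below flags LDAP clients whose searches request the Active Directory attributes that back Credential Roaming. The attribute names are real AD schema attributes; the log line format and the sample lines are constructed for the example.

```python
import re
from collections import Counter

# AD schema attributes that store Credential Roaming data (real attribute names,
# compared case-insensitively). The log format below is constructed for this example.
ROAMING_ATTRS = {
    "mspki-credentialroamingtokens",
    "mspkiaccountcredentials",
    "mspkidpapimaskedcredentials",
    "mspkiroamingtimestamp",
}

# Constructed sample lines: client, search base, filter, requested attributes.
SAMPLE_LOG = """\
client=10.0.0.5 base=DC=corp,DC=example filter=(objectClass=user) attrs=sAMAccountName,memberOf
client=10.0.0.77 base=DC=corp,DC=example filter=(objectClass=user) attrs=sAMAccountName,msPKI-CredentialRoamingTokens,msPKIDPAPIMaskedCredentials
client=10.0.0.77 base=DC=corp,DC=example filter=(objectClass=user) attrs=msPKIAccountCredentials,msPKIRoamingTimeStamp
client=10.0.0.5 base=DC=corp,DC=example filter=(objectClass=computer) attrs=dNSHostName
"""

LINE_RE = re.compile(r"client=(\S+) base=(\S+) filter=(\S+) attrs=(\S+)")

def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, base, flt, attrs = m.groups()
    return {"client": client, "base": base, "filter": flt,
            "attrs": [a.strip().lower() for a in attrs.split(",")]}

def roaming_attrs_requested(entry):
    """Return the Credential Roaming attributes one LDAP search asked for."""
    return sorted(set(entry["attrs"]) & ROAMING_ATTRS)

def flag_clients(log_text, threshold=1):
    """Per client, count searches that request Credential Roaming attributes and
    return those at or above threshold together with the attributes seen."""
    hits = Counter()
    seen = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        found = roaming_attrs_requested(entry)
        if found:
            hits[entry["client"]] += 1
            seen.setdefault(entry["client"], set()).update(found)
    return {c: {"searches": n, "attrs": sorted(seen[c])}
            for c, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    for client, info in flag_clients(SAMPLE_LOG).items():
        print(client, info)
```

Ordinary workstations rarely need to read these attributes for other users, so a client doing so repeatedly is worth a closer look.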