Amazon’s threat intelligence team has disclosed details of a “years-long” Russian state-sponsored campaign that targeted Western critical infrastructure between 2021 and 2025.
Targets of the campaign included energy sector organizations across Western nations, critical infrastructure providers in North America and Europe, and entities with cloud-hosted network infrastructure. The activity has been attributed with high confidence to the GRU-affiliated APT44, which is also known as FROZENBARENTS, Sandworm, Seashell Blizzard, and Voodoo Bear.
The activity is notable for using as initial access vectors misconfigured customer network edge devices with exposed management interfaces, as N-day and zero-day vulnerability exploitation activity declined over the time period – indicative of a shift in attacks aimed at critical infrastructure, the tech giant said.
“This tactical adaptation enables the same operational outcomes, credential harvesting, and lateral movement into victim organizations’ online services and infrastructure, while reducing the actor’s exposure and resource expenditure,” CJ Moses, Chief Information Security Officer (CISO) of Amazon Integrated Security, said.
The attacks have been found to leverage the following vulnerabilities and tactics over the course of five years –
- 2021-2022 – Exploitation of WatchGuard Firebox and XTM flaw (CVE-2022-26318) and targeting of misconfigured edge network devices
- 2022-2023 – Exploitation of Atlassian Confluence flaws (CVE-2021-26084 and CVE-2023-22518) and continued targeting of misconfigured edge network devices
- 2024 – Exploitation of Veeam flaw (CVE-2023-27532) and continued targeting of misconfigured edge network devices
- 2025 – Sustained targeting of misconfigured edge network devices
The intrusion activity, per Amazon, singled out enterprise routers and routing infrastructure, VPN concentrators and remote access gateways, network management appliances, collaboration and wiki platforms, and cloud-based project management systems.
These efforts are likely designed to facilitate credential harvesting at scale, given the threat actor’s ability to position themselves strategically on the network edge to intercept sensitive information in transit. Telemetry data has also uncovered what has been described as coordinated attempts aimed at misconfigured customer network edge devices hosted on Amazon Web Services (AWS) infrastructure.
“Network connection analysis shows actor-controlled IP addresses establishing persistent connections to compromised EC2 instances operating customers’ network appliance software,” Moses said. “Analysis revealed persistent connections consistent with interactive access and data retrieval across multiple affected instances.”
In addition, Amazon said it observed credential replay attacks against victim organizations’ online services as part of attempts to obtain a deeper foothold into targeted networks….
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
