Amazon Seizes Malicious Domains Used by APT29 in Global Credential-Theft Campaign
Amazon has taken control of domains used by APT29, a Russian state-backed hacking group, to run targeted phishing attacks against government and military organizations. APT29, also tracked as "Cozy Bear" and "Midnight Blizzard," used the domains to steal Windows credentials and data via rogue Remote Desktop Protocol (RDP) files. Although the malicious sites mimicked AWS domains, Amazon clarified that the attackers were not after AWS or its credentials; the target was Windows login details from the affected organizations. Once notified, Amazon seized the domains to disrupt the campaign.

The campaign was unusually broad for APT29: phishing emails went to numerous targets worldwide, a departure from the group's usual narrow targeting. The emails were disguised as messages about "Zero Trust" cybersecurity issues related to Amazon and Microsoft and carried .rdp attachments. Opening such a file makes the victim's Remote Desktop client connect outbound to the attacker-controlled server, and the redirection settings embedded in the file share the victim's local disks, printers, audio devices, and other resources with that server, so the attacker can access them from the remote side of the session.

CERT-UA, Ukraine's cybersecurity agency, issued an advisory on these "Rogue RDP" attachments, tracking the activity as UAC-0215. It advised inspecting logs for the IP addresses associated with the campaign and recommended blocking ".rdp" files and disabling RDP resource redirection to limit exposure.

APT29 remains a formidable threat; it recently targeted high-profile tech companies such as TeamViewer and has exploited vulnerabilities in widely used software. Western intelligence agencies recently warned about the group's widespread abuse of flaws in Zimbra and JetBrains TeamCity servers, emphasizing its growing global impact.
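The following is an added example, not code from the article, CERT-UA, or Amazon. It shows the kind of check a mail gateway or triage script can run on an .rdp attachment before a user opens it: parse the file's `name:type:value` lines and flag the settings that redirect client-side resources (drives, clipboard, printers, smart cards, microphone, other devices) to the remote host, which is what makes a "Rogue RDP" file dangerous. The two sample files, the hostnames in them, and the trusted-host allowlist are constructed for illustration; the setting names are the standard ones understood by the Windows Remote Desktop client.

```python
"""Inspect .rdp files for resource-redirection settings (added example).

An .rdp file is plain text, one "name:type:value" setting per line, where type
is s (string), i (integer) or b (binary). When opened, mstsc.exe connects to
"full address" and, for every redirection setting that is enabled, exposes the
corresponding client-side resource to that remote host for the session.
"""

# Settings that expose client resources to the remote host, with a predicate
# returning True when the value means "redirection enabled".
RISKY_SETTINGS = {
    "drivestoredirect": lambda v: v.strip() != "",     # "*" = every local drive
    "devicestoredirect": lambda v: v.strip() != "",    # PnP devices
    "usbdevicestoredirect": lambda v: v.strip() != "", # USB devices
    "camerastoredirect": lambda v: v.strip() != "",    # cameras
    "redirectclipboard": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
    "redirectcomports": lambda v: v == "1",
    "redirectsmartcards": lambda v: v == "1",          # smart-card auth to remote host
    "redirectposdevices": lambda v: v == "1",
    "audiocapturemode": lambda v: v == "1",            # microphone to remote host
}


def parse_rdp(text):
    """Return {setting_name: (type, value)} for every well-formed line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Values may themselves contain ':' (e.g. "full address:s:host:3389"),
        # so split on at most two separators.
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            continue  # not a setting line; ignore rather than fail
        name, typ, value = parts
        settings[name.strip().lower()] = (typ, value)
    return settings


def assess_rdp(text):
    """Summarise where the file connects and what it redirects."""
    settings = parse_rdp(text)
    target = settings.get("full address", ("s", ""))[1].strip()
    redirections = [
        name for name, enabled in RISKY_SETTINGS.items()
        if name in settings and enabled(settings[name][1])
    ]
    # RemoteApp mode hides the desktop window, so the victim sees only a
    # small app window while redirection stays active in the background.
    remoteapp = settings.get("remoteapplicationmode", ("i", "0"))[1].strip() == "1"
    return {"target": target, "redirections": redirections, "remoteapp": remoteapp}


def is_suspicious(text, trusted_hosts):
    """Flag a file that redirects anything to a host outside the allowlist.

    trusted_hosts is an assumed allowlist of the organisation's own RDP
    endpoints (hostnames without port).
    """
    result = assess_rdp(text)
    host = result["target"].rsplit(":", 1)[0] if ":" in result["target"] else result["target"]
    return bool(result["redirections"]) and host.lower() not in trusted_hosts


# Constructed sample: what a rogue attachment looks like (names are invented).
SAMPLE_RDP = """\
full address:s:rdp.connectivity-check.example.invalid:3389
remoteapplicationmode:i:1
remoteapplicationname:s:Connectivity Check
drivestoredirect:s:*
devicestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:1
redirectsmartcards:i:1
redirectposdevices:i:1
audiocapturemode:i:1
authentication level:i:0
prompt for credentials:i:0
"""

# Constructed sample: a conservative file pointing at an internal jump host.
BENIGN_RDP = """\
full address:s:jumphost.corp.example:3389
drivestoredirect:s:
redirectclipboard:i:0
redirectprinters:i:0
"""

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_RDP), ("benign", BENIGN_RDP)):
        r = assess_rdp(text)
        print(label, r["target"], "redirects:", ", ".join(r["redirections"]) or "none",
              "remoteapp:", r["remoteapp"],
              "suspicious:", is_suspicious(text, {"jumphost.corp.example"}))
```

The allowlist check is deliberately strict: any redirection to a host the organisation does not own is treated as a finding, because a legitimate internal connection rarely needs drives, smart cards and the microphone all shared at once, while a rogue file needs exactly that to be useful to the attacker.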