Software security
Amazon's threat intelligence team successfully disrupted a sophisticated credential theft campaign by APT29, the Russian intelligence-linked hacking group behind the 2020 SolarWinds attack. The operation compromised legitimate websites to inject malicious code that redirected 10% of visitors to fake Cloudflare verification pages.
Once there, users were tricked into entering email addresses and authorizing attackers' devices to access their Microsoft accounts through a rarely seen "device code authentication" technique: the attacker starts an OAuth 2.0 device authorization flow on a machine they control, and the victim completes it by entering the attacker-supplied code on the legitimate Microsoft sign-in page, so the resulting tokens are issued to the attacker's client. APT29 used Amazon EC2 instances and other cloud infrastructure to blend with legitimate traffic.
Despite the group's attempts to migrate infrastructure after detection, Amazon continued tracking and disrupting their operations. Security experts recommend organizations review Microsoft's device authentication guidance and consider disabling the feature if unnecessary.
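The following is an added, offline simulation of the device code phishing exchange described above; it is not code from Amazon, Microsoft or the reporting, and it models a generic RFC 8628 device authorization grant rather than Microsoft's actual endpoints. The client id, scope, verification URI and the two IP addresses (RFC 5737 documentation ranges) are constructed for the example. It walks through attacker initiation, victim approval, token redemption, replay rejection and one detection heuristic a defender can apply to the server-side record:

```python
"""Simulation of the OAuth 2.0 device authorization grant (RFC 8628)
as abused in device code phishing. Everything is in memory; no network.
Added example, not code from the article or from Amazon/Microsoft."""
import secrets
from dataclasses import dataclass
from typing import Optional

# RFC 8628 section 6.1 suggests a consonant-only base-20 alphabet for user codes.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


@dataclass
class DeviceGrant:
    device_code: str
    user_code: str
    client_id: str
    scope: str
    initiator_ip: str              # address that called device_authorization (the attacker's)
    expires_at: float
    last_poll: float = 0.0
    approved_by: Optional[str] = None
    approver_ip: Optional[str] = None   # address that typed the user code (the victim's)
    redeemed: bool = False


class DeviceAuthorizationServer:
    """Minimal RFC 8628 authorization server; time is passed in explicitly so it is testable."""

    def __init__(self, lifetime_s: int = 900, interval_s: int = 5):
        self.lifetime_s = lifetime_s
        self.interval_s = interval_s
        self._grants: dict = {}        # device_code -> DeviceGrant
        self._by_user_code: dict = {}  # user_code -> device_code

    def device_authorization(self, client_id: str, scope: str, initiator_ip: str, now: float) -> dict:
        """Step 1: the client (here the attacker's host) asks for a device_code/user_code pair."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        grant = DeviceGrant(device_code, user_code, client_id, scope, initiator_ip, now + self.lifetime_s)
        self._grants[device_code] = grant
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device",  # hypothetical URI
                "expires_in": self.lifetime_s, "interval": self.interval_s}

    def approve(self, user_code: str, user: str, approver_ip: str, now: float) -> dict:
        """Step 2: whoever enters user_code at verification_uri authorizes the pending grant."""
        grant = self._grants.get(self._by_user_code.get(user_code))
        if grant is None or now >= grant.expires_at:
            return {"error": "invalid_user_code"}
        grant.approved_by, grant.approver_ip = user, approver_ip
        return {"status": "approved", "client_id": grant.client_id, "scope": grant.scope}

    def token(self, client_id: str, device_code: str, now: float) -> dict:
        """Step 3: the initiating client polls the token endpoint until the grant is approved."""
        grant = self._grants.get(device_code)
        if grant is None or grant.client_id != client_id or grant.redeemed:
            return {"error": "invalid_grant"}          # unknown, wrong client, or already redeemed
        if now >= grant.expires_at:
            return {"error": "expired_token"}
        if now - grant.last_poll < self.interval_s:
            grant.last_poll = now
            return {"error": "slow_down"}              # polling faster than the advertised interval
        grant.last_poll = now
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        grant.redeemed = True                          # single use, per RFC 8628
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "sub": grant.approved_by, "scope": grant.scope}

    def cross_network_grants(self) -> list:
        """Detection heuristic: approved grants whose approver address differs from the initiator's."""
        return [g for g in self._grants.values()
                if g.approved_by is not None and g.approver_ip != g.initiator_ip]


def simulate_device_code_phish() -> dict:
    """Run the full exchange and return the observable outcomes at each step."""
    srv = DeviceAuthorizationServer()
    t = 1_700_000_000.0
    attacker_ip, victim_ip = "203.0.113.10", "198.51.100.7"   # constructed documentation addresses
    # 1. Attacker initiates the flow from their own host with a hypothetical public client id.
    resp = srv.device_authorization("public-client-id", "mail.read", attacker_ip, t)
    # 2. Attacker polls before the victim has acted: authorization_pending.
    pending = srv.token("public-client-id", resp["device_code"], t + 5)
    # 3. The lure page shows the victim user_code; the victim types it into the real sign-in page.
    approval = srv.approve(resp["user_code"], "victim@example.com", victim_ip, t + 60)
    # 4. Attacker's next poll receives a token bound to the victim's identity.
    issued = srv.token("public-client-id", resp["device_code"], t + 65)
    # 5. A second redemption of the same device_code is refused.
    replay = srv.token("public-client-id", resp["device_code"], t + 70)
    return {"pending_error": pending.get("error"), "approval": approval.get("status"),
            "token_subject": issued.get("sub"), "replay_error": replay.get("error"),
            "flagged": len(srv.cross_network_grants())}
```

The point the simulation makes is that the victim never talks to the attacker's infrastructure at the authorization step; the phishing page only has to deliver the user code, and the real identity provider issues the token to whichever client started the flow. The initiator/approver address mismatch is a useful server-side signal but not a proof of compromise, since legitimate device code use (signing into a TV or headless CLI from a phone) also crosses networks, which is why the recommendation above to disable the flow where it is not needed is the stronger control.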
Source: Dark Reading