APT

APT29 abused the Windows Credential Roaming in an attack against a diplomatic entity

Russia-linked APT29 cyberespionage group exploited a Windows feature called Credential Roaming to target a European diplomatic entity.

Mandiant researchers in early 2022 responded to an incident where the Russia-linked APT29 group (aka SVR group, Cozy Bear, Nobelium, and The Dukes) successfully phished a European diplomatic entity. The attack stands out for the use of the Windows Credential Roaming feature.

Credential Roaming was introduced by Microsoft in Windows Server 2003 SP1 and is still supported on Windows 11 and Windows Server 2022. The feature is used to roam certificates and other credentials with the user within a domain.

APT29 along with APT28 cyber espionage group was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections.

In the attack analyzed by Mandiant, the experts observed numerous LDAP queries with atypical properties performed against the Active Directory system.

“The queried LDAP attributes relate to usual credential information gathering (e.g. unixUserPassword); however, one attribute in particular stood out: {b7ff5a38-0818-42b0-8110-d3d154c97f24}, or msPKI-CredentialRoamingTokens, which is described by Microsoft as ‘storage of encrypted user credential token BLOBs for roaming’.” reads the post published by Mandiant. “Upon further inspection, Mandiant identified that this attribute is part of a lesser-known feature of Active Directory: Credential Roaming.”
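The LDAP collection described above is something a defender can hunt for. The following is an added example, not code from Mandiant or from the original post: it parses constructed LDAP query log lines in a hypothetical key=value format (the log format, client addresses and user names are assumptions) and flags any query that requests the Credential Roaming attributes by name or by the schema GUID quoted above.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Schema GUID and attribute names quoted in the Mandiant write-up.
ROAMING_TOKENS_GUID = "{b7ff5a38-0818-42b0-8110-d3d154c97f24}"
ROAMING_ATTRS = {
    "mspki-credentialroamingtokens",
    "mspkiaccountcredentials",
    "mspkidpapimasterkeys",
}
# Other credential-bearing attribute the write-up mentions alongside them.
CREDENTIAL_ATTRS = {"unixuserpassword"}

# Constructed sample log lines in a hypothetical key=value format; not real
# directory-service telemetry. Only the two queries from 10.0.0.77 should fire.
SAMPLE_LOG = """\
2022-01-10T09:12:03Z client=10.0.0.15 user=svc_backup base=DC=corp,DC=local filter=(objectClass=user) attrs=sAMAccountName,mail
2022-01-10T09:14:41Z client=10.0.0.77 user=jdoe base=DC=corp,DC=local filter=(objectClass=user) attrs=unixUserPassword,{b7ff5a38-0818-42b0-8110-d3d154c97f24}
2022-01-10T09:15:02Z client=10.0.0.77 user=jdoe base=CN=Users,DC=corp,DC=local filter=(sAMAccountName=*) attrs=msPKIAccountCredentials,msPKIDPAPIMasterKeys
2022-01-10T09:20:10Z client=10.0.0.15 user=svc_backup base=DC=corp,DC=local filter=(objectClass=computer) attrs=dNSHostName
"""

# key=value pairs; the value runs to the next whitespace, so DN-style values
# such as base=DC=corp,DC=local are kept whole.
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class LdapQuery:
    ts: str
    client: str
    user: str
    filter: str
    attrs: list = field(default_factory=list)


def parse_line(line: str) -> Optional[LdapQuery]:
    """Split one log line into a query record; None for malformed lines."""
    parts = line.split(maxsplit=1)
    if len(parts) != 2:
        return None
    ts, rest = parts
    fields = dict(KV_RE.findall(rest))
    attrs = [a for a in fields.get("attrs", "").split(",") if a]
    return LdapQuery(ts, fields.get("client", "?"), fields.get("user", "?"),
                     fields.get("filter", ""), attrs)


def normalise_attr(attr: str) -> str:
    """Map the schema-GUID form to its attribute name; lower-case everything."""
    a = attr.strip().lower()
    if a == ROAMING_TOKENS_GUID:
        return "mspki-credentialroamingtokens"
    return a


def sensitive_attrs_requested(q: LdapQuery) -> set:
    """Attributes in the query that belong to the watch lists above."""
    wanted = {normalise_attr(a) for a in q.attrs}
    return wanted & (ROAMING_ATTRS | CREDENTIAL_ATTRS)


def scan_log(text: str) -> list:
    """Return one alert per query that asks for a Credential Roaming attribute."""
    alerts = []
    for line in text.splitlines():
        q = parse_line(line)
        if q is None:
            continue
        hits = sensitive_attrs_requested(q)
        if hits & ROAMING_ATTRS:  # a roaming attribute alone is enough to alert
            alerts.append({"ts": q.ts, "client": q.client, "user": q.user,
                           "attrs": sorted(hits)})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Requests for these attributes are rare in normal operation, which is why the example alerts on any single hit rather than on a volume threshold; in a real deployment the parser would be replaced by whatever format the directory-service audit source actually emits.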

The researchers also discovered an arbitrary file write vulnerability: an attacker who controls the msPKIAccountCredentials LDAP attribute can add a malicious Roaming Token entry whose identifier string contains directory traversal characters, and can then write an arbitrary number of bytes to any file on the file system in the context of the victim account. The report pointed out that a full file name plus the directory traversal characters fits within the 92-byte buffer.
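The defect described above is an input-validation failure: an identifier string meant to name a token file is used to build a path without being constrained to a single path component, and the buffer-length limit does nothing because a traversal string fits inside it. The code below is an added illustration of the checks that close this class of bug; it is not Microsoft's code, and the roaming directory, the sample identifiers and the way the 92-byte figure from the report is applied here are all assumptions.

```python
import os

# The 92-byte figure is the buffer size cited in the Mandiant report; the
# base directory is a placeholder for this example and need not exist.
MAX_IDENTIFIER_BYTES = 92
ROAMING_BASE = "/tmp/roaming-example/victim"

# Constructed identifiers: one benign, one carrying directory traversal.
BENIGN_ID = "token-0001.bin"
TRAVERSAL_ID = "../../../../tmp/overwritten.txt"


def fits_buffer(identifier: str) -> bool:
    """Length check alone: true for both identifiers, so it is no defence."""
    return len(identifier.encode("utf-8")) < MAX_IDENTIFIER_BYTES


def is_single_component(identifier: str) -> bool:
    """Allow-list check: reject separators, NUL and dot-only names outright."""
    if not identifier or identifier in (".", ".."):
        return False
    return not any(ch in identifier for ch in "/\\\x00")


def safe_token_path(base_dir: str, identifier: str) -> str:
    """Return the on-disk path for a token, or raise if it escapes base_dir."""
    if not fits_buffer(identifier) or not is_single_component(identifier):
        raise ValueError(f"rejected token identifier: {identifier!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, identifier))
    # Containment check (defence in depth): the resolved path must still
    # sit under the base directory after normalisation and symlink resolution.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"identifier escapes roaming store: {identifier!r}")
    return candidate


def audit(identifier: str) -> dict:
    """Summarise which checks an identifier passes, for the demo below."""
    try:
        path = safe_token_path(ROAMING_BASE, identifier)
        accepted = True
    except ValueError:
        path, accepted = None, False
    return {
        "identifier": identifier,
        "fits_buffer": fits_buffer(identifier),
        "single_component": is_single_component(identifier),
        "accepted": accepted,
        "path": path,
    }


if __name__ == "__main__":
    for ident in (BENIGN_ID, TRAVERSAL_ID):
        print(audit(ident))
```

Running the block shows the point the report makes: the traversal identifier passes the length check but is rejected by the single-component rule, and the containment check would catch anything that slipped past the first rule.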

Successful exploitation of the flaw can allow the attacker to achieve remote code execution in the context of the logged-in user.

Mandiant reported the flaw to MSRC in April 2022; the issue, tracked as CVE-2022-30170, was addressed by Microsoft on September 13.

The use of Credential Roaming allows attackers to abuse the saved credentials to escalate privileges. Below are some attack scenarios in which attackers can abuse Credential Roaming:

  • An organization has not applied the September 2022 patch to each system where Credential Roaming is used.
  • An attacker gained Domain Administrator privileges in an organization where Credential Roaming is in use or was used in the past without proper clean-up.
  • An attacker has access to the cleartext password of a user where Credential Roaming is in use or was in use in the past.
  • An attacker has read access to the msPKIDPAPIMasterKeys attribute on a victim account, but does not have the cleartext password of the victim user.

“Mandiant recommends organizations to check whether Credential Roaming is in use in their environment; and if so, apply the September 2022 patch urgently to remediate CVE-2022-30170.” concludes the report. “Additionally, organizations that have used Credential Roaming in the past should investigate if the proper clean-up process (as described by Microsoft) was followed.”


Pierluigi Paganini

(SecurityAffairs – hacking, APT29)
