Amazon Seizes Domains Used by Russian Hackers Targeting Windows Users | Strategic Revenue

SEATTLE, WA – Online shopping retail giant Amazon this week seized multiple internet domains that have been utilized by Russian hackers to launch phishing attacks that targeted users of Microsoft’s Windows operating system.

Chief Information Security Officer at Amazon, CJ Moses, announced in a blog post that Midnight Blizzard, otherwise known as APT29 – a threat actor directly sponsored by the Russian government – had been targeting government agencies, empires, and military organizations with large scale phishing attacks.

The reason Amazon stepped-in is that the attacks launched by Midnight Blizzard were done while impersonating the company’s cloud arm, known as Amazon Web Services (AWS); recipients of the phishing emails noted they were written in Ukrainian, reports say.

However, it was revealed that the goal of the Midnight Blizzard campaign was to steal Windows credentials to use through Windows Remote Desktop, as opposed to targeting AWS or stealing AWS credentials from the service’s users.

🚨 Russian state hackers from #CozyBear (#MidnightBlizzard) group are targeting over 100 organizations globally with a new phishing campaign using signed RDP files disguised as legitimate docs.#CyberSecurity #CyberAttack #Phishing #Russia

Read: https://t.co/Jr83I3ZdVp
— Hackread.com (@HackRead) October 30, 2024

Moses noted that, in addition to Amazon taking action, CERT-UA – the Computer Emergency Response Team of Ukraine, part of the country’s State Center for Cyber Defense – released a comprehensive update on their usual procedures to help victims tell legitimate communications from cyberattacks carried out by third-parties.

Upon learning of this activity, we immediately initiated the process of seizing the domains APT29 was abusing which impersonated AWS in order to interrupt the operation,” Moses said. “CERT-UA has issued an advisory with additional details on their work.”

We can also use a regular expression to search for *.rdp files in the temporary folders that Outlook uses to detect traces of #MidnightBlizzard / #Nobelium activity 🔍

A short form would be:
\Content.Outlook\[A-Z0-9]{8}\[^\]{1,255}.rdp$

Or as string contains combo:… https://t.co/MqsXOeE8EX pic.twitter.com/IXBHLS6VBp
— Florian Roth (@cyb3rops) October 31, 2024

Midnight Blizzard previously gained a measure of infamy following their attack upon Microsoft earlier in 2024 – with the threat actor gaining access to both corporate email accounts in the company’s cybersecurity and legal departments, as well as those of outside organizations – leading to the tech giant implementing completely new and stringent security policies going forward.

John Colascione

About The Author: John Colascione is Chief Executive Officer of Internet Marketing Services Inc. He specializes in Website Monetization, is a Google AdWords Certified Professional, authored a ‘how to’ book called ”Mastering Your Website‘, and is a key player in several Internet related businesses through his search engine strategy brand Searchen Networks®

Leave a Reply Cancel reply