APT29 waterhole attack concept

How Amazon Foiled a Stealthy APT29 Credential Theft Campaign

Overview

APT29 (also tracked as Midnight Blizzard and Cozy Bear) has resurfaced with a watering-hole campaign. According to Amazon's threat-intelligence team, the group compromised legitimate websites and injected malicious JavaScript that redirected a small fraction of visitors to attacker-controlled pages. These pages imitated Cloudflare "verification" screens, prompted visitors for their email address and then steered them into Microsoft's device-code authentication flow, a sign-in method meant for input-constrained clients such as command-line tools and smart-TV apps. In that flow the attacker's client asks Microsoft for a code, the victim types the code into Microsoft's own login page and authenticates as usual, and Microsoft issues the resulting tokens to the client that asked for the code. The attackers therefore never had to capture a password: the victim's own sign-in authorized an attacker-controlled device to access the victim's Microsoft account.

Attack chain and tactics

After compromising legitimate sites, APT29's operators inserted obfuscated JavaScript that redirected only around 10% of visitors, keeping the injection below the noise floor of routine site monitoring. A cookie marked visitors who had already been redirected so the same user was not sent to the lure twice, which also reduced the chance that someone would notice a repeat. Redirected visitors landed on convincingly branded verification pages, entered their email address and were then walked through the device-code flow: the lure displays a code that the attacker's client has just obtained from Microsoft, the victim enters it at Microsoft's legitimate device-login page and signs in (MFA included), and the access and refresh tokens are issued to the attacker's client. Amazon's CISO noted that the team kept disrupting the campaign even as APT29 tried to move its infrastructure off AWS. The group's history includes spear-phishing, password spraying and credential-harvesting campaigns against governments, NGOs and technology companies dating back to at least 2008.
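To make the token-routing point concrete, here is an added in-memory mock of the OAuth 2.0 device authorization grant (RFC 8628) as the campaign abused it. This is illustrative code written for this page, not code from Amazon's report or from the article; the AuthorizationServer class stands in for Microsoft's identity platform, the client ID "lure-client", the scope string, the verification URI and the victim identity are all made up, and no network endpoint is contacted.

```python
"""Mock of the OAuth 2.0 device authorization grant (RFC 8628).

Constructed stand-ins only: `AuthorizationServer` plays the identity provider,
the "lure-client" the attacker's backend, and `run_lure` drives a victim
through the exchange. Nothing here talks to a real endpoint.
"""

import secrets


class AuthorizationServer:
    """In-memory stand-in for the IdP's device-code and token endpoints."""

    def __init__(self):
        # device_code -> {"user_code", "client_id", "scope", "user"}
        self._pending = {}

    def device_authorization(self, client_id, scope):
        """Step 1: the *client* (here the attacker) asks for a code pair.
        user_code is what the lure page shows the victim; device_code stays
        with the client and is the secret it later redeems for tokens."""
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(4).upper()
        self._pending[device_code] = {"user_code": user_code, "client_id": client_id,
                                      "scope": scope, "user": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/devicelogin",  # assumed URI
                "expires_in": 900, "interval": 5}

    def user_login(self, user_code, username, password_ok, mfa_ok):
        """Step 2: the *victim* enters user_code on the IdP's own page and
        authenticates there. The attacker never sees the password or MFA."""
        for entry in self._pending.values():
            if entry["user_code"] == user_code and entry["user"] is None:
                if password_ok and mfa_ok:
                    entry["user"] = username
                    return "ok"
                return "auth_failed"
        return "invalid_code"

    def token(self, device_code, client_id):
        """Step 3: the *client* polls with device_code until the user approves.
        Tokens go to whoever holds device_code, i.e. the attacker's client."""
        entry = self._pending.get(device_code)
        if entry is None or entry["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if entry["user"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]
        return {"access_token": "at-" + secrets.token_hex(8),
                "refresh_token": "rt-" + secrets.token_hex(8),   # long-lived persistence
                "sub": entry["user"], "scope": entry["scope"]}


def run_lure(server, victim_enters_code, victim_mfa_ok=True):
    """Drive the full exchange and return what the attacker's client ends up with."""
    attacker_client = "lure-client"  # assumed client id
    # Attacker backend requests a code pair; user_code is shown on the fake page.
    grant = server.device_authorization(attacker_client, "openid offline_access Mail.Read")
    # Attacker polls before the victim has done anything.
    first_poll = server.token(grant["device_code"], attacker_client)
    # Victim (if lured) types the code into the real IdP page and signs in.
    login_result = None
    if victim_enters_code:
        login_result = server.user_login(grant["user_code"], "victim@example.org",
                                         password_ok=True, mfa_ok=victim_mfa_ok)
    # Attacker polls again and collects tokens if the victim completed sign-in.
    second_poll = server.token(grant["device_code"], attacker_client)
    return {"first_poll": first_poll, "login": login_result, "tokens": second_poll}


if __name__ == "__main__":
    print(run_lure(AuthorizationServer(), victim_enters_code=True))
```

The thing to notice is that the victim's password and MFA are checked by the identity provider, and pass; what the attack exploits is that the resulting tokens are delivered to the client that requested the code, and with offline_access that includes a refresh token.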

Impact and recommended actions

Device-code authentication attacks are relatively rare but highly effective. Because the victim completes the sign-in, MFA included, on Microsoft's own page, the attacker inherits a fully authenticated session without having to defeat MFA directly, and the refresh token issued alongside the access token lets the attacker keep minting access tokens long after the lure page is gone. Organizations should review Microsoft's security guidance on device-code flows and block the flow where it isn't needed; in Microsoft Entra this can be done with a Conditional Access policy that targets authentication flows. Conditional Access policies that gate sign-ins on device compliance, location and sign-in risk are also recommended. Administrators should monitor sign-in logs for unexpected device-code sign-ins (Entra records the authentication protocol on each sign-in, so device-code entries can be filtered out directly), particularly those from unfamiliar locations or apps that have no business using the flow, and keep tight control over which OAuth clients users may consent to. Website owners should harden their supply chains by monitoring for unauthorized JavaScript changes and deploying a Content Security Policy, ideally with nonces or hashes for inline scripts, to limit what an injected script can do; since CSP cannot block a script the attacker has placed in a file the site itself serves, file-integrity monitoring of deployed assets is the necessary complement.
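As an added example of the log-review step, written for this page and not taken from Amazon's report or Microsoft's guidance, the following triages sign-in records for device-code sign-ins. The records are constructed samples shaped like the Microsoft Graph signIn resource (field names such as authenticationProtocol, ipAddress, location.countryOrRegion and status.errorCode are real; every value is invented), and the allowlist of apps expected to use the device-code flow is a tenant-specific assumption.

```python
"""Triage of sign-in records for device-code sign-ins.

SAMPLE_SIGNINS is constructed test data in the shape of Microsoft Graph
`signIn` objects; the values are invented. EXPECTED_DEVICE_CODE_APPS is an
assumed, tenant-specific allowlist.
"""

from collections import defaultdict

# Assumption: in this tenant only these apps legitimately use the device-code flow.
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}

SAMPLE_SIGNINS = [  # constructed sample data
    {"createdDateTime": "2025-08-20T09:01:00Z", "userPrincipalName": "alice@example.org",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Office 365 Exchange Online",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"},
     "status": {"errorCode": 0}},
    {"createdDateTime": "2025-08-21T10:15:00Z", "userPrincipalName": "alice@example.org",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"},
     "status": {"errorCode": 0}},
    {"createdDateTime": "2025-08-28T14:42:00Z", "userPrincipalName": "alice@example.org",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"},
     "status": {"errorCode": 0}},
    {"createdDateTime": "2025-08-28T14:50:00Z", "userPrincipalName": "bob@example.org",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"},
     "status": {"errorCode": 50126}},  # failed sign-in (bad credentials)
]


def triage_device_code_signins(signins, expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """Return one finding per *successful* device-code sign-in, scored against
    the user's own history: countries seen in their successful non-device-code
    sign-ins form the baseline, and an app outside the allowlist is suspicious."""
    baseline = defaultdict(set)
    for s in signins:
        if s["status"]["errorCode"] == 0 and s["authenticationProtocol"] != "deviceCode":
            baseline[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])

    findings = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" or s["status"]["errorCode"] != 0:
            continue
        reasons = []
        if s["appDisplayName"] not in expected_apps:
            reasons.append("unexpected app %r" % s["appDisplayName"])
        country = s["location"]["countryOrRegion"]
        if country not in baseline[s["userPrincipalName"]]:
            reasons.append("country %s not in user's baseline" % country)
        findings.append({"user": s["userPrincipalName"], "time": s["createdDateTime"],
                         "ip": s["ipAddress"], "app": s["appDisplayName"],
                         "severity": "high" if reasons else "info", "reasons": reasons})
    return findings


def shared_device_code_ips(signins):
    """IPs recorded on device-code sign-ins (successful or not) for more than one
    user. Several users hitting the flow from one address in a campaign window
    is worth a look even when each sign-in alone looks unremarkable."""
    users_by_ip = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] == "deviceCode":
            users_by_ip[s["ipAddress"]].add(s["userPrincipalName"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    for f in triage_device_code_signins(SAMPLE_SIGNINS):
        print(f["severity"], f["user"], f["time"], f["app"], f["reasons"])
    print(shared_device_code_ips(SAMPLE_SIGNINS))
```

On real data the records would come from the Entra sign-in logs export or the Graph sign-ins API rather than the inline list, and the per-user country baseline should be built over a longer window than the sample shows; the scoring logic itself does not change.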

Conclusion

APT29’s campaign highlights how nation‑state actors continue to innovate. By blending watering‑hole tactics with abuse of niche authentication flows, the group achieved stealthy credential theft. Amazon’s swift disruption underscores the importance of cloud providers monitoring for abuse on their platforms. Organizations should treat device‑code authentication as a potential risk, enforce conditional access and remain vigilant for unusual login flows.

Sources: Dark Reading – APT29 credential theft campaign