{“lastseen”:”2025-08-29T14:05:27″,”description”:”\\n\\nAmazon on Friday said it flagged and disrupted what it described as an opportunistic watering hole campaign orchestrated by the Russia-linked APT29 actors as part of their intelligence gathering efforts.\\n\\nThe campaign used \\”compromised websites to redirect visitors to malicious infrastructure designed to trick users into authorizing attacker-controlled devices through Microsoft’s device code authentication flow,\\” Amazon’s Chief Information Security Officer CJ Moses said.\\n\\nAPT29, also tracked as BlueBravo, Cloaked Ursa, CozyLarch, Cozy Bear, Earth Koshchei, ICECAP, Midnight Blizzard, and The Dukes, is the name assigned to a state-sponsored hacking group with ties to Russia’s Foreign Intelligence Service (SVR).\\n\\n\\n\\nIn recent months, the prolific threat actor has been linked to attacks leveraging malicious Remote Desktop Protocol (RDP) configuration files to target Ukrainian entities and exfiltrate sensitive data.\\n\\nSince the start of the year, the adversarial collective has been observed adopting various phishing methods, including device code phishing and device join phishing, to obtain unauthorized access to Microsoft 365 accounts.\\n\\nAs recently as June 2025, Google said it observed a threat cluster with affiliations to APT29 weaponizing a Google account feature called application-specific passwords to gain access to victims’ emails. The highly targeted campaign was attributed to UNC6293.\\n\\nThe latest activity identified by Amazon’s threat intelligence team underscores the threat actor’s continued efforts to harvest credentials and gather intelligence of interest, while simultaneously sharpening their tradecraft.\\n\\n\\”This opportunistic approach illustrates APT29’s continued evolution in scaling their operations to cast a wider net in their intelligence collection efforts,\\” Moses said.\\n\\nThe attacks involved APT29 compromising various legitimate websites and injecting JavaScript that redirected approximately 10% of visitors to actor-controlled domains, such as findcloudflare[.]com, that mimicked Cloudflare verification pages to give an illusion of legitimacy.\\n\\n\\n\\nIn reality, the end goal of the campaign was to entice victims into entering a legitimate device code generated by the threat actor into a sign-in page, effectively granting them access to their Microsoft accounts and data. This technique was detailed by both Microsoft and Volexity back in February 2025.\\n\\nThe activity is also noteworthy for incorporating various evasion techniques, such as Base64 encoding to conceal malicious code, setting cookies to prevent repeated redirects of the same visitor, and shifting to new infrastructure when blocked.\\n\\n\\”Despite the actor’s attempts to migrate to new infrastructure, including a move off AWS to another cloud provider, our team continued tracking and disrupting their operations,\\” Moses said. \\”After our intervention, we observed the actor register additional domains such as cloudflare.redirectpartners[.]com, which again attempted to lure victims into Microsoft device code authentication workflows.\\”\\n\\nFound this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.\\n”,”published”:”2025-08-29T13:22:00″,”modified”:”2025-08-29T13:22:30″,”type”:”thn”,”title”:”Amazon Disrupts APT29 Watering Hole Campaign Abusing Microsoft Device Code Authentication”,”source”:””,”references”:””,”id”:”THN:82552A5E8890D25C719DBD5CE3D262AF”,”bulletinFamily”:”info”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/thehackernews.com\/2025\/08\/amazon-disrupts-apt29-watering-hole.html”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-08-29T14:05:27″,”description”:”\\n\\nAmazon on Friday said it flagged and disrupted what it described as an opportunistic watering hole campaign orchestrated by the Russia-linked APT29 actors as part…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,7,11,43,5],"class_list":["post-14952","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-security","tag-tapic","tag-thn","tag-vulnerability"],"yoast_head":"\n