

Ethical Hacking News

APT29's Watering Hole Campaign: Amazon Disrupts Abuse of Microsoft Device Code Authentication


Amazon has disrupted a sophisticated watering hole campaign orchestrated by APT29, a Russia-linked hacking group. The campaign utilized compromised websites to trick users into authorizing attacker-controlled devices through Microsoft's device code authentication flow, highlighting the need for organizations to prioritize security against such tactics.

  • Amazon disrupted a watering hole campaign orchestrated by APT29, also known as BlueBravo.
  • APT29 used compromised websites to redirect visitors to malicious infrastructure designed to trick users into authorizing attacker-controlled devices through Microsoft's device code authentication flow.
  • The attacks involved injecting JavaScript that redirected approximately 10% of visitors to actor-controlled domains, mimicking legitimate verification pages.
  • APT29 employed various evasion techniques, including Base64 encoding and shifting to new infrastructure when blocked.
  • The disruption highlights the importance of device code authentication flow security and the need for organizations to remain vigilant against such tactics.


    Amazon has disrupted a watering hole campaign orchestrated by the Russia-linked Advanced Persistent Threat (APT) group APT29, also known as BlueBravo, Cloaked Ursa, CozyLarch, Cozy Bear, Earth Koshchei, ICECAP, Midnight Blizzard, and The Dukes. This campaign utilized compromised websites to redirect visitors to malicious infrastructure designed to trick users into authorizing attacker-controlled devices through Microsoft's device code authentication flow.

    According to Amazon's Chief Information Security Officer CJ Moses, the APT29 actors employed a "compromised website to redirect visitors to malicious infrastructure" in order to entice victims into entering a legitimate device code generated by the threat actor into a sign-in page. This technique was detailed by both Microsoft and Volexity back in February 2025.

    The attacks involved APT29 compromising various legitimate websites and injecting JavaScript that redirected approximately 10% of visitors to actor-controlled domains, such as findcloudflare[.]com, which mimicked Cloudflare verification pages to give an illusion of legitimacy. In reality, the end goal of the campaign was to entice victims into entering a legitimate device code generated by the threat actor into a sign-in page, effectively granting the attacker access to the victim's Microsoft account and data.
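    A defender's first question after reading this is which accounts in their own tenant have completed a device code sign-in, and whether those sign-ins look like the victim's normal activity. The following script is an added example, not code from Amazon, Microsoft or Volexity: it triages a Microsoft Entra sign-in log export, rating each device code sign-in by whether its source IP already appears in that user's ordinary sign-in history and whether the same IP completed device code sign-ins for several users (a pattern a watering hole campaign would produce). Field names follow the Microsoft Graph signIn resource; that the export labels device code sign-ins with the value "deviceCode" in authenticationProtocol is an assumption of this example, and all users, addresses and times are constructed.

```python
"""Triage device code sign-ins from a Microsoft Entra sign-in log export (added example)."""
import json
from collections import defaultdict

# Constructed sample records. Field names follow the Microsoft Graph signIn
# resource; the value "deviceCode" for authenticationProtocol is an assumption
# of this example. Users, IPs and timestamps are invented.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.invalid", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "createdDateTime": "2025-08-20T09:00:00Z",
     "appDisplayName": "Microsoft Teams"},
    {"userPrincipalName": "bob@example.invalid", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.22", "createdDateTime": "2025-08-21T08:30:00Z",
     "appDisplayName": "Outlook"},
    {"userPrincipalName": "carol@example.invalid", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.33", "createdDateTime": "2025-08-22T10:05:00Z",
     "appDisplayName": "SharePoint Online"},
    {"userPrincipalName": "dave@example.invalid", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.44", "createdDateTime": "2025-08-28T13:00:00Z",
     "appDisplayName": "Microsoft Teams"},
    {"userPrincipalName": "alice@example.invalid", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "createdDateTime": "2025-08-28T14:12:00Z",
     "appDisplayName": "Microsoft Office"},
    {"userPrincipalName": "bob@example.invalid", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.22", "createdDateTime": "2025-08-28T14:15:00Z",
     "appDisplayName": "Microsoft Office"},
    {"userPrincipalName": "carol@example.invalid", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "createdDateTime": "2025-08-28T14:40:00Z",
     "appDisplayName": "Microsoft Office"},
]


def parse_export(text):
    """Accept either a bare JSON array or a Graph-style {"value": [...]} body."""
    data = json.loads(text)
    return data["value"] if isinstance(data, dict) else data


def baseline_ips(signins):
    """Map each user to the set of IPs seen on their non-device-code sign-ins."""
    seen = defaultdict(set)
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            seen[s["userPrincipalName"]].add(s["ipAddress"])
    return seen


def triage_device_code(signins):
    """Return one finding per device code sign-in.

    severity is "high" when the source IP is absent from the user's own
    baseline or when the same IP completed device code sign-ins for more
    than one user; otherwise "medium" (device code flow still deserves review).
    """
    seen = baseline_ips(signins)
    device = [s for s in signins if s.get("authenticationProtocol") == "deviceCode"]
    users_per_ip = defaultdict(set)
    for s in device:
        users_per_ip[s["ipAddress"]].add(s["userPrincipalName"])
    findings = []
    for s in device:
        user, ip = s["userPrincipalName"], s["ipAddress"]
        known_ip = ip in seen[user]
        shared = len(users_per_ip[ip]) > 1
        findings.append({
            "user": user,
            "time": s["createdDateTime"],
            "ip": ip,
            "app": s.get("appDisplayName", ""),
            "known_ip": known_ip,
            "shared_source_ip": shared,
            "severity": "high" if (not known_ip or shared) else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in triage_device_code(SAMPLE_SIGNINS):
        print(json.dumps(finding))
```

    On the constructed data, alice and carol are both rated high: each signed in via device code from an address never seen in their own history, and it is the same address for both. bob's device code sign-in comes from his usual address and is rated medium. Findings rated high are the ones to correlate with a web proxy log search for the redirect domains named in the article.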

    The activity is also noteworthy for incorporating various evasion techniques, such as Base64 encoding to conceal malicious code, setting cookies to prevent repeated redirects of the same visitor, and shifting to new infrastructure when blocked. Despite these attempts, Amazon's threat intelligence team was able to disrupt the campaign by tracking and interrupting APT29's operations.
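    Site owners can look for the injection itself: a script that is inline rather than served from a known file, decodes a Base64 literal, gates on a cookie, samples a fraction of visitors with Math.random(), and assigns to location. The scanner below is an added example (not code from Amazon or the article's sources) that pulls inline scripts out of a saved page, scores them against those four indicators, and decodes any atob() literals so the analyst sees the redirect target in clear text. The sample page is constructed, and example.invalid stands in for a real domain; it is not an indicator from the campaign.

```python
"""Flag inline scripts that combine a concealed redirect with visitor gating (added example)."""
import base64
import re
from html.parser import HTMLParser

# Constructed sample page: one ordinary consent snippet and one injected
# redirect shaped like the behaviour the article describes (10% sampling,
# a cookie to avoid re-redirecting a visitor, a Base64-hidden destination).
# example.invalid is a placeholder, not a real campaign indicator.
_TARGET_B64 = base64.b64encode(b"https://example.invalid/check").decode()
SAMPLE_HTML = f"""<html><head><title>Site</title>
<script src="/static/app.js"></script>
<script>document.cookie="consent=1;path=/";</script>
</head><body><p>Hello</p>
<script>if(Math.random()<0.1&&document.cookie.indexOf("cf_seen")<0){{document.cookie="cf_seen=1;path=/";window.location=atob("{_TARGET_B64}");}}</script>
</body></html>"""


class InlineScriptCollector(HTMLParser):
    """Collect the bodies of <script> elements that have no src attribute."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script" and not dict(attrs).get("src"):
            self._in_script = True
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.scripts.append("".join(self._buf))

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


# Each indicator on its own is common in benign code; the combination is not.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "redirect": re.compile(r"\blocation(?:\.href)?\s*=[^=]|\blocation\.(?:replace|assign)\s*\("),
    "cookie_gate": re.compile(r"document\.cookie"),
    "random_sampling": re.compile(r"Math\.random\(\)\s*<\s*0?\.\d+"),
}
ATOB_LITERAL = re.compile(r"""atob\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)""")


def decode_atob_literals(script):
    """Decode Base64 string literals passed to atob() and keep those that are URLs."""
    urls = []
    for literal in ATOB_LITERAL.findall(script):
        try:
            text = base64.b64decode(literal, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if text.startswith(("http://", "https://", "//")):
            urls.append(text)
    return urls


def scan_html(html):
    """Return findings for inline scripts that redirect and use at least two more indicators."""
    collector = InlineScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for index, script in enumerate(collector.scripts):
        hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
        if "redirect" in hits and len(hits) >= 3:
            findings.append({
                "script_index": index,
                "indicators": hits,
                "decoded_targets": decode_atob_literals(script),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

    Run against a page fetched from the site's own origin (or a copy from a crawler), the scanner ignores the external app.js reference and the consent cookie snippet and reports only the injected script, with the decoded destination alongside the indicator names. Because the injection only fires for a fraction of visitors and sets a cookie afterwards, a scanner that fetches the page once and checks what happens in a browser can miss it; inspecting the served HTML directly, as here, does not depend on the visitor sampling.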

    The disruption is significant, as it highlights APT29's continued evolution in scaling its operations to cast a wider net in its intelligence collection efforts. This opportunistic approach illustrates the group's continued growth in sharpening its tradecraft and broadening the set of victims it targets.

    Furthermore, this incident underscores the importance of device code authentication flow security and the need for organizations to remain vigilant against such tactics. Microsoft has previously warned about the dangers of compromised websites and malicious scripts designed to manipulate users into authorizing attacker-controlled devices.

    The APT29 group is a state-sponsored hacking collective with ties to Russia's Foreign Intelligence Service (SVR). In recent months, they have been linked to attacks leveraging malicious Remote Desktop Protocol (RDP) configuration files to target Ukrainian entities and exfiltrate sensitive data. The group has also adopted various phishing methods, including device code phishing and device join phishing, to obtain unauthorized access to Microsoft 365 accounts.

    The disruption of this watering hole campaign by Amazon demonstrates the organization's commitment to threat intelligence and its ability to track and disrupt adversary operations. This incident serves as a reminder of the importance of staying informed about emerging threats and adapting security measures accordingly.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Apt29s-Watering-Hole-Campaign-Amazon-Disrupts-Microsoft-Device-Code-Authentication-Abusing-ehn.shtml
  • https://thehackernews.com/2025/08/amazon-disrupts-apt29-watering-hole.html
  • https://aws.amazon.com/blogs/security/amazon-disrupts-watering-hole-campaign-by-russias-apt29/


  • Published: Fri Aug 29 10:01:57 2025 by llama3.2 3B Q4_K_M












