Amazon has disrupted a Russian watering hole campaign that targeted Microsoft users through compromised websites, which opportunistically redirected a subset of their visitors to attacker-controlled infrastructure.
Attributed to the state-sponsored cyberespionage group known as Midnight Blizzard (also tracked as APT29, Cozy Bear, the Dukes, and Yttrium) and believed to be sponsored by the Russian Foreign Intelligence Service (SVR), the attacks were focused on credential harvesting and intelligence collection.
The APT compromised legitimate websites and injected JavaScript code that redirected visitors to domains controlled by the attackers, such as findcloudflare[.]com, which mimicked a Cloudflare verification page.
Once redirected to the malicious domains, the victims were tricked into logging into their Microsoft accounts and authorizing devices under the attacker’s control, through the Microsoft device code authentication flow.
According to Amazon CISO CJ Moses, only approximately 10% of the compromised websites' visitors were redirected to the threat actor-controlled domains.
“This opportunistic approach illustrates APT29’s continued evolution in scaling their operations to cast a wider net in their intelligence collection efforts,” Moses notes.
To keep the operation quiet, Midnight Blizzard used randomization so that only a small percentage of visitors were redirected, hid the injected code behind base64 encoding, and set cookies so that the same visitor would not be redirected a second time. One practical consequence for defenders is that a single fetch of a compromised page will usually not reproduce the redirect; the injected script has to be found statically, by decoding what it carries, rather than by observing the behavior.
When blocked, the attackers quickly set up new infrastructure, including by moving to a new cloud provider and by registering the domain cloudflare[.]redirectpartners[.]com, AWS says.
“There was no compromise of AWS systems, nor was there a direct impact observed on AWS services or infrastructure,” Moses points out.
Last year, Midnight Blizzard impersonated AWS and Microsoft employees to deliver RDP configuration files to unsuspecting users. In June 2025, Google warned of the APT's attacks abusing the "app-specific password" feature to trick Gmail users into granting MFA-free access to their accounts.
Related: Russian State Hackers Target Organizations With Device Code Phishing
Related: HPE Says Personal Information Stolen in 2023 Russian Hack
Related: Russian APT Exploiting 7-Year-Old Cisco Vulnerability: FBI
Related: Norwegian Police Say Pro-Russian Hackers Were Likely Behind Suspected Sabotage at a Dam

