Headline
Russian APT28 Hackers Targeting High-Value Orgs with NTLM Relay Attacks
Russian state-sponsored actors have staged NT LAN Manager (NTLM) v2 hash relay attacks through various methods from April 2022 to November 2023, targeting high-value targets worldwide. The attacks, attributed to an “aggressive” hacking crew called APT28, have set their eyes on organizations dealing with foreign affairs, energy, defense, and transportation, as well as those involved with
Russian state-sponsored actors have staged NT LAN Manager (NTLM) v2 hash relay attacks through various methods from April 2022 to November 2023, targeting high-value targets worldwide.
The attacks, attributed to an “aggressive” hacking crew called APT28, have set their eyes on organizations dealing with foreign affairs, energy, defense, and transportation, as well as those involved with labor, social welfare, finance, parenthood, and local city councils.
Cybersecurity firm Trend Micro assessed these intrusions as a “cost-efficient method of automating attempts to brute-force its way into the networks” of its targets, noting the adversary may have compromised thousands of email accounts over time.
APT28 is also tracked by the broader cybersecurity community under the names Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422.
The group, believed to be active since at least 2009, is operated by Russia’s GRU military intelligence service and has a track record of orchestrating spear-phishing containing malicious attachments or strategic web compromises to activate the infection chains.
In April 2023, APT28 was implicated in attacks leveraging now-patched flaws in networking equipment from Cisco to conduct reconnaissance and deploy malware against select targets.
The nation-state actor, in December, came under the spotlight for exploiting a privilege escalation flaw in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) and WinRAR (CVE-2023-38831, CVSS score: 7.8) to access a user’s Net-NTLMv2 hash and use it to stage an NTLM Relay attack against another service to authenticate as the user.
An exploit for CVE-2023-23397 is said to have been used to target Ukrainian entities as early as April 2022, according to a March 2023 advisory from CERT-EU.
It has also been observed leveraging lures related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace, alongside striking Ukrainian government entities and Polish organizations with phishing messages designed to deploy backdoors and information stealers like OCEANMAP, MASEPIE, and STEELHOOK.
One of the significant aspects of the threat actor’s attacks is the continuous attempt to improve its operational playbook, fine-tuning and tinkering with its approaches to evade detection.
This includes the addition of anonymization layers such as VPN services, Tor, data center IP addresses, and compromised EdgeOS routers to carry out scanning and probing activities. Another tactic entails sending spear-phishing messages from compromised email accounts over Tor or VPN.
“Pawn Storm has also been using EdgeOS routers to send spear-phishing emails, perform callbacks of CVE-2023-23397 exploits in Outlook, and proxy credential theft on credential phishing websites,” security researchers Feike Hacquebord and Fernando Merces said.
“Part of the group’s post-exploitation activities involve the modification of folder permissions within the victim’s mailbox, leading to enhanced persistence,” the researchers said. “Using the victim’s email accounts, lateral movement is possible by sending additional malicious email messages from within the victim organization.”
It’s currently not known if the threat actor themselves breached these routers, or if it is using routers that were already compromised by a third-party actor. That said, no less than 100 EdgeOS routers are estimated to have been infected.
Furthermore, recent credential harvesting campaigns against European governments have used bogus login pages mimicking Microsoft Outlook that are hosted on webhook[.]site URLs, a pattern previously attributed to the group.
An October 2022 phishing campaign, however, singled out embassies and other high-profile entities to deliver a “simple” information stealer via emails that captured files matching specific extensions and exfiltrated them to a free file-sharing service named Keep.sh.
“The loudness of the repetitive, oftentimes crude and aggressive campaigns, drown out the silence, subtlety, and complexity of the initial intrusion, as well as the post-exploitation actions that might occur once Pawn Storm gets an initial foothold in victim organizations,” the researchers said.
The development comes as Recorded Future News revealed an ongoing hacking campaign undertaken by the Russian threat actor COLDRIVER (aka Calisto, Iron Frontier, or Star Blizzard) that impersonates researchers and academics to redirect prospective victims to credential harvesting pages.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
The threat actor known as UAC-0099 has been linked to continued attacks aimed at Ukraine, some of which leverage a high-severity flaw in the WinRAR software to deliver a malware strain called LONEPAGE. "The threat actor targets Ukrainian employees working for companies outside of Ukraine," cybersecurity firm Deep Instinct said in a Thursday analysis. UAC-0099 was first
A researcher found two Microsoft vulnerabilities which could be combined to achieve zero-click remote code execution.
Technical details have emerged about two now-patched security flaws in Microsoft Windows that could be chained by threat actors to achieve remote code execution on the Outlook email service sans any user interaction. "An attacker on the internet can chain the vulnerabilities together to create a full, zero-click remote code execution (RCE) exploit against Outlook clients," Akamai security
The Russian nation-state threat actor known as APT28 has been observed making use of lures related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace. IBM X-Force is tracking the adversary under the name ITG05, which is also known as BlueDelta, Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Sednit, Sofacy, and
Microsoft on Monday said it detected Kremlin-backed nation-state activity exploiting a critical security flaw in its Outlook email service to gain unauthorized access to victims' accounts within Exchange servers. The tech giant attributed the intrusions to a threat actor it called Forest Blizzard (formerly Strontium), which is also widely tracked under the monikers APT28,
By Waqas Forest Blizzard (aka STRONTIUM, APT28, and Fancy Bear) is thought to have affiliations with or support from the Russian military intelligence agency. This is a post from HackRead.com Read the original post: Microsoft Outlook Vulnerability Exploited by Russian Forest Blizzard Group
A new phishing attack has been observed leveraging a Russian-language Microsoft Word document to deliver malware capable of harvesting sensitive information from compromised Windows hosts. The activity has been attributed to a threat actor called Konni, which is assessed to share overlaps with a North Korean cluster tracked as Kimsuky (aka APT43). "This campaign relies on a remote access trojan
The Pakistan-linked threat actor known as SideCopy has been observed leveraging the recent WinRAR security vulnerability in its attacks targeting Indian government entities to deliver various remote access trojans such as AllaKore RAT, Ares RAT, and DRat. Enterprise security firm SEQRITE described the campaign as multi-platform, with the attacks also designed to infiltrate Linux systems with a
By Deeba Ahmed All a user needs to do is visit the official WinRAR website and install the latest version to thwart the attack. This is a post from HackRead.com Read the original post: APTs Exploiting WinRAR 0day Flaw Despite Patch Availability
State-sponsored cyber espionage actors from Russia and China continue to target WinRAR users with various info-stealing and backdoor malware, as a patching lag plagues the software's footprint.
Pro-Russian hacking groups have exploited a recently disclosed security vulnerability in the WinRAR archiving utility as part of a phishing campaign designed to harvest credentials from compromised systems. "The attack involves the use of malicious archive files that exploit the recently discovered vulnerability affecting the WinRAR compression software versions prior to 6.23 and traced as
The Computer Emergency Response Team of Ukraine (CERT-UA) on Tuesday said it thwarted a cyber attack against an unnamed critical energy infrastructure facility in the country. The intrusion, per the agency, started with a phishing email containing a link to a malicious ZIP archive that activates the infection chain. “Visiting the link will download a ZIP archive containing three JPG images (
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks perpetrated by Russian nation-state hackers targeting various government bodies in the country. The agency attributed the phishing campaign to APT28, which is also known by the names Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, Sednit, and Sofacy. The email messages come with the subject line "
Hello everyone! This episode will be about Microsoft Patch Tuesday for March 2023, including vulnerabilities that were added between February and March Patch Tuesdays. Alternative video link (for Russia): https://vk.com/video-149273431_456239119 As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. I took the comments about the vulnerabilities from the Qualys, Tenable, Rapid7, ZDI […]
Microsoft on Friday shared guidance to help customers discover indicators of compromise (IoCs) associated with a recently patched Outlook vulnerability. Tracked as CVE-2023-23397 (CVSS score: 9.8), the critical flaw relates to a case of privilege escalation that could be exploited to steal NT Lan Manager (NTLM) hashes and stage a relay attack without requiring any user interaction. "External
Facebook users are notoriously the biggest offenders for sharing fake news and misinformation.
The latest episode of ThreatWise TV from Hazel Burton is the closest look yet at the team Talos assembled in the days after Russia invaded Ukraine.
Microsoft on Tuesday released updates to quash at least 74 security bugs in its Windows operating systems and software. Two of those flaws are already being actively attacked, including an especially severe weakness in Microsoft Outlook that can be exploited without any user interaction.
Microsoft's Patch Tuesday update for March 2023 is rolling out with remediations for a set of 80 security flaws, two of which have come under active exploitation in the wild. Eight of the 80 bugs are rated Critical, 71 are rated Important, and one is rated Moderate in severity. The updates are in addition to 29 flaws the tech giant fixed in its Chromium-based Edge browser in recent weeks. The
Microsoft Outlook Elevation of Privilege Vulnerability