Russian APT28 Hackers Targeting High-Value Orgs with NTLM Relay Attacks


Russian state-sponsored actors have staged NT LAN Manager (NTLM) v2 hash relay attacks through various methods from April 2022 to November 2023, targeting high-value organizations worldwide.

The attacks, attributed to an "aggressive" hacking crew called APT28, have set their sights on organizations dealing with foreign affairs, energy, defense, and transportation, as well as those involved with labor, social welfare, finance, parenthood, and local city councils.

Cybersecurity firm Trend Micro assessed these intrusions as a "cost-efficient method of automating attempts to brute-force its way into the networks" of its targets, noting the adversary may have compromised thousands of email accounts over time.

APT28 is also tracked by the broader cybersecurity community under the names Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422.

The group, believed to be active since at least 2009, is operated by Russia's GRU military intelligence service and has a track record of orchestrating spear-phishing campaigns carrying malicious attachments, or strategic web compromises, to trigger its infection chains.

In April 2023, APT28 was implicated in attacks leveraging now-patched flaws in networking equipment from Cisco to conduct reconnaissance and deploy malware against select targets.

The nation-state actor came under the spotlight in December for exploiting a privilege escalation flaw in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) and a flaw in WinRAR (CVE-2023-38831, CVSS score: 7.8) to obtain a user's Net-NTLMv2 hash and use it to stage an NTLM relay attack against another service, authenticating as that user.

An exploit for CVE-2023-23397 is said to have been used to target Ukrainian entities as early as April 2022, according to a March 2023 advisory from CERT-EU.

The group has also been observed leveraging lures related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace, alongside targeting Ukrainian government entities and Polish organizations with phishing messages designed to deploy backdoors and information stealers like OCEANMAP, MASEPIE, and STEELHOOK.

One of the significant aspects of the threat actor's attacks is its continuous effort to improve its operational playbook, fine-tuning and tinkering with its approaches to evade detection.

This includes the addition of anonymization layers such as VPN services, Tor, data center IP addresses, and compromised EdgeOS routers to carry out scanning and probing activities. Another tactic involves sending spear-phishing messages from compromised email accounts over Tor or VPN.

"Pawn Storm has also been using EdgeOS routers to send spear-phishing emails, perform callbacks of CVE-2023-23397 exploits in Outlook, and proxy credential theft on credential phishing websites," security researchers Feike Hacquebord and Fernando Merces said.

"Part of the group's post-exploitation activities involve the modification of folder permissions within the victim's mailbox, leading to enhanced persistence," the researchers said. "Using the victim's email accounts, lateral movement is possible by sending additional malicious email messages from within the victim organization."

It is currently not known whether the threat actor breached these routers itself or is using routers that were already compromised by a third-party actor. That said, at least 100 EdgeOS routers are estimated to have been infected.
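Mailbox folder permission changes of the kind the researchers describe leave a trail in mailbox auditing. The following is an added example (not code from the article or from Trend Micro) that scans constructed Microsoft 365 unified-audit-log style records and flags grants that make a folder readable by the built-in Default/Anonymous principals or by an external account; the operation and field names are assumptions modelled on Exchange mailbox auditing.

```python
import json
from dataclasses import dataclass
from typing import Iterable, List

# Mailbox-audit operations that change folder permissions (assumed names).
PERMISSION_OPS = {"AddFolderPermissions", "ModifyFolderPermissions", "UpdateFolderPermissions"}
# Built-in principals: a grant to these exposes the folder to every user / to anonymous access.
BROAD_PRINCIPALS = {"default", "anonymous"}
# Roles that do NOT include reading existing items; any other role lets the grantee read mail.
NON_READ_RIGHTS = {"none", "foldervisible", "contributor"}

@dataclass(frozen=True)
class Finding:
    mailbox: str
    folder: str
    grantee: str
    rights: str
    reason: str

def audit_folder_grants(records: Iterable[str], internal_domain: str) -> List[Finding]:
    """Return one Finding per risky folder-permission grant found in the JSON audit lines."""
    findings = []
    for raw in records:
        rec = json.loads(raw)
        if rec.get("Operation") not in PERMISSION_OPS:
            continue  # item access, logons etc. are out of scope for this check
        item = rec["Item"]
        grantee, rights = item["MemberUpn"], item["MemberRights"]
        grants_read = rights.lower() not in NON_READ_RIGHTS
        reason = None
        if grantee.lower() in BROAD_PRINCIPALS and grants_read:
            reason = f"folder readable by '{grantee}' (every mailbox user / anonymous)"
        elif "@" in grantee and not grantee.lower().endswith("@" + internal_domain) and grants_read:
            reason = "folder shared with an external account"
        if reason:
            findings.append(Finding(rec["UserId"], item["ParentFolder"]["Path"], grantee, rights, reason))
    return findings

# Constructed sample audit lines (not real tenant data); the field layout is an assumption.
SAMPLE_AUDIT = [
    json.dumps({"Operation": "ModifyFolderPermissions", "UserId": "alice@example.test",
                "Item": {"ParentFolder": {"Path": "\\Inbox"}, "MemberUpn": "Default", "MemberRights": "Reviewer"}}),
    json.dumps({"Operation": "AddFolderPermissions", "UserId": "alice@example.test",
                "Item": {"ParentFolder": {"Path": "\\Calendar"}, "MemberUpn": "bob@example.test", "MemberRights": "Reviewer"}}),
    json.dumps({"Operation": "AddFolderPermissions", "UserId": "alice@example.test",
                "Item": {"ParentFolder": {"Path": "\\Inbox"}, "MemberUpn": "contact@outside.invalid", "MemberRights": "Owner"}}),
    json.dumps({"Operation": "MailItemsAccessed", "UserId": "alice@example.test", "Item": {}}),
]

if __name__ == "__main__":
    for f in audit_folder_grants(SAMPLE_AUDIT, "example.test"):
        print(f"{f.mailbox} {f.folder} -> {f.grantee} ({f.rights}): {f.reason}")
```

The internal calendar share to a coworker is deliberately left unflagged so that the rule surfaces only grants that widen who can read the mailbox.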

Furthermore, recent credential harvesting campaigns against European governments have used bogus login pages mimicking Microsoft Outlook that are hosted on webhook[.]site URLs, a pattern previously attributed to the group.

An October 2022 phishing campaign, however, singled out embassies and other high-profile entities to deliver a "simple" information stealer via email; it captured files matching specific extensions and exfiltrated them to a free file-sharing service named Keep.sh.

"The loudness of the repetitive, oftentimes crude and aggressive campaigns drowns out the silence, subtlety, and complexity of the initial intrusion, as well as the post-exploitation actions that might occur once Pawn Storm gets an initial foothold in victim organizations," the researchers said.

The development comes as Recorded Future News revealed an ongoing hacking campaign undertaken by the Russian threat actor COLDRIVER (aka Calisto, Iron Frontier, or Star Blizzard) that impersonates researchers and academics to redirect potential victims to credential harvesting pages.
