Fancy Bear, the Kremlin's cyber-spy crew, has been exploiting two previously patched bugs for large-scale phishing campaigns against high-value targets - like government, defense, and aerospace agencies in the US and Europe - since March, according to Microsoft.
The US and UK governments have linked this state-sponsored gang to Russia's military intelligence agency, the GRU. Its latest phishing expeditions look to exploit CVE-2023-23397, an elevation of privilege flaw in Microsoft Outlook, and CVE-2023-38831, a remote code execution flaw in WinRAR.
Microsoft initially patched the Outlook bug in March.
It warned at the time that the flaw had already been exploited in the wild by miscreants in Russia against government, energy, and military sectors in Europe - with a specific focus on Ukraine, according to the EU's CERT org.
Microsoft tracks Fancy Bear as Forest Blizzard, and it used to call the GRU-backed group Strontium.
Some of the compromised Outlook accounts belong to Polish public and private orgs, according to the Polish Cyber Command, which partnered with Microsoft to investigate the attacks.
Specifically, more than 10,000 emails that Proofpoint has attributed to Fancy Bear were sent during the late summer.
All came from a single email provider, to defense, aerospace, technology, government, and manufacturing firms across North America and Europe.
The security shop also noted occasional, smaller-volume phishing campaigns targeting higher education, construction, and consulting businesses.
CVE-2023-23397 can be exploited by a remote, unauthenticated attacker who sends a tailored email to the target system; Outlook then leaks the victim's Net-NTLMv2 hash, which the attacker can use to authenticate as that user and so gain access to their email communications.
These phishing emails contained an appointment attachment, using a TNEF file disguised as a CSV, Excel file, or Word document.
The malicious attachment contained a UNC path that directed traffic to an SMB listener hosted on a likely compromised Ubiquiti router, according to Proofpoint.
In the past, Fancy Bear has used compromised routers to host its command-and-control nodes or NTLM listeners.
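The UNC path mechanism above is the thing a defender can check for. Microsoft's own mitigation guidance for CVE-2023-23397 centres on the appointment reminder sound property (PidLidReminderFileParameter): if it names a remote host, Outlook will try to fetch the "sound" and send an NTLM authentication in the process. The following is an added example, not code from the article, Proofpoint or Microsoft, that classifies such property values as they might be exported from a mailbox audit. The allow-list of internal hosts, the message records and the hosts in them are constructed for the example; note that a port or SSL suffix (`\\host@80\...`) switches Outlook from SMB to WebDAV, which is why blocking outbound TCP 445 alone is not a complete fix.

```python
import re

# Assumption for the example: hosts that Outlook may legitimately reach for a
# reminder sound. A real deployment would substitute its own list.
INTERNAL_HOSTS = {"fileserver.corp.example"}

# Matches \\host\share\file and the WebDAV forms \\host@80\path, \\host@SSL@443\path
UNC_RE = re.compile(r"^\\\\([^\\/@]+)((?:@(?:SSL|\d+))*)[\\/]?(.*)$", re.IGNORECASE)


def classify_reminder_path(value, internal_hosts=INTERNAL_HOSTS):
    """Classify one PidLidReminderFileParameter value.

    Returns a dict with:
      verdict   - 'empty', 'local', 'internal' or 'external'
      host      - the remote host named in the path, if any
      transport - 'smb' for a plain UNC path, 'webdav' when a port/SSL
                  suffix makes Outlook use the WebDAV client instead
    Only 'external' should raise an alert: a local sound file or an
    allow-listed internal server is the normal case.
    """
    v = value.strip()
    if not v:
        return {"verdict": "empty", "host": None, "transport": None}
    m = UNC_RE.match(v)
    if not m:
        # Drive-letter or relative paths never cause an outbound authentication.
        return {"verdict": "local", "host": None, "transport": None}
    host, suffix, _rest = m.groups()
    transport = "webdav" if suffix else "smb"
    allowed = {h.lower() for h in internal_hosts}
    verdict = "internal" if host.lower() in allowed else "external"
    return {"verdict": verdict, "host": host, "transport": transport}


def scan_messages(records, internal_hosts=INTERNAL_HOSTS):
    """records: iterable of (message_id, reminder_path) pairs.
    Returns (message_id, host, transport) for every message whose reminder
    path points at a host that is not on the allow-list."""
    alerts = []
    for msg_id, path in records:
        result = classify_reminder_path(path, internal_hosts)
        if result["verdict"] == "external":
            alerts.append((msg_id, result["host"], result["transport"]))
    return alerts


# Constructed sample records (not real mailbox data); 203.0.113.0/24 is the
# documentation range, so none of these hosts exist.
SAMPLE_RECORDS = [
    ("msg-001", r"C:\Windows\Media\notify.wav"),
    ("msg-002", r"\\fileserver.corp.example\sounds\ding.wav"),
    ("msg-003", r"\\203.0.113.7\share\alarm.wav"),
    ("msg-004", r"\\203.0.113.7@80\dav\alarm.wav"),
    ("msg-005", ""),
]

if __name__ == "__main__":
    for alert in scan_messages(SAMPLE_RECORDS):
        print("ALERT", *alert)
```

Run as-is it reports msg-003 (plain SMB) and msg-004 (WebDAV fallback); the same classifier can be pointed at the property values Microsoft's CVE-2023-23397 audit script extracts, and the alerted hosts are what you would cross-check against egress logs for port 445 or WebDAV traffic.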
Don't forget WinRAR.
Plus, using a different set of Portugalmail email addresses, the Russian spies also sent phishes exploiting a WinRAR vulnerability, CVE-2023-38831, according to Proofpoint.
This vulnerability, which allows miscreants to execute malware hidden inside seemingly legitimate files, was fixed in August - but, it appears, not enough people have applied the patch.
For this campaign, the Russians spoofed geopolitical organizations and used the BRICS Summit and a European Parliament meeting as subject lures.
This campaign is not the same one that other security orgs including Google TAG have previously highlighted as abusing WinRAR, we're told.
Proofpoint explained that the September phishing campaign uses RAR file attachments that exploit CVE-2023-38831 to drop a .cmd file and establish communications with a Responder listener server.
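The article does not describe how the archives are built, but the public analyses of CVE-2023-38831 do: the archive holds a harmless-looking file (say a PDF) and a directory with the same name, and the directory holds a script named after the decoy. Older WinRAR versions, when the user opened the decoy, extracted and launched the script instead. That layout is a structural signature a mail gateway can look for without executing anything, and the check below is an added example written for this article, not Proofpoint's or WinRAR's code. It assumes the trailing-space name collision from those public analyses, a constructed extension list, and uses ZIP for the demonstration because Python's standard library has no RAR reader; an entry listing from any RAR library can be fed to the same function.

```python
import io
import posixpath
import zipfile

# Assumed list of extensions that would execute rather than display when launched.
SCRIPT_EXTS = {".cmd", ".bat", ".vbs", ".js", ".ps1", ".exe", ".lnk", ".scr"}


def _norm(name):
    # The public write-ups of CVE-2023-38831 describe the decoy file and the
    # directory differing only by a trailing space; compare with it removed.
    return name.rstrip()


def find_decoy_collisions(names):
    """Given an archive's entry names (forward-slash separated), return
    (decoy_file, script_entry) pairs where a top-level file shares its name
    (ignoring trailing spaces) with a directory that contains a script."""
    files = [n for n in names if not n.endswith("/")]
    top_files = {_norm(n): n for n in files if "/" not in n}
    hits = []
    for n in files:
        if "/" not in n:
            continue
        first_dir, _, leaf = n.partition("/")
        ext = posixpath.splitext(_norm(leaf))[1].lower()
        if _norm(first_dir) in top_files and ext in SCRIPT_EXTS:
            hits.append((top_files[_norm(first_dir)], n))
    return hits


def scan_zip_bytes(data):
    """Run the check on an in-memory ZIP. Only the listing is read; nothing
    is extracted, so the scan is safe to run on untrusted attachments."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_decoy_collisions(zf.namelist())


def build_sample_archive():
    """Constructed test fixture, not a real sample: the 'script' only echoes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf ", b"%PDF-1.4\n% constructed decoy\n")
        zf.writestr("report.pdf /report.pdf .cmd",
                    b"@echo off\r\necho constructed benign sample\r\n")
    return buf.getvalue()


def build_benign_archive():
    """Constructed control: same-named file and directory, but no script inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"hello\n")
        zf.writestr("readme.txt/notes.txt", b"hello again\n")
    return buf.getvalue()


if __name__ == "__main__":
    print("suspicious:", scan_zip_bytes(build_sample_archive()))
    print("benign:    ", scan_zip_bytes(build_benign_archive()))
```

Flagging on structure rather than on the script's content means the check still fires when the dropped .cmd is obfuscated or changed between campaigns; the usual follow-up is to quarantine the message and confirm the recipient's WinRAR is at a patched version.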
Unsurprisingly, the security shop expects the criminals to continue exploiting both bugs on unpatched systems.
This Cyber News was published on go.theregister.com. Publication date: Wed, 06 Dec 2023 00:43:04 +0000