Fancy Bear goes phishing in US, European high-value networks The Register

Fancy Bear, the Kremlin's cyber-spy crew, has been exploiting two previously patched bugs for large-scale phishing campaigns against high-value targets - like government, defense, and aerospace agencies in the US and Europe - since March, according to Microsoft.
The US and UK governments have linked this state-sponsored gang to Russia's military intelligence agency, the GRU. Its latest phishing expeditions look to exploit CVE-2023-23397, a Microsoft Outlook elevation of privilege flaw, and CVE-2023-38831, a WinRAR remote code execution flaw that allows arbitrary code execution.
Microsoft initially patched the Outlook bug in March.
It warned at the time that the flaw had already been exploited in the wild by miscreants in Russia against government, energy, and military sectors in Europe - with a specific focus on Ukraine, according to the EU's CERT org.
Microsoft tracks Fancy Bear as Forest Blizzard, and it used to call the GRU-backed group Strontium.
Some of the compromised Outlook accounts belong to Polish public and private orgs, according to the Polish Cyber Command, which partnered with Microsoft to investigate the attacks.
Specifically, more than 10,000 emails that Proofpoint has attributed to Fancy Bear were sent during the late summer.
All came from a single email provider, to defense, aerospace, technology, government, and manufacturing firms across North America and Europe.
The security shop also noted occasional, smaller-volume phishing campaigns targeting higher education, construction, and consulting businesses.
CVE-2023-23397 can be exploited by a remote, unauthenticated attacker to access a victim's Net-NTLMv2 hash by sending a tailored email to a compromised system, then use the hash to authenticate the attacker, thus gaining access to email communications.
These phishing emails contained an appointment attachment, using a TNEF file disguised as a CSV, Excel file, or Word document.
The malicious extension contained a UNC path that directed traffic to an SMB listener hosted on a likely compromised Ubiquiti router, according to Proofpoint.
In the past, Fancy Bear has used compromised routers to host its command-and-control nodes, or NTLM listeners [PDF].
Don't forget WinRAR. Plus, using a different set of Portugalmail email addresses the Russian spies also sent phishes exploiting a WinRAR vulnerability, CVE-2023-32231, according to Proofpoint.
This vulnerability, which allows miscreants to execute malware hidden inside legitimate files, was fixed in August - but, it appears, not patched by enough people.
For this campaign, the Russians spoofed geopolitical organizations and used the BRICS Summit and a European Parliament meeting as subject lures.
This campaign is not the same one that other security orgs including Google TAG have previously highlighted as abusing WinRAR, we're told.
Proofpoint explained that the September phishing campaign uses RAR file attachments that exploit CVE-2023-32231 to drop a.cmd file and establish communications with a Responder listener server.
Unsuprisingly, the security shop expects the criminals to continue exploiting both bugs in unpatched systems.


This Cyber News was published on go.theregister.com. Publication date: Wed, 06 Dec 2023 00:43:04 +0000


Cyber News related to Fancy Bear goes phishing in US, European high-value networks The Register

Russian-Backed Hackers Target High-Value US, European Entities - Hackers linked to Russia's military intelligence unit exploited previously patched Microsoft vulnerabilities in a massive phishing campaign against U.S. and European organizations in such vectors as government, aerospace, and finance across North ...
10 months ago Securityboulevard.com
Fancy Bear goes phishing in US, European high-value networks The Register - Fancy Bear, the Kremlin's cyber-spy crew, has been exploiting two previously patched bugs for large-scale phishing campaigns against high-value targets - like government, defense, and aerospace agencies in the US and Europe - since March, according ...
10 months ago Go.theregister.com
Feds go Fancy Bear hunting, take down Russia's GRU botnet The Register - The US government today said it disrupted a botnet that Russia's GRU military intelligence unit used for phishing expeditions, spying, credential harvesting, and data theft against American and foreign governments and other strategic targets. Moobot ...
8 months ago Go.theregister.com
Spear Phishing vs Phishing: What Are The Main Differences? - Almost half of them used phishing to obtain the passwords of users. Highly targeted phishing campaigns against specific individuals or types of individuals are known as spear phishing. It's important to be able to spot phishing in general. For ...
8 months ago Techrepublic.com
Palo Alto Networks and IBM to Jointly Provide AI-Powered Security Offerings - PRESS RELEASE. SANTA CLARA, Calif. and ARMONK, N.Y., May 15, 2024 /PRNewswire/ - Palo Alto Networks, the global cybersecurity leader, and IBM, a leading provider of hybrid cloud and AI, today announced a broad-reaching partnership to deliver ...
5 months ago Darkreading.com
Microsoft Cloud Users Store Personal Data In Europe - In effort to resolve privacy worries, Microsoft is to allow its cloud customers to store all personal data within EU. Microsoft has confirmed that it will allow cloud customers to store all their personal data within the European Union, in an effort ...
9 months ago Silicon.co.uk
Flipping the BEC funnel: Phishing in the age of GenAI - For years, phishing was just a numbers game: A malicious actor would slap together an extremely generic email and fire it out to thousands of recipients in the hope that a few might take the bait. Common among these new techniques was a shift towards ...
9 months ago Helpnetsecurity.com
Combat Phishing Attacks With AI-Powered Threat Protection - According to statistics, 81% of organizations have seen an increase in phishing emails since 2020, with an estimated 3.4 billion emails sent every day. AI-generated phishing emails are a sophisticated and evolving cybersecurity threat. ...
8 months ago Gbhackers.com
What SOCs Need to Know About Water Dybbuk - According to the Federal Bureau of Investigation, BEC costs victims more money than ransomware, with an estimated US$2.4 billion being lost to BEC in the US in 2021. Recently, BEC scammers have been using stolen accounts from legitimate Simple Mail ...
1 year ago Trendmicro.com
CVE-2013-0135 - Multiple SQL injection vulnerabilities in PHP Address Book 8.2.5 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) addressbook/register/delete_user.php, (2) addressbook/register/edit_user.php, or (3) ...
7 years ago
Russian APT exploiting JetBrains TeamCity vulnerability - A known JetBrains TeamCity vulnerability is now being exploited by two nation-state threat groups as some organizations have yet to patch the critical flaw. CISA issued a joint government advisory Wednesday to warn users that a Russian advanced ...
10 months ago Techtarget.com
7th Cybersecurity Forum: Power grids cybersecurity ascending to prominence — ENISA - 7th Cybersecurity Forum: Power grids cybersecurity ascending to prominence The Association of European Distribution System Operators (E.DSO), the European Energy Information Sharing and Analysis Centre (EE-ISAC), the European Network for Cyber ...
1 month ago Enisa.europa.eu
The Future of Phishing Email Training for Employees in Cybersecurity - One common method they use is through phishing emails. To counter this changing threat, companies must give importance to providing phishing email training for employees on identifying and responding properly to phishing attempts. Standard training ...
5 months ago Hackread.com
Phishing Campaign Exploits Open Redirection Vulnerability In 'Indeed.com' - Phishing remains one of the most prevalent challenges facing organisations, with more than three billion malicious emails estimated to be sent around the world every day. Owing to the prevalence of the problem, Verizon's 2023 Data Breach ...
7 months ago Cyberdefensemagazine.com
9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
10 months ago Esecurityplanet.com
CVE-2017-17713 - Trape before 2017-11-05 has SQL injection via the /nr red parameter, the /nr vId parameter, the /register User-Agent HTTP header, the /register country parameter, the /register countryCode parameter, the /register cpu parameter, the /register isp ...
6 years ago
CVE-2017-17714 - Trape before 2017-11-05 has XSS via the /nr red parameter, the /nr vId parameter, the /register User-Agent HTTP header, the /register country parameter, the /register countryCode parameter, the /register cpu parameter, the /register isp parameter, ...
6 years ago
Third Of European Businesses Have Adopted AI, AWS - AWS finds AI already adopted at sizeable number of European businesses, resulting in increased revenues, productivity. An insight into the adoption rate of artificial intelligence within the business community has been offered in a new report from ...
9 months ago Silicon.co.uk
Russian military hackers target NATO fast reaction corps - Russian APT28 military hackers used Microsoft Outlook zero-day exploits to target multiple European NATO member countries, including a NATO Rapid Deployable Corps. Researchers from Palo Alto Networks' Unit 42 have observed them exploiting the ...
10 months ago Bleepingcomputer.com
CVE-2023-52780 - In the Linux kernel, the following vulnerability has been resolved: net: mvneta: fix calls to page_pool_get_stats Calling page_pool_get_stats in the mvneta driver without checks leads to kernel crashes. First the page pool is only available if the bm ...
5 months ago Tenable.com
CVE-2024-47716 - In the Linux kernel, the following vulnerability has been resolved: ARM: 9410/1: vfp: Use asm volatile in fmrx/fmxr macros Floating point instructions in userspace can crash some arm kernels built with clang/LLD 17.0.6: BUG: unsupported FP ...
1 week ago Tenable.com
Vade Releases 2023 Phishers' Favorites Report - PRESS RELEASE. SAN FRANCISCO, Feb. 15, 2024 /PRNewswire/ - Vade, a global leader in threat detection and response with more than 1.4 billion mailboxes protected, today announced its annual Phishers' Favorites report for 2023. Phishers' Favorites ...
8 months ago Darkreading.com
One Phish, Two Phish, Red Phish, Blue Phish - I sat down for a chat with George Skouroupathis, our phishing expert at Resonance Security. Phishing is often the first step taken by hackers in a larger scam. There are lots of different kinds of phishing attacks, but one of the most prevalent is ...
5 months ago Hackread.com
The European Space Agency Explores Cybersecurity for Space Industry - Cybersecurity for space missions is not optional and should be taken seriously. While Europe's burgeoning commercial space industry is facing some challenges, the European Space Agency is taking specific steps to boost defenses, such as planning to ...
11 months ago Darkreading.com
European firms urge China to give more clarity on data transfer laws - AP Moeller - Maersk A/S Siemens AG BEIJING, Nov 15 - European firms "Urgently" need China to give clearer definitions of key terms in its cross-border data transfer rules, a European business lobby group said on Wednesday, warning firms also stood to ...
11 months ago Reuters.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)