Early this year, Ukrainian cybersecurity researchers found Fighting Ursa leveraging a zero-day exploit in Microsoft Outlook.
During this time, Fighting Ursa conducted at least two campaigns with this vulnerability that have been made public.
Unit 42 researchers discovered a third, recently active campaign in which Fighting Ursa also used this vulnerability.
The group conducted this most recent campaign between September and October 2023, targeting at least nine organizations in seven nations.
Across all three campaigns, the targeted organizations in 14 nations were all within NATO member countries, except for entities in Ukraine, Jordan and the United Arab Emirates.
Fighting Ursa is a group associated with Russia's military intelligence, and it is well known for its focus on targets of Russian interest, especially those of military interest.
We are publishing this research to highlight that Fighting Ursa used this vulnerability in multiple campaigns even after security industry research had publicized its tactics.
Prior to the conflict in Ukraine, Fighting Ursa had established a reputation for its hacking in support of Russia's information warfare operations.
Less widely known internationally are Fighting Ursa's hacking campaigns from the lead-up to Russia's invasion of Ukraine through today.
Three weeks later, Fighting Ursa emailed the first known instance of an exploit using the CVE-2023-23397 vulnerability to target the State Migration Service of Ukraine.
Figure 1 shows Fighting Ursa's last observed attempt to use CVE-2023-23397 in a message sent to a Montenegrin Ministry of Defense account on Oct. 11, 2023.
The NTLM authentication response is an NTLMv2 hash that Fighting Ursa uses to impersonate the victim, accessing and maneuvering within the victim's network.
The targeted victims in these campaigns are all of apparent intelligence value to the Russian military.
The campaigns all used co-opted Ubiquiti networking devices to harvest NTLM authentication messages from victim networks, which is consistent with previous Fighting Ursa campaigns.
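As an added example (not code from the Unit 42 report), one check a defender can run over firewall logs: CVE-2023-23397 causes Outlook to authenticate outbound to an attacker-specified server, so internal hosts opening SMB connections to external addresses are the signal to hunt for. The log format, field names, sample lines and the internal address ranges are all assumed and constructed here.

```python
"""Flag internal hosts reaching external SMB ports, the path by which
CVE-2023-23397 leaks NTLMv2 authentication.  The key=value log layout
below is hypothetical; adapt parse_line() to your firewall's format."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample log lines (not real traffic). Line 2/3: one host tries
# port 445 to an external address, first allowed then denied; line 5: port 139.
SAMPLE_LOGS = """\
ts=2023-10-11T09:14:02Z action=allow proto=tcp src=10.20.5.17 spt=51234 dst=10.20.1.5 dpt=445
ts=2023-10-11T09:14:03Z action=allow proto=tcp src=10.20.5.17 spt=51240 dst=203.0.113.44 dpt=445
ts=2023-10-11T09:14:05Z action=deny proto=tcp src=10.20.5.17 spt=51241 dst=203.0.113.44 dpt=445
ts=2023-10-11T09:15:10Z action=allow proto=tcp src=10.20.5.22 spt=51300 dst=198.51.100.9 dpt=443
ts=2023-10-11T09:16:00Z action=allow proto=tcp src=10.20.5.31 spt=51310 dst=192.0.2.77 dpt=139
"""

SMB_PORTS = {445, 139}
# Assumed: the organization's internal space is the RFC 1918 ranges.
# (Listed explicitly rather than via ipaddress.is_private, which also
# treats documentation ranges such as 203.0.113.0/24 as private.)
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict (empty dict on blank input)."""
    return dict(KV.findall(line))


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_smb_egress(log_text: str) -> List[Dict[str, str]]:
    """Return events where an internal source reaches an external SMB port.
    Denied attempts are kept too: a blocked connection still shows that
    something on the host tried to authenticate to an outside server."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev.get("proto") != "tcp" or int(ev["dpt"]) not in SMB_PORTS:
            continue
        if is_internal(ev["src"]) and not is_internal(ev["dst"]):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_smb_egress(SAMPLE_LOGS):
        print(f"{ev['ts']} {ev['src']} -> {ev['dst']}:{ev['dpt']} ({ev['action']})")
```

Internal-to-internal SMB (the first sample line) is normal file-share traffic and is deliberately not reported.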
Delving into more than 50 observed samples in which Fighting Ursa targeted victims with CVE-2023-23397 provides unique and informative insights into Russian military priorities during a period of international conflict for Russia.
Threat actors only use these exploits when the rewards associated with the access and intelligence gained outweigh the risk of public discovery of the exploit.
In the second and third campaigns, Fighting Ursa continued to use a publicly known exploit that was already attributed to them, without changing their techniques.
For these reasons, the organizations targeted in all three campaigns were most likely a higher than normal priority for Russian intelligence.
Other than Ukraine, all of the targeted European nations are current members of the North Atlantic Treaty Organization. Attackers targeted at least one NATO Rapid Deployable Corps. Outside of government organizations, attackers focused on targeting critical infrastructure-related organizations within the following sectors: Energy.
It is rare to have such a detailed understanding of an APT's targeting priorities, especially an APT like Fighting Ursa whose mission mandate is to conduct attacks on behalf of Russia's military.
This Cyber News was published on unit42.paloaltonetworks.com. Publication date: Thu, 07 Dec 2023 14:14:10 +0000