The Russian APT28 hacking group has been targeting government entities, businesses, universities, research institutes, and think tanks in France since the second half of 2021.

The threat group, which is considered part of Russia's military intelligence service GRU, was recently linked to the exploitation of CVE-2023-38831, a remote code execution vulnerability in WinRAR, and CVE-2023-23397, a zero-day privilege elevation flaw in Microsoft Outlook.

The Russian hackers have been compromising peripheral devices on critical networks of French organizations and moving away from utilizing backdoors to evade detection.

This is according to a newly published report from ANSSI, the French National Agency for the Security of Information Systems, that conducted investigations on the activities of the cyber-espionage group.

ANSSI has mapped the TTPs of APT28, reporting that the threat group uses brute-forcing and leaked databases containing credentials to breach accounts and Ubiquiti routers on targeted networks.

Between March 2022 and June 2023, APT28 sent emails to Outlook users that exploited the then zero-day vulnerability now tracked as CVE-2023-23397, placing the initial exploitation a month earlier than what was recently reported.

The tools used in the first stages of the attacks include the Mimikatz password extractor and the reGeorg traffic relaying tool, as well as the Mockbin and Mocky open-source services.

ANSSI also reports that APT28 uses a range of VPN clients, including SurfShark, ExpressVPN, ProtonVPN, PureVPN, NordVPN, CactusVPN, WorldVPN, and VPNSecure.

As a cyber-espionage group, data access and exfiltration are at the core of Strontium's operational goals. ANSSI has observed the threat actors retrieving authentication information using native utilities and stealing emails containing sensitive information and correspondence.
Specifically, the attackers exploit CVE-2023-23397 to trigger an SMB connection from the targeted accounts to a service under their control, allowing the retrieval of the NetNTLMv2 authentication hash, which can be used on other services, too.

APT28's command and control server infrastructure relies on legitimate cloud services, such as Microsoft OneDrive and Google Drive, to make the exchange less likely to raise any alarms by traffic monitoring tools.

Finally, ANSSI has seen evidence that the attackers collect data using the CredoMap implant, which targets information stored in the victim's web browser, such as authentication cookies. Mockbin and the Pipedream service are also involved in the data exfiltration process.

ANSSI emphasizes a comprehensive approach to security, which entails assessing risks. In the case of the APT28 threat, focusing on email security is crucial.

For more details on ANSSI's findings and defense tips, check out the full report.
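The NetNTLMv2 leak described above only works if the victim's Outlook client can actually open an SMB connection to an external host, so a simple detection is to hunt firewall or netflow records for outbound 445/139 traffic leaving the internal ranges. The following is an added example, not code from the ANSSI report or from BleepingComputer; the log line format and the internal address ranges are assumptions, and the log lines are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed firewall/netflow-style records (not from the ANSSI report).
# Assumed field order: timestamp src_ip dst_ip dst_port proto action
SAMPLE_LOGS = """\
2023-04-12T09:14:03Z 10.20.5.17 10.20.5.2 445 tcp allow
2023-04-12T09:14:05Z 10.20.5.17 198.51.100.23 445 tcp allow
2023-04-12T09:15:11Z 10.20.5.41 203.0.113.9 443 tcp allow
2023-04-12T09:16:40Z 10.20.5.41 203.0.113.77 445 tcp deny
2023-04-12T09:17:02Z 10.20.5.58 192.0.2.10 139 tcp allow
"""

SMB_PORTS = {445, 139}

# Assumed definition of "internal": RFC 1918 space plus loopback. Adjust per site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Alert:
    timestamp: str
    src_ip: str
    dst_ip: str
    dst_port: int
    action: str


def is_external(ip: str) -> bool:
    """True when the address is not inside any of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_smb_egress(log_text: str) -> list[Alert]:
    """Flag every internal host attempting SMB (445/139) to an external address.
    Denied attempts are kept on purpose: a blocked connection still shows that a
    message able to trigger the SMB callback reached a user's mailbox."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed records rather than fail the whole sweep
        ts, src, dst, port, proto, action = parts
        if proto != "tcp" or int(port) not in SMB_PORTS or not is_external(dst):
            continue
        alerts.append(Alert(ts, src, dst, int(port), action))
    return alerts
```

Running `find_smb_egress(SAMPLE_LOGS)` on the constructed records yields three alerts (two allowed, one denied); the internal-to-internal SMB session and the HTTPS connection are ignored.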
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000