Advanced persistent threat group APT28 is behind ongoing campaigns to steal sensitive government and corporate information.
The threat group is reportedly abusing unpatched instances of a Microsoft Exchange flaw patched nine months ago, according to researchers.
Microsoft incident response researchers and Poland's Cyber Command have blamed APT28 for attacks on Exchange servers in the U.S., Europe and the Middle East that exploited a critical elevation of privilege vulnerability, tracked as CVE-2023-23397.
A patch for the vulnerability, which has a CVSS v3 score of 9.8, was released in March.
Researchers warned at the time that the flaw could pose a significant threat to organizations if it was not mitigated.
Exploitation of the vulnerability involves threat actors sending a specially crafted message to a target's Exchange account.
APT28 has been involved in espionage-focused activities since at least 2019 and has been linked to Russia by U.S. and UK intelligence agencies.
In a Dec. 4 update to a March advisory on CVE-2023-23397, Microsoft's incident response team said they had partnered with the Polish Cyber Command to mitigate techniques used by APT28 in the EoP attacks.
The updated post listed several other vulnerabilities APT28 had been found to be exploiting, including a patched WinRAR vulnerability, CVE-2023-38831.
Microsoft said the group had been leveraging CVE-2023-38831 since at least September to carry out spear-phishing attacks, mainly against Ukrainian government targets.
In a separate post, Polish Cyber Command said it had developed a set of tools that ran on the Exchange environment to identify and mitigate compromises by APT28 that were initiated either through exploitation of CVE-2023-23397 or through brute force attacks.
Microsoft said security teams should ensure Outlook was patched and kept up-to-date to mitigate the threat from APT28.
This Cyber News was published on packetstormsecurity.com. Publication date: Wed, 06 Dec 2023 15:28:05 +0000