Russian-Backed Hackers Target High-Value US, European Entities

Hackers linked to Russia's military intelligence unit exploited previously patched Microsoft vulnerabilities in a massive phishing campaign against U.S. and European organizations in such vectors as government, aerospace, and finance across North America and Europe.
The advanced persistent threat group Fancy Bear has used phishing schemes in attacks before, but the number of emails it sent between August and November exploiting a flaw in Microsoft Outlook was a significant escalation, according to researchers with cybersecurity firm Proofpoint.
In a report this week, the researchers said Fancy Bear - also known as APT28, TA422, Forest Blizzard, Pawn Storm, Fancy Bear, and BlueDelta - sent more than 10,000 phishing emails from a single email provider in late summer and into the fall to targets in the defense, aerospace, technology, government, and manufacturing industries.
The threat actors also sent smaller volumes of emails to entities in the higher education, construction, and consulting sectors.
Proofpoint in March detected ismall numbers of phishing emails being sent that exploited the Outlook flaw - tracked as CVE-2023-23397 - which allows an elevation of privileges.
Fancy Bear began exploiting the CVE-2023-23397 flaw last year, using the zero-day exploit to gain initial access into targeted systems.
The threat group was detected using it in April 2022 to target organizations in Ukraine and later expanded its use into Europe.
Microsoft patched the vulnerability in March, but the hackers continued to use it against unpatched systems.
Over the last three months, the threat group also exploited another patched vulnerability - CVE-2023-38831 - a Microsoft WinRAR remote code execution flaw that lets attackers run arbitrary code if users try to open up a file within a ZIP archive.
According to Proofpoint, the Outlook flaw can be exploited without user interaction.
A tailored email is sent to a compromised system that directs traffic to an SMB listener hosted on a compromised Ubiquiti router, a tactic the group has used in the past.
The router is used to detect NTLM authentication and record credential hashes.
NTLM is a suite of security protocols from Microsoft used to authenticate user's identity.
Fancy Bear can then use the stolen NTLM hashes to access email communications.
Microsoft updated its March advisory this month to say that Fancy Bear - which the company calls Forest Blizzard - is continuing to exploit CVE-2023-23397 to get access into email accounts on Exchange servers and to urge users to ensure Outlook is patched.
With the WinRAR flaw, Fancy Bear sent malicious emails through Portugalmail, an email service in that country, in two campaigns.
The emails spoofed geopolitical entities and used the BRICS Summit in South Africa and a meeting of the European Parliament as lures to entice users to open the messages.
As with the other campaign, the goal was to grab NTLM hashes.
The server responded with a request for NTLM methods for authentication and the compromised device would send sensitive NTLM information stored in the Authorization header.
Proofpoint also found Fancy Bear phishing campaigns over the past three months using Mockbin, a legitimate tool used by developers to mock code for testing purposes and targeting organizations in the government and defense sectors with emails enticing users to download ZIP archives that housed malicious.


This Cyber News was published on securityboulevard.com. Publication date: Wed, 06 Dec 2023 16:43:05 +0000


Cyber News related to Russian-Backed Hackers Target High-Value US, European Entities

Russian military hackers target NATO fast reaction corps - Russian APT28 military hackers used Microsoft Outlook zero-day exploits to target multiple European NATO member countries, including a NATO Rapid Deployable Corps. Researchers from Palo Alto Networks' Unit 42 have observed them exploiting the ...
10 months ago Bleepingcomputer.com
FSB arrests Russian hackers working for Ukrainian cyber forces - The Russian Federal Security Service arrested two individuals believed to have helped Ukrainian forces carry out cyberattacks to disrupt Russian critical infrastructure targets. Both suspects were taken into custody one same day in two different ...
10 months ago Bleepingcomputer.com
Russian hackers use Ngrok feature and WinRAR exploit to attack embassies - After Sandworm and APT28, another state-sponsored Russian hacker group, APT29, is leveraging the CVE-2023-38831 vulnerability in WinRAR for cyberattacks. APT29 is tracked under different names and has been targeting embassy entities with a BMW car ...
10 months ago Bleepingcomputer.com
Poland says Russian military hackers target its govt networks - Poland says a state-backed threat group linked to Russia's military intelligence service has been targeting Polish government institutions throughout the week. According to evidence found by CSIRT MON, the country's Computer Security Incident ...
5 months ago Bleepingcomputer.com
Russian hackers wiped thousands of systems in KyivStar attack - The Russian hackers behind a December breach of Kyivstar, Ukraine's largest telecommunications service provider, have wiped almost all systems on the telecom operator's network. Following the incident, Kyivstar's mobile and data services went down, ...
9 months ago Bleepingcomputer.com
Microsoft Cloud Users Store Personal Data In Europe - In effort to resolve privacy worries, Microsoft is to allow its cloud customers to store all personal data within EU. Microsoft has confirmed that it will allow cloud customers to store all their personal data within the European Union, in an effort ...
8 months ago Silicon.co.uk
Google links WinRAR exploitation to Russian, Chinese state hackers - Google says that several state-backed hacking groups have joined ongoing attacks exploiting a high-severity vulnerability in WinRAR, a compression software used by over 500 million users, aiming to gain arbitrary code execution on targets' systems. ...
10 months ago Bleepingcomputer.com
Russian hackers stole Microsoft corporate emails in month-long breach - Microsoft disclosed Friday night that some of its corporate email accounts were breached and data stolen by the Russian state-sponsored hacking group Midnight Blizzard. The company detected the attack on January 12th, with Microsoft initiating its ...
8 months ago Bleepingcomputer.com
Russian hackers stole Microsoft corporate emails in month-long breach - Microsoft disclosed Friday night that some of its corporate email accounts were breached and data stolen by the Russian state-sponsored hacking group Midnight Blizzard. The company detected the attack on January 12th, with Microsoft initiating its ...
8 months ago Bleepingcomputer.com
HPE: Russian hackers breached its security team's email accounts - Hewlett Packard Enterprise disclosed today that suspected Russian hackers known as Midnight Blizzard gained access to the company's Microsoft Office 365 email environment to steal data from its cybersecurity team and other departments. Midnight ...
8 months ago Bleepingcomputer.com
CISA: Russian hackers target TeamCity servers since September - CISA and partner cybersecurity agencies and intelligence services warned that the APT29 hacking group linked to Russia's Foreign Intelligence Service has been targeting unpatched TeamCity servers in widespread attacks since September 2023. APT29 is ...
9 months ago Bleepingcomputer.com
Ukraine says it hacked Russian aviation agency, leaks data - Ukraine's intelligence service, operating under the Defense Ministry, claims they hacked Russia's Federal Air Transport Agency, 'Rosaviatsia,' to expose a purported collapse of Russia's aviation sector. Rosaviatsia is the agency responsible for ...
10 months ago Bleepingcomputer.com
Who Is Behind Pro-Ukrainian Cyberattacks on Iran? - COMMENTARY. Ukrainian cyber forces have attacked Russian infrastructure and assets almost since the first day of the Russian invasion of Ukraine on Feb. 24, 2022. While its mainstay is denial-of-service attacks that have knocked out the Russian ...
8 months ago Darkreading.com
FBI disrupts Moobot botnet used by Russian military hackers - The FBI took down a botnet of small office/home office routers used by Russia's Main Intelligence Directorate of the General Staff in spearphishing and credential theft attacks targeting the United States and its allies. This network of hundreds of ...
7 months ago Bleepingcomputer.com
7th Cybersecurity Forum: Power grids cybersecurity ascending to prominence — ENISA - 7th Cybersecurity Forum: Power grids cybersecurity ascending to prominence The Association of European Distribution System Operators (E.DSO), the European Energy Information Sharing and Analysis Centre (EE-ISAC), the European Network for Cyber ...
1 week ago Enisa.europa.eu
Russian-Backed Hackers Target High-Value US, European Entities - Hackers linked to Russia's military intelligence unit exploited previously patched Microsoft vulnerabilities in a massive phishing campaign against U.S. and European organizations in such vectors as government, aerospace, and finance across North ...
10 months ago Securityboulevard.com
Ukrainian military says it hacked Russia's federal tax agency - The Ukrainian government's military intelligence service says it hacked the Russian Federal Taxation Service, wiping the agency's database and backup copies. Following this operation, carried out by cyber units within Ukraine's Defense Intelligence, ...
9 months ago Bleepingcomputer.com
Cyber Insights 2023: The Geopolitical Effect - The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs. The Russia/Ukraine war that started in early 2022 has been mirrored by a ...
1 year ago Securityweek.com
Russian military hackers target Ukraine with new MASEPIE malware - Ukraine's Computer Emergency Response Team is warning of a new phishing campaign that allowed Russia-linked hackers to deploy previously unseen malware on a network in under one hour. APT28, aka Fancy Bear or Strontium, is a Russian state-sponsored ...
9 months ago Bleepingcomputer.com
Third Of European Businesses Have Adopted AI, AWS - AWS finds AI already adopted at sizeable number of European businesses, resulting in increased revenues, productivity. An insight into the adoption rate of artificial intelligence within the business community has been offered in a new report from ...
8 months ago Silicon.co.uk
Feds arrest Russians accused of tech smuggling operation The Register - Three Russian nationals were arrested in New York yesterday on charges of moving electronics components worth millions to sanctioned entities in Russia, pieces of which were later recovered on battlefields in Ukraine. Nikolay Goltsev, a ...
10 months ago Theregister.com
Ukrainian activists hack Trigona ransomware gang, wipe servers - A group of cyber activists under the Ukrainian Cyber Alliance banner has hacked the servers of the Trigona ransomware gang and wiped them clean after copying all the information available. The Ukrainian Cyber Alliance fighters say they exfiltrated ...
10 months ago Bleepingcomputer.com
Microsoft reveals how hackers breached its Exchange Online accounts - Microsoft confirmed that the Russian Foreign Intelligence Service hacking group, which hacked into its executives' email accounts in November 2023, also breached other organizations as part of this malicious campaign. On January 12, 2024, Microsoft ...
8 months ago Bleepingcomputer.com
US sanctions Russian for cleaning Ryuk's and oligarchs' cash The Register - A Russian woman the US accuses of being a career money launderer is the latest to be sanctioned by the country for her alleged role in moving hundreds of millions of dollars on behalf of oligarchs and ransomware criminals. Among these was her alleged ...
10 months ago Theregister.com
Detained Russian student allegedly helped Ukrainian hackers with cyberattacks - A Russian tech student could face treason charges for helping Ukrainian hackers carry out cyberattacks against Russia. A resident of the Siberian city of Tomsk, Seymour Israfilov was detained by Russian security services in October, but little ...
8 months ago Therecord.media

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)