Hackers linked to Russia's military intelligence unit exploited previously patched Microsoft vulnerabilities in a massive phishing campaign against U.S. and European organizations in sectors such as government, aerospace, and finance across North America and Europe.
The advanced persistent threat group Fancy Bear has used phishing schemes in attacks before, but the number of emails it sent between August and November exploiting a flaw in Microsoft Outlook was a significant escalation, according to researchers with cybersecurity firm Proofpoint.
In a report this week, the researchers said Fancy Bear - also known as APT28, TA422, Forest Blizzard, Pawn Storm, and BlueDelta - sent more than 10,000 phishing emails from a single email provider in late summer and into the fall to targets in the defense, aerospace, technology, government, and manufacturing industries.
The threat actors also sent smaller volumes of emails to entities in the higher education, construction, and consulting sectors.
Proofpoint in March detected small numbers of phishing emails being sent that exploited the Outlook flaw - tracked as CVE-2023-23397 - an elevation-of-privilege vulnerability.
Fancy Bear began exploiting the CVE-2023-23397 flaw last year, using the zero-day exploit to gain initial access into targeted systems.
The threat group was detected using it in April 2022 to target organizations in Ukraine and later expanded its use into Europe.
Microsoft patched the vulnerability in March, but the hackers continued to use it against unpatched systems.
Over the last three months, the threat group also exploited another patched vulnerability - CVE-2023-38831 - a Microsoft WinRAR remote code execution flaw that lets attackers run arbitrary code if users try to open up a file within a ZIP archive.
According to Proofpoint, the Outlook flaw can be exploited without user interaction.
A tailored email is sent to a compromised system that directs traffic to an SMB listener hosted on a compromised Ubiquiti router, a tactic the group has used in the past.
The router is used to detect NTLM authentication and record credential hashes.
NTLM is a suite of security protocols from Microsoft used to authenticate a user's identity.
Fancy Bear can then use the stolen NTLM hashes to access email communications.
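Because the technique described above only works if the victim host can reach an attacker-controlled SMB listener, an allowed outbound SMB connection from an internal workstation to an external address is a detection signal worth hunting for. The following detector is an added example written for this article, not code from Proofpoint or the original report; it runs over constructed firewall log lines in an assumed format and treats the RFC 1918, loopback, and link-local ranges as the organization's internal space.

```python
import ipaddress
from collections import defaultdict

# Constructed sample firewall log lines (assumed format, not from the article).
# 203.0.113.77 plays the role of an external SMB listener reached by two hosts.
SAMPLE_LOGS = """\
2023-09-14T09:02:11Z ALLOW TCP 10.20.4.17:51234 -> 10.20.1.5:445
2023-09-14T09:02:13Z ALLOW TCP 10.20.4.17:51240 -> 203.0.113.77:445
2023-09-14T09:02:14Z ALLOW TCP 10.20.4.22:51301 -> 203.0.113.77:445
2023-09-14T09:03:01Z ALLOW TCP 10.20.4.17:51250 -> 198.51.100.9:443
2023-09-14T09:05:40Z DENY TCP 10.20.4.30:51311 -> 203.0.113.77:445
"""

SMB_PORTS = {445, 139}  # direct SMB and NetBIOS session service
# Assumed internal address space; adjust to the organization's own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def parse_line(line):
    """Split one log line into its fields: time, action, proto, src, dst."""
    ts, action, proto, src, _arrow, dst = line.split()
    src_ip, _src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "action": action, "proto": proto,
            "src_ip": src_ip, "dst_ip": dst_ip, "dst_port": int(dst_port)}

def is_internal(ip):
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_outbound_smb(log_text):
    """Return allowed SMB connections from internal hosts to external addresses."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if (rec["dst_port"] in SMB_PORTS and rec["action"] == "ALLOW"
                and is_internal(rec["src_ip"]) and not is_internal(rec["dst_ip"])):
            hits.append(rec)
    return hits

def listeners_by_victim(hits):
    """Group hits by external destination: several internal sources reaching the
    same external SMB endpoint is the shape of a shared credential-capture listener."""
    victims = defaultdict(set)
    for rec in hits:
        victims[rec["dst_ip"]].add(rec["src_ip"])
    return {dst: sorted(srcs) for dst, srcs in victims.items()}

if __name__ == "__main__":
    for dst, srcs in listeners_by_victim(find_outbound_smb(SAMPLE_LOGS)).items():
        print(f"external SMB listener {dst} reached by {len(srcs)} host(s): {srcs}")
```

Denied connections are deliberately excluded from the hit list but are still useful as evidence that a message triggered a connection attempt, so a production version would report them separately.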
Microsoft updated its March advisory this month to say that Fancy Bear - which the company calls Forest Blizzard - is continuing to exploit CVE-2023-23397 to get access into email accounts on Exchange servers and to urge users to ensure Outlook is patched.
With the WinRAR flaw, Fancy Bear sent malicious emails through Portugalmail, an email service in that country, in two campaigns.
The emails spoofed geopolitical entities and used the BRICS Summit in South Africa and a meeting of the European Parliament as lures to entice users to open the messages.
As with the other campaign, the goal was to grab NTLM hashes.
The server responds with a request for NTLM authentication methods, and the compromised device then sends sensitive NTLM information in the Authorization header.
Proofpoint also found Fancy Bear phishing campaigns over the past three months using Mockbin, a legitimate tool developers use to mock code for testing purposes, targeting organizations in the government and defense sectors with emails enticing users to download ZIP archives that housed malicious.
This Cyber News was published on securityboulevard.com. Publication date: Wed, 06 Dec 2023 16:43:05 +0000