TA422 Hackers Attack Organizations Using Outlook & WinRAR Vulnerabilities

Attackers go after Outlook and WinRAR because both are deployed almost everywhere, so a single flaw in either gives a very large pool of potential victims.
A WinRAR vulnerability lets an attacker craft an archive that, when the victim opens it, executes malicious code on the victim's system.
Cybersecurity researchers at Proofpoint report that the TA422 APT group is actively exploiting both an Outlook and a WinRAR vulnerability against organizations.
Since March 2023, Proofpoint has observed the Russian APT TA422 using these already-patched vulnerabilities to target organizations in Europe and North America.
The TA422 APT group is linked to the following groups and tied to the Russian GRU by the US Intelligence Community:-.
Alongside its usual narrowly targeted operations, TA422 showed an unexpected surge in emails exploiting CVE-2023-23397, a Microsoft Outlook vulnerability, sending more than 10,000 messages to organizations across diverse sectors.
The TA422 operators also exploited a WinRAR vulnerability, CVE-2023-38831, in their campaigns.
TA422 launched massive campaigns in March 2023, exploiting CVE-2023-23397 against targets in:-.
Earlier, they targeted Ukrainian entities in April 2022 using the same exploit.
Proofpoint observed a significant surge in activity in late summer 2023, with more than 10,000 attempts to exploit the Microsoft Outlook vulnerability.
It is unclear whether this high-volume send was operator error or a deliberate effort to harvest target credentials.
TA422 re-targeted higher education and manufacturing users, suggesting these entities are priority targets.
In the late summer campaign, TA422 used an appointment attachment with a spoofed file extension that pointed Outlook at an SMB listener hosted on a compromised Ubiquiti router.
The router acted as an NTLM listener: when Outlook processed the attachment it authenticated to the listener automatically, and the router recorded the inbound NTLM credential hashes without any further interaction with the victim's network.
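The practical consequence of the mechanism above is that an exploited client opens an SMB (TCP 445, or NetBIOS 139) session from inside the network to an attacker-controlled host on the Internet, which is exactly what a perimeter log should never show. The following added example, which is not code from the article or from Proofpoint, scans constructed firewall log lines (the key=value layout is an assumption; adapt parse_line() to your own export) for outbound SMB to external addresses and groups the hits by source host. It also carries a small helper that pulls the host out of a UNC path of the form \\host\share\file, the shape of the reminder-file reference an exploit message points Outlook at, so the same external-host test can be applied to values recovered from mail content.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall export (not from the article). The key=value
# layout is an assumption; adapt parse_line() to your firewall's format.
SAMPLE_LOGS = """\
ts=2023-08-14T09:12:01Z src=10.20.1.55 dst=10.20.0.7 dport=445 proto=tcp action=allow
ts=2023-08-14T09:12:04Z src=10.20.1.55 dst=203.0.113.45 dport=445 proto=tcp action=allow
ts=2023-08-14T09:12:05Z src=10.20.1.55 dst=203.0.113.45 dport=443 proto=tcp action=allow
ts=2023-08-14T09:13:30Z src=10.20.1.90 dst=198.51.100.8 dport=139 proto=tcp action=allow
ts=2023-08-14T09:14:00Z src=10.20.1.90 dst=198.51.100.8 dport=445 proto=tcp action=deny
"""

# Ports an NTLM-over-SMB leak rides on.
SMB_PORTS = {445, 139}

# Address space that never counts as "external" for this check. Listed
# explicitly rather than via ipaddress.is_private/is_global, because those
# also treat the documentation ranges (203.0.113.0/24 etc.) used in the
# constructed sample as non-global and would hide the hits.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict (empty dict for junk lines)."""
    return dict(KV_RE.findall(line))


def is_external(ip_text):
    """True when the address parses and lies outside INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def unc_host(unc_path):
    r"""Return the host part of a UNC path such as \\203.0.113.45\share\r.wav,
    or None when the value is not a UNC path (e.g. a local C:\ path)."""
    m = re.match(r"^\\\\([^\\]+)\\", unc_path)
    return m.group(1) if m else None


def find_outbound_smb(log_text, allowed_only=True):
    """Return parsed records for SMB/NetBIOS sessions to external hosts.

    allowed_only=True keeps only sessions the firewall permitted, i.e. the
    ones where a credential hash could actually have left the network."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        try:
            port = int(rec["dport"])
        except (KeyError, ValueError):
            continue
        if port not in SMB_PORTS or not is_external(rec.get("dst", "")):
            continue
        if allowed_only and rec.get("action") != "allow":
            continue
        hits.append(rec)
    return hits


def by_source(hits):
    """Group flagged external destinations by internal source host for triage."""
    grouped = defaultdict(set)
    for rec in hits:
        grouped[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in grouped.items()}


if __name__ == "__main__":
    for src, dsts in by_source(find_outbound_smb(SAMPLE_LOGS)).items():
        print(f"{src} opened SMB to external host(s): {', '.join(dsts)}")
```

Denied sessions are still worth a look (allowed_only=False returns them too): a blocked outbound 445 from a workstation is evidence that something on that host tried to authenticate outward, even if no hash left the network.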
Proofpoint's tracking of Portugalmail addresses revealed more TA422 activity.
In September 2023, TA422 exploited the WinRAR vulnerability CVE-2023-38831 in two campaigns, each sent from a different Portugalmail address and spoofing a geopolitical entity.
Emails with BRICS Summit and European Parliament meeting subjects carried RAR attachments that dropped a .cmd file.
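The article does not explain how CVE-2023-38831 makes an archive drop and run a script; the public description of the bug (a decoy document sitting next to a directory whose name is the decoy's name plus a trailing space, holding a script that WinRAR runs when the user opens the decoy) is the basis of the check below. The following is an added example, not code from the article or from Proofpoint. The page says RAR attachments; Python's standard library builds only ZIP archives, which WinRAR also opens, so the constructed sample here is a ZIP with that layout and no payload (the .cmd entry just echoes). The scanner flags any archive entry that sits under a trailing-space directory matching a top-level file and carries an executable extension, which is the structural signature independent of the decoy's name.

```python
import io
import posixpath
import zipfile

# Extensions Windows would execute rather than display when the entry is opened.
SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".lnk"}


def build_sample_archive():
    """Constructed archive with the CVE-2023-38831 layout and no payload:
    a decoy document next to a directory named like the decoy plus a trailing
    space, holding a script whose name also starts with the decoy name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BRICS_summit_agenda.pdf", b"%PDF-1.4\n% constructed decoy\n")
        zf.writestr("BRICS_summit_agenda.pdf /BRICS_summit_agenda.pdf .cmd",
                    b"@echo off\r\necho constructed sample, does nothing\r\n")
    return buf.getvalue()


def build_clean_archive():
    """Constructed benign archive: a document and an ordinary subfolder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("agenda.pdf", b"%PDF-1.4\n")
        zf.writestr("notes/readme.txt", b"nothing to see\n")
    return buf.getvalue()


def find_decoy_pairs(zip_bytes):
    """Flag script entries stored under a directory whose name, minus trailing
    whitespace, equals a top-level file in the same archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [info.filename for info in zf.infolist() if not info.is_dir()]
    top_level_files = {n for n in names if "/" not in n}
    findings = []
    for name in names:
        if "/" not in name:
            continue
        directory, _, inner = name.partition("/")
        decoy = directory.rstrip()
        # Only a directory that differs from the decoy by trailing whitespace
        # produces the lookalike pair the vulnerability relies on.
        if decoy == directory or decoy not in top_level_files:
            continue
        ext = posixpath.splitext(inner.rstrip())[1].lower()
        if ext in SCRIPT_EXTS:
            findings.append({"decoy": decoy, "script": name})
    return findings


if __name__ == "__main__":
    for f in find_decoy_pairs(build_sample_archive()):
        print(f"decoy {f['decoy']!r} paired with script entry {f['script']!r}")
    print("clean archive findings:", find_decoy_pairs(build_clean_archive()))
```

Because the check keys on archive structure rather than on a subject line or file name, it survives the renaming TA422 did between the BRICS Summit and European Parliament lures; the mitigation that removes the issue entirely is updating WinRAR to a fixed build, since a scanner at the mail gateway only sees the attachments it is shown.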
Between September and November 2023, Proofpoint tracked further TA422 campaigns sent from Portugalmail addresses that used Mockbin for redirection.
In those campaigns, which targeted the government and defense sectors, Mockbin URLs redirected victims to domains hosted on InfinityFree.
Even though CVE-2023-23397 and CVE-2023-38831 were publicly disclosed and patched well before these campaigns, TA422 keeps exploiting them, which only works against organizations that have not yet applied the fixes.


This Cyber News was published on gbhackers.com. Publication date: Fri, 08 Dec 2023 06:43:05 +0000

