Russian APT28 hackers target high-value organizations with NTLM relay attacks


Russian state-sponsored actors conducted NT LAN Manager (NTLM) v2 hash relay attacks using a variety of methods from April 2022 to November 2023, targeting high-value targets around the world.

The attacks have been attributed to an “aggressive” hacking crew called APT28, which has set its sights on organizations involved in foreign affairs, energy, defense and transportation, as well as those involved in labor, social welfare, finance, parenting and local municipal councils.

Cybersecurity company Trend Micro assessed these intrusions to be a “cost-efficient method of automating attempts to brute-force access to the networks” of its targets, noting that the adversary may have compromised thousands of email accounts over time.

APT28 is also followed by the broader cybersecurity community under the names Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy and TA422.

The group, believed to have been active since 2009, is operated by Russia’s GRU military intelligence service and has a track record of orchestrating spear-phishing using malicious attachments or strategic web compromises to activate the infection chains.

In April 2023, APT28 was involved in attacks that used now-patched flaws in Cisco networking equipment to conduct reconnaissance and deploy malware against selected targets.

The nation-state actor came into the spotlight in December for exploiting a privilege escalation flaw in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) and WinRAR (CVE-2023-38831, CVSS score: 7.8) to obtain a user’s Net-NTLMv2 hash and use it in an NTLM relay attack against another service in order to authenticate as that user.
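As an added defender-side illustration (not from the article or Trend Micro’s report), the Python heuristic below triages Windows Security 4624 logon events for the inconsistency a relayed Net-NTLMv2 logon tends to leave behind: an NTLM network logon whose client-supplied workstation name does not match the host the source address is inventoried to. The field names follow the 4624 event schema; the events and the IP inventory are constructed sample data.

```python
"""Heuristic triage of Windows Security event 4624 records for possible NTLM
relay: a network (type 3) logon authenticated with NTLM whose client
WorkstationName does not match the host the source IP is inventoried to.
A relay replays a victim's Net-NTLMv2 response from the attacker's own
socket, so the two rarely agree. WorkstationName is client-supplied, so a
hit is a triage lead, not proof. Events and inventory are constructed."""

# Constructed asset inventory: hostname each managed IP is expected to present.
KNOWN_HOSTS = {"10.0.1.15": "WS-ALICE", "10.0.1.16": "WS-BOB"}

# Constructed 4624 events, reduced to the fields the heuristic uses.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetUserName": "alice",
     "WorkstationName": "WS-ALICE", "IpAddress": "10.0.1.15"},   # consistent
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetUserName": "alice",
     "WorkstationName": "WS-ALICE", "IpAddress": "10.0.1.16"},   # presented from Bob's IP
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V1", "TargetUserName": "svc-backup",
     "WorkstationName": "WS-ALICE", "IpAddress": "10.0.9.9"},    # unmanaged source, NTLMv1
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LmPackageName": "-", "TargetUserName": "bob",
     "WorkstationName": "WS-BOB", "IpAddress": "10.0.1.16"},     # Kerberos, out of scope
]

def suspect_reasons(event, inventory):
    """Return the list of reasons a 4624 event looks like a relayed NTLM logon."""
    if event.get("EventID") != 4624 or event.get("LogonType") != 3:
        return []                       # relay abuse surfaces as network logons
    if event.get("AuthenticationPackageName", "").upper() != "NTLM":
        return []                       # Kerberos logons are out of scope here
    if event.get("TargetUserName", "").upper() == "ANONYMOUS LOGON":
        return []                       # null sessions are noise for this check
    reasons = []
    if event.get("LmPackageName", "").upper() == "NTLM V1":
        reasons.append("NTLMv1 response (no channel binding possible)")
    ip, ws = event.get("IpAddress", ""), event.get("WorkstationName", "").upper()
    expected = inventory.get(ip)
    if expected is None:
        reasons.append(f"NTLM logon from uninventoried source {ip}")
    elif expected.upper() != ws:
        reasons.append(f"workstation {ws} presented from {ip}, inventoried as {expected}")
    return reasons

def triage(events, inventory):
    """Return (user, source_ip, reasons) for each event with at least one hit."""
    return [(ev["TargetUserName"], ev["IpAddress"], suspect_reasons(ev, inventory))
            for ev in events if suspect_reasons(ev, inventory)]

if __name__ == "__main__":
    for user, ip, reasons in triage(SAMPLE_EVENTS, KNOWN_HOSTS):
        print(f"{user} from {ip}: {'; '.join(reasons)}")
```

Hosts with several NICs or DHCP churn will produce false positives, so the inventory should come from an authoritative asset source rather than a static map.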

According to a March 2023 advisory from CERT-EU, an exploit for CVE-2023-23397 was allegedly used to attack Ukrainian entities as early as April 2022.

Decoys related to the ongoing war between Israel and Hamas have also been observed being used to facilitate the delivery of a customized backdoor called HeadLace, in addition to targeting Ukrainian government agencies and Polish organizations with phishing messages designed to deploy backdoors and information stealers such as OCEANMAP, MASEPIE and STEELHOOK.

One of the notable aspects of the threat actor’s attacks is its continued effort to improve its operational playbook by refining and tweaking its approaches to evade detection.


This includes the addition of anonymization layers such as VPN services, Tor, data center IP addresses, and compromised EdgeOS routers to perform scanning and probing activities. Another tactic is sending spearphishing messages from compromised email accounts via Tor or VPN.

“Pawn Storm also used EdgeOS routers to send spear-phishing emails, execute callbacks from CVE-2023-23397 exploits in Outlook, and steal proxy credentials on phishing websites,” said security researchers Feike Hacquebord and Fernando Merces.

“Part of the group’s post-exploitation activities includes changing folder permissions in the victim’s mailbox, leading to enhanced persistence,” the researchers said. “Using the victim’s email accounts, lateral movement is possible by sending additional malicious email messages from within the victim’s organization.”

It is currently unknown whether the threat actor itself breached these routers or is using routers that were already compromised by another actor. That said, it is estimated that no fewer than 100 EdgeOS routers are infected.

Additionally, recent credential harvesting campaigns against European governments have used fake login pages mimicking Microsoft Outlook, hosted on webhook[.]site URLs, a pattern previously attributed to the group.

Separately, an October 2022 phishing campaign singled out embassies and other high-profile entities to deliver a “simple” information stealer via emails that collected files with specific extensions and exfiltrated them to a free file-sharing service called Keep.sh.

“The loudness of the repetitive, often crude and aggressive campaigns drowns out the silence, subtlety and complexity of the initial breach, as well as the post-exploitation actions that could occur once Pawn Storm gains an initial foothold in victim organizations,” the researchers said.

The development comes as Recorded Future News revealed an ongoing hacking campaign undertaken by Russian threat actor COLDRIVER (aka Calisto, Iron Frontier or Star Blizzard) that poses as researchers and academics to redirect potential victims to credential-harvesting pages.
