Russian-Backed Hackers Target High-Value US, European Entities

Hackers linked to Russia’s military intelligence unit exploited previously patched Microsoft vulnerabilities in a massive phishing campaign against U.S. and European organizations in such vectors as government, aerospace, and finance across North America and Europe.

The advanced persistent threat (APT) group Fancy Bear has used phishing schemes in attacks before, but the number of emails it sent between August and November exploiting a flaw in Microsoft Outlook was a significant escalation, according to researchers with cybersecurity firm Proofpoint.

In a report this week, the researchers said Fancy Bear – also known as APT28, TA422, Forest Blizzard, Pawn Storm, Fancy Bear, and BlueDelta – sent more than 10,000 phishing emails from a single email provider in late summer and into the fall to targets in the defense, aerospace, technology, government, and manufacturing industries. The threat actors also sent smaller volumes of emails to entities in the higher education, construction, and consulting sectors.

Proofpoint in March detected ismall numbers of phishing emails being sent that exploited the Outlook flaw – tracked as CVE-2023-23397 – which allows an elevation of privileges.

“The first surge in activity caught our attention partly due to all the emails pointing to the same listener server, but mostly due to the volume,” Proofpoint threat intelligence researchers Greg Lesnewich and Crista Giering wrote. “This campaign was very large compared to typical state-aligned espionage campaign activity Proofpoint tracks. … It is unclear if this was operator error or an informed effort to collect target credentials.”

Taking Second Shots at Victims

They noted that Fancy Bear – which is linked to Russia’s GRU agency – during the late-summer surge hit targets in higher education and manufacturing that they had previously targeted in March.

“It is unclear why TA422 re-targeted these entities with the same exploit,” they wrote. “Based upon the available campaign data, Proofpoint suspects that these entities are priority targets and as a result, the threat actor attempted broad, lower effort campaigns regularly to try and gain access.”

Fancy Bear began exploiting the CVE-2023-23397 flaw last year, using the zero-day exploit to gain initial access into targeted systems. The threat group was detected using it in April 2022 to target organizations in Ukraine and later expanded its use into Europe.

Microsoft patched the vulnerability in March, but the hackers continued to use it against unpatched systems. It began abusing it for the current phishing campaigns in March, increasingly ramping up its use in August, September, and October. The exploit of the flaw dropped sharply last month.

Over the last three months, the threat group also exploited another patched vulnerability – CVE-2023-38831 – a Microsoft WinRAR remote code execution (RCE) flaw that lets attackers run arbitrary code if users try to open up a file within a ZIP archive.

No User Interaction Needed

According to Proofpoint, the Outlook flaw can be exploited without user interaction. A tailored email is sent to a compromised system that directs traffic to an SMB listener hosted on a compromised Ubiquiti router, a tactic the group has used in the past. SMB is a network file-sharing protocol.

The router is used to detect NTLM authentication and record credential hashes. NTLM is a suite of security protocols from Microsoft used to authenticate user’s identity. Fancy Bear can then use the stolen NTLM hashes to access email communications.

Microsoft updated its March advisory this month to say that Fancy Bear – which the company calls Forest Blizzard – is continuing to exploit CVE-2023-23397 to get access into email accounts on Exchange servers and to urge users to ensure Outlook is patched.

The Polish Cyber Command, which investigated the attacks with Microsoft, wrote in its own advisory that public and private entities in the country were among Fancy Bear’s victims, with folders permissions being modified in “mailboxes that were high-value information targets for the adversary.”

WinRAR Also Plays a Part

With the WinRAR flaw, Fancy Bear sent malicious emails through Portugalmail, an email service in that country, in two campaigns. The emails spoofed geopolitical entities and used the BRICS (Brazil, Russia, India, China, and South Africa) Summit in South Africa and a meeting of the European Parliament as lures to entice users to open the messages.

As with the other campaign, the goal was to grab NTLM hashes. This was done by including RAR file attachments that exploited the CVE-2023-32231 flaw to drop a .cmd file to start communications to a Responder listener server.

“The .cmd file attempted to modify proxy settings in registry, download a lure document, and beacon to an IP-literal Responder server,” Proofpoint’s Lesnewich and Giering wrote.

The server responded with a request for NTLM methods for authentication and the compromised device would send sensitive NTLM information stored in the Authorization header.

“As NTLM credentials are exchanged, the victim device sent information including host and usernames in base64 encoded Authorization headers,” the wrote. “It is likely the Responder server was a compromised Fortigate FortiOS Firewall based on HTTP response headers and SSL certificates assigned to the server. While the NTLM credential exchange occurred in the background, a second tab was opened by the .cmd that browsed to a legitimate Europa PDF file and displayed it to convince the user that the activity was legitimate.”

Proofpoint also found Fancy Bear phishing campaigns over the past three months using Mockbin, a legitimate tool used by developers to mock code for testing purposes and targeting organizations in the government and defense sectors with emails enticing users to download ZIP archives that housed malicious .cmd files. The threat group has used Mockbin before in previous attacks.

The hackers moved from Mockbin last month to InfinityFree URLs that led to similar attacks.

Avatar photo

Jeffrey Burt

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He’s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.

jeffrey-burt has 271 posts and counting.See all posts by jeffrey-burt