
Russia’s Fancy Bear launches mass credential harvesting campaigns

A threat group linked to the Russian military intelligence service was behind a number of mass attack campaigns that exploited known flaws in Outlook and WinRAR to collect Windows NTLM credential hashes from organizations in Europe and North America. The high volume of emails is unusual for cyberespionage groups, which are typically highly targeted in their victim selection.

“Proofpoint observed a significant deviation from expected volumes of emails sent in campaigns exploiting CVE-2023-23397 — a Microsoft Outlook elevation of privilege vulnerability,” researchers from security firm Proofpoint said in a report. “This included over 10,000 emails sent from the adversary, from a single email provider, to defense, aerospace, technology, government, and manufacturing entities, and, occasionally, included smaller volumes at higher education, construction, and consulting entities.”

The CVE-2023-23397 vulnerability was patched by Microsoft in March after APT28, also known as Fancy Bear, exploited it for nearly a year as a zero-day in attacks against organizations from the government, military and energy sectors. The attacks managed to fly under the radar because of their highly targeted nature.


The vulnerability is described as an elevation of privilege flaw but can be exploited without user interaction to trick the Microsoft Outlook desktop client into initiating an SMB connection to a remote attacker-controlled server. Since SMB is a file-sharing protocol for Windows networks, the callbacks include an NTLM authentication attempt in which the user’s hashed NTLM credentials are sent to the attacker’s server.
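The behaviour described above gives defenders a concrete thing to look for: the Outlook process itself opening an SMB connection to a host outside the corporate address space. The following script is an added illustration, not code from the article or from Proofpoint; it runs a simple detection over constructed, Sysmon-style network connection log lines (the field names and sample addresses are assumptions made for the example) and flags Outlook connections on SMB ports to addresses outside RFC 1918, loopback and link-local ranges.

```python
"""Flag Outlook-initiated SMB connections to non-internal hosts.

Added example with constructed log lines; not data from the article.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample events, loosely modelled on Sysmon Event ID 3
# (network connection) fields. The paths and addresses are made up.
SAMPLE_EVENTS = [
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE DestinationIp=10.20.30.40 DestinationPort=445",
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE DestinationIp=203.0.113.25 DestinationPort=445",
    "Image=C:\\Windows\\explorer.exe DestinationIp=192.168.1.5 DestinationPort=445",
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE DestinationIp=198.51.100.7 DestinationPort=80",
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE DestinationIp=203.0.113.25 DestinationPort=443",
]

# SMB over TCP (445) and legacy NetBIOS session service (139).
SMB_PORTS = {445, 139}

# Address ranges treated as "internal" for this check: RFC 1918, loopback
# and link-local. Anything else is treated as external.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# key=value pairs; values may contain spaces (Windows paths), so a value
# runs until the next " key=" or the end of the line.
FIELD_RE = re.compile(r"(\w+)=(.+?)(?=\s\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one log line into a field dictionary."""
    return dict(FIELD_RE.findall(line))


def is_external(ip_str: str) -> bool:
    """True unless the address falls inside one of INTERNAL_NETS."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)


def find_suspicious_smb(lines: List[str]) -> List[Dict[str, str]]:
    """Return events where OUTLOOK.EXE talks SMB to an external host."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get("Image", "").lower()
        port = int(ev.get("DestinationPort", "0"))
        if not image.endswith("outlook.exe") or port not in SMB_PORTS:
            continue
        if is_external(ev.get("DestinationIp", "0.0.0.0")):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_smb(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} -> {hit['DestinationIp']}:{hit['DestinationPort']}")
```

Only the second sample line is reported: the first goes to an internal address, the third is not Outlook, and the remaining two are not on SMB ports. In a real deployment the internal ranges would be the organisation's own, and a hit is a triage signal rather than proof of exploitation, since legitimate external file shares do exist.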

The theft of NTLM hashes enables a type of attack known as NTLM relay or pass-the-hash, in which an attacker tricks a computer into sending its hash and then passes it to another legitimate service that will accept that authentication.

According to Proofpoint, after Microsoft patched the vulnerability in March, APT28 continued to use it in attacks and even ramped up the scale of its campaigns. The malicious emails had a subject of “Test meeting” and contained a specially crafted file in the Transport Neutral Encapsulation Format (TNEF) with a fake CSV, Excel, or Word document extension.
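A TNEF file that carries a CSV, Excel or Word extension is a mismatch that mail gateways and triage scripts can detect from the first four bytes alone. The script below is an added example, not code from the article or from Proofpoint: it checks constructed sample attachments (names and contents made up for the illustration) for the TNEF signature and flags any whose extension does not match.

```python
"""Flag attachments that are TNEF containers disguised with another extension.

Added example with constructed sample attachments; not data from the article.
"""
import struct
from typing import List, Tuple

# TNEF files begin with the 32-bit little-endian value 0x223E9F78
# (bytes 78 9F 3E 22 on disk).
TNEF_SIGNATURE = 0x223E9F78

# Extensions under which a TNEF container is normally seen; anything
# else is treated as a disguise.
TNEF_EXTENSIONS = {"dat"}

# Constructed attachments: (filename, leading bytes of the content).
SAMPLE_ATTACHMENTS: List[Tuple[str, bytes]] = [
    ("report.csv", struct.pack("<I", TNEF_SIGNATURE) + b"\x00\x00"),
    ("figures.xlsx", b"PK\x03\x04" + b"\x00" * 4),          # real OOXML zip header
    ("notes.docx", struct.pack("<I", TNEF_SIGNATURE) + b"\x01\x00"),
    ("winmail.dat", struct.pack("<I", TNEF_SIGNATURE)),      # ordinary TNEF attachment
    ("plain.csv", b"name,value\r\n"),
]


def is_tnef(data: bytes) -> bool:
    """True if the data starts with the TNEF signature."""
    return len(data) >= 4 and struct.unpack("<I", data[:4])[0] == TNEF_SIGNATURE


def extension_of(name: str) -> str:
    """Lower-cased extension without the dot, or '' if there is none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def flag_disguised_tnef(attachments: List[Tuple[str, bytes]]) -> List[str]:
    """Return names of attachments that are TNEF but claim another type."""
    flagged = []
    for name, head in attachments:
        if is_tnef(head) and extension_of(name) not in TNEF_EXTENSIONS:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name in flag_disguised_tnef(SAMPLE_ATTACHMENTS):
        print(f"SUSPICIOUS: {name} is a TNEF container with a mismatched extension")
```

On the sample set, report.csv and notes.docx are flagged, while winmail.dat (a normal TNEF attachment) and the genuine CSV and OOXML files pass. The check identifies the disguise, not the exploit payload inside it, so flagged files still need to be examined or quarantined rather than treated as confirmed malicious.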
