A threat group linked to the Russian military has carried out several large attack campaigns exploiting known flaws in Microsoft Outlook and WinRAR, according to researchers at the cybersecurity firm Proofpoint. Since March 2023, Proofpoint has tracked activity by TA422, also known as APT28 or Fancy Bear, in which the threat actor used these vulnerabilities to run high-volume campaigns against targets in Europe and North America, the researchers wrote. The actor used the vulnerabilities for initial access into the government, aerospace, education, finance, manufacturing and technology sectors, either to disclose user credentials or to launch follow-on activity, they said.
The vulnerabilities exploited are CVE-2023-23397, a Microsoft Outlook elevation-of-privilege flaw that lets a threat actor use a TNEF file to trigger NT LAN Manager (NTLM) authentication to an attacker-controlled server, and CVE-2023-38831, a WinRAR flaw that allows remote code execution: when a user tries to view a benign-looking file inside an archive, arbitrary code is executed instead.
Threat group exploits Microsoft Outlook vulnerability
Proofpoint saw a "significant deviation" from the expected volume of email sent to exploit CVE-2023-23397. "This included over 10,000 emails sent from a single email provider to defense, aerospace, technology, government and manufacturing entities and, occasionally, smaller segments of higher education, construction and consulting entities," they wrote.
In the campaign Proofpoint observed, researchers initially saw a small number of emails attempting to exploit this vulnerability. "The first spike in activity pointed to the same listener server, which partially caught our attention because of all the emails, but mostly because of the volume." The team said the campaign was much larger than typical state-sponsored espionage activity. "Proofpoint observed over 10,000 repeated attempts to exploit the Microsoft Outlook vulnerability, targeting the same accounts daily during late summer 2023. It is unclear whether this was operator error or an informed effort to collect target credentials." TA422 re-targeted several higher education and manufacturing users that had previously been targeted in March 2023. "Based on the available campaign data, Proofpoint suspects these entities are priority targets and, as a result, the threat actor attempted broad, lower-effort campaigns regularly to try and gain access," the researchers said.
WinRAR vulnerability exploited to extract credentials and information
In September 2023, TA422 sent malicious emails from different Portugalmail addresses in two separate campaigns exploiting the WinRAR vulnerability (CVE-2023-38831), according to the researchers. "Email subjects spoofed geopolitical entities and used the BRICS Summit and a European Parliament meeting as lures to entice targets to open the emails." The researchers noted that the threat actor used the WinRAR vulnerability to initiate remote code execution, aiming to extract NTLM credentials and information about the victim systems.
The messages carried a RAR attachment that exploited CVE-2023-38831 to drop a .cmd file, which works much like a batch file, to initiate communication with a Responder listener server. The file attempted to modify the proxy settings in the registry, downloaded a lure document and began beaconing to an IP-literal Responder server. "This was distinct from previously reported TA422 activity," the researchers said.
When the file initiated the HTTP connection to the Responder server, the server replied with a 401 status code including a WWW-Authenticate header requesting NTLM authentication. "In turn, the victim machine included sensitive NTLM information in its subsequent requests, stored in the Authorization header. As the NTLM credentials were exchanged, the victim machine sent information including the host and user names in the Base64-encoded Authorization header."
The researchers could not explain why TA422 continued to use publicly disclosed and patched vulnerabilities in its phishing operations. However, since the group has relied heavily on exploiting these flaws for initial access, it will likely continue to use them in the hope that targets have not yet patched, they said.
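What a Responder-style listener actually harvests from the exchange above is worth seeing in bytes. The following is an added example and not code from Proofpoint or from the TA422 tooling: it builds a constructed NTLM Type 3 (AUTHENTICATE_MESSAGE) as a victim would send it in the Authorization header after the 401, decodes the domain, user and workstation names from it, and formats the NTLMv2 response for offline cracking. The user name `jdoe`, domain `CORP`, host `WS01`, the NT response bytes and the 8-byte server challenge are all made up for the demo; the message layout follows MS-NLMP.

```python
"""Decode an NTLM AUTHENTICATE_MESSAGE (Type 3) carried in an HTTP Authorization header.

Added example, not the report's or the actor's code. After the 401 with
'WWW-Authenticate: NTLM', the client eventually sends 'Authorization: NTLM <base64>'
whose payload names the domain, user and workstation and carries the NTLMv2 response.
Every name, response and challenge below is constructed for the demo.
"""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set, OEM (ASCII) otherwise
FIELD_NAMES = ("lm_response", "nt_response", "domain", "user", "workstation", "session_key")
FIXED_HEADER_LEN = 64  # signature(8) + type(4) + six (len,maxlen,offset) fields(48) + flags(4)

# Constructed values: 16-byte NTProofStr followed by a fake NTLMv2 blob, and a fake server challenge.
SAMPLE_NT_RESPONSE = bytes.fromhex("11" * 16 + "0101000000000000" + "22" * 8 + "33" * 8 + "00000000")
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")


def build_type3(domain, user, workstation, nt_response, lm_response=b"", flags=NTLMSSP_NEGOTIATE_UNICODE):
    """Assemble a minimal AUTHENTICATE_MESSAGE (no Version/MIC) so the demo has a real wire format."""
    codec = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    items = (lm_response, nt_response, domain.encode(codec), user.encode(codec),
             workstation.encode(codec), b"")  # last field: EncryptedRandomSessionKey (empty)
    fields, payload = b"", b""
    for item in items:
        fields += struct.pack("<HHI", len(item), len(item), FIXED_HEADER_LEN + len(payload))
        payload += item
    return NTLMSSP_SIGNATURE + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + payload


def parse_type3(msg):
    """Return the six payload fields plus flags; raise on anything that is not a Type 3 message."""
    if len(msg) < FIXED_HEADER_LEN or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type != 3:
        raise ValueError(f"expected AUTHENTICATE_MESSAGE (3), got type {msg_type}")
    flags = struct.unpack_from("<I", msg, 60)[0]
    info = {"flags": flags}
    for i, name in enumerate(FIELD_NAMES):
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, 12 + 8 * i)
        if offset + length > len(msg):  # offsets are attacker/client controlled: bounds-check them
            raise ValueError(f"{name} field points outside the message")
        info[name] = msg[offset:offset + length]
    codec = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    for name in ("domain", "user", "workstation"):
        info[name] = info[name].decode(codec)
    return info


def parse_authorization_header(value):
    """'Authorization: NTLM <base64>' -> decoded Type 3 fields (the data the report says leaks)."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    return parse_type3(base64.b64decode(token))


def ntlmv2_hashcat_line(info, server_challenge):
    """Format user::domain:serverchallenge:NTProofStr:blob (hashcat mode 5600) for offline cracking."""
    nt = info["nt_response"]
    if len(nt) <= 24:
        raise ValueError("24-byte response is NTLMv1, not NTLMv2")
    return "{}::{}:{}:{}:{}".format(info["user"], info["domain"], server_challenge.hex(),
                                    nt[:16].hex(), nt[16:].hex())


def sample_authorization_header():
    """The constructed header a victim 'WS01' would send for user CORP\\jdoe."""
    msg = build_type3("CORP", "jdoe", "WS01", SAMPLE_NT_RESPONSE)
    return "NTLM " + base64.b64encode(msg).decode("ascii")


if __name__ == "__main__":
    header = sample_authorization_header()
    info = parse_authorization_header(header)
    print("domain:", info["domain"], "user:", info["user"], "host:", info["workstation"])
    print(ntlmv2_hashcat_line(info, SERVER_CHALLENGE))
```

The bounds check on each field offset matters for any listener or detector that parses these headers: the offsets come from the peer, and a crafted Type 3 message can point past the end of the buffer. On the defensive side, the same decoder run over proxy logs shows which accounts and hosts authenticated to an unexpected external IP, which is exactly the signal an outbound NTLM leak to an IP-literal server leaves behind.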