Russian GRU Hackers Exploit Critical Patched VulnerabilitiesTA422 Is Targeting Organizations in Europe and North America, Proofpoint Says
In the race between hackers and systems administrators that begins each time a company patches a zero day flaw, a Russian military intelligence hacking unit is often the winner, new research discloses.
Multiple studies suggest that organizations require weeks, if not months, to roll out patches while hackers can rush out an exploit of a newly-disclosed vulnerability in days or weeks.
One organization taking advantage of that disconnect is what Proofpoint dubs TA422 - also known as APT28, Fancy Bear and Forest Blizzard. The security firm in a Tuesday report said it has seen the threat actor "readily use patched vulnerabilities to target a variety of organizations in Europe and North America." U.S. and British intelligence assess that Forest Blizzard is "almost certainly" part of the Russian General Staff Main Intelligence Directorate, better known as the GRU.
Among the n-days exploited by TA422 is CVE-2023-23397, a Microsoft Outlook elevation of privilege vulnerability that allows a remote, unauthenticated attacker to send a specially crafted email that leaks the targeted user's hashed Windows account password, allowing the attacker to authenticate into other systems. Microsoft and Polish cyber defenders on Monday said they observed the same GRU hacking unit exploit it to gain entry to sensitive inboxes (see: Russian GRU Hackers Target Polish Outlook Inboxes).
TA422 previously used an exploit for CVE-2023-23397 to target Ukrainian entities as early as April 2022, according to open-source reporting by CERT-EU.
Greg Lesnewich, threat researcher at Proofpoint, said that Russian hackers launched high-volume email campaigns this year to exploit the Outlook flaw. Targeted organizations included government, manufacturing and aerospace technology entities in Europe and North America.
"It's unclear if the quantity of emails - more than 10,000 total since August 2023 - has been a tactical decision or an operator error. Regardless, the payloads, tactics and techniques used in these campaigns reflect TA422's ultimate shift away from compiled malware for persistent access on targeted networks to lighter-weight, credential-oriented access," Lesnewich said.
The high-volume campaign used an attachment saved as a Microsoft proprietary email attachment format known as Transport Neutral Encapsulation Format masquerading as a spreadsheet or word processing file. The file contained a UNC path directing traffic to an SMB listener hosted on a compromised router - a technique that TA422 has used before, Proofpoint said.
"When vulnerable instances of Outlook processed the appointment attachment, Outlook initiated an NTLM negotiation request to the file located at the UNC path; this allowed for the disclosure of NTLM credentials from the targets without their interaction."
Proofpoint researchers also identified TA422 using a WinRAR remote execution vulnerability tracked as CVE-2023-38831. The flaw allows attackers to force Windows into executing malware by disguising it as a folder with the same name as a benign file. Multiple nation-state hackers, including Russian and Chinese threat actors, have exploited the flaw. Ukrainian cyber defenders in mid-November accused the Russian military intelligence hacking group known as APT 29 or Cozy Bear of using it to attack foreign embassies (see: Russian Cozy Bear Strikes European Embassies With WinRAR Bug).
TA422 also has sent phishing emails with links to Mockbin, a platform that allows developers to test code performance online. A clicked link to attackers' Mockbin instances results in the user downloading a malicious zip file. Proofpoint said the Russian hacking group in November abandoned the use of Mockbin for initial URL redirection in favor of using direct delivery of malware from developer hosting site InfinityFree.