The Russian APT28 hacking group (aka 'Strontium' or 'Fancy Bear') has been targeting government entities, businesses, universities, research institutes, and think tanks in France since the second half of 2021.
The threat group, which is considered part of Russia's military intelligence service GRU, was recently linked to the exploitation of CVE-2023-38831, a remote code execution vulnerability in WinRAR, and CVE-2023-23397, a zero-day privilege elevation flaw in Microsoft Outlook.
The Russian hackers have been compromising peripheral devices on critical networks of French organizations and moving away from using backdoors to evade detection.
This is according to a recently published report from ANSSI (Agence Nationale de la sécurité des systèmes d'information), the French National Agency for the Security of Information Systems, which conducted investigations into the activities of the cyber-espionage group.
Network reconnaissance and first access
ANSSI has mapped the TTPs (tactics, techniques, and procedures) of APT28, reporting that the threat group uses brute-forcing and leaked databases containing credentials to breach accounts and Ubiquiti routers on targeted networks.
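Credential brute-forcing and credential stuffing against exposed accounts and edge devices leave a recognisable trace in authentication logs: many failures from one source, spread across several usernames, often followed by a success. The following detection logic is an added example written for this article, not code from ANSSI or the report; the log format, hostnames and addresses are constructed to illustrate the pattern and are not from the report.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log in a generic syslog-like format
# (not taken from the ANSSI report). One source tries many accounts in
# seconds and finally succeeds as "admin"; the other sources are benign.
SAMPLE_LOG = """\
2023-04-12T08:00:01Z router1 auth: FAILED login user=admin src=203.0.113.7
2023-04-12T08:00:02Z router1 auth: FAILED login user=ubnt src=203.0.113.7
2023-04-12T08:00:03Z router1 auth: FAILED login user=root src=203.0.113.7
2023-04-12T08:00:04Z router1 auth: FAILED login user=support src=203.0.113.7
2023-04-12T08:00:05Z router1 auth: FAILED login user=operator src=203.0.113.7
2023-04-12T08:00:06Z router1 auth: FAILED login user=admin src=203.0.113.7
2023-04-12T08:00:07Z router1 auth: SUCCESS login user=admin src=203.0.113.7
2023-04-12T08:05:00Z router1 auth: FAILED login user=jdupont src=198.51.100.20
2023-04-12T08:05:30Z router1 auth: SUCCESS login user=jdupont src=198.51.100.20
2023-04-12T09:00:00Z router1 auth: FAILED login user=alice src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|SUCCESS) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_auth_log(text):
    """Parse log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(d)
    return events


def find_brute_force_sources(events, window_seconds=300, min_failures=5, min_users=3):
    """Return {src: details} for sources that produced at least min_failures
    failed logins against at least min_users distinct accounts inside a
    sliding window, and list any account that logged in successfully from
    that source after the burst (a likely compromised account)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAILED"]
        for i, first in enumerate(fails):
            window = [f for f in fails[i:]
                      if (f["ts"] - first["ts"]).total_seconds() <= window_seconds]
            users = {f["user"] for f in window}
            if len(window) >= min_failures and len(users) >= min_users:
                end = window[-1]["ts"]
                success_after = [e["user"] for e in evs
                                 if e["result"] == "SUCCESS" and e["ts"] >= end]
                findings[src] = {
                    "failures": len(window),
                    "users": sorted(users),
                    "success_after": success_after,
                }
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for src, info in find_brute_force_sources(parse_auth_log(SAMPLE_LOG)).items():
        print(src, info)
```

The thresholds are parameters because a password-spraying run against a webmail gateway looks different from a brute force against a single router account: lower the per-user count and widen the window to catch slow sprays. The "success after burst" field is what turns a noisy alert into an incident: it names the account whose credentials should be reset and whose sessions should be reviewed.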
In one case from April 2023, the attackers ran a phishing campaign that tricked the recipients into running PowerShell that exposed their system configuration, running processes, and other OS details.
Between March 2022 and June 2023, APT28 sent emails to Outlook users that exploited the then zero-day vulnerability now tracked as CVE-2023-23397, placing the first exploitation a month earlier than what was previously reported.
During this period, the attackers also exploited CVE-2022-30190 (aka "Follina") in the Microsoft Windows Support Diagnostic Tool and CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026 in the Roundcube application.
The tools used in the initial stages of the attacks include the Mimikatz password extractor and the reGeorg traffic relaying tool, as well as the Mockbin and Mocky open-source services.
ANSSI also reports that APT28 uses a range of VPN clients, including SurfShark, ExpressVPN, ProtonVPN, PureVPN, NordVPN, CactusVPN, WorldVPN, and VPNSecure.
Data access and exfiltration
As a cyber-espionage group, data access and exfiltration are at the core of Strontium's operational goals.
ANSSI has observed the threat actors retrieving authentication information using native utilities and stealing emails containing sensitive information and correspondence.
Specifically, the attackers exploit CVE-2023-23397 to trigger an SMB connection from the targeted accounts to a service under their control, allowing the retrieval of the NetNTLMv2 authentication hash, which can be used on other services, too.
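The NetNTLMv2 leak described above only works if the victim's workstation can open an SMB session to an attacker-controlled host on the internet, which is why blocking outbound TCP 445 at the perimeter is a standard mitigation for this flaw. The same fact gives defenders a simple detection: any SMB connection from an internal client to a non-internal destination is suspicious, whether the firewall allowed it or blocked it. The script below is an added example written for this article, not ANSSI's or Microsoft's code; the firewall log format and all addresses are constructed, and the list of internal networks is an assumption that a real deployment would replace with its own ranges.

```python
import ipaddress
import re

# Constructed firewall log lines in a key=value style (not from the ANSSI
# report). 10.20.1.15 talks SMB to an internal file server (normal), then to
# an external host (allowed, i.e. a possible hash leak); 10.20.1.22's attempt
# to an external host is denied (blocked, but still worth investigating).
SAMPLE_FW_LOG = """\
2023-05-03T10:14:22Z fw1 action=allow proto=tcp src=10.20.1.15 dst=10.20.0.5 dport=445
2023-05-03T10:14:25Z fw1 action=allow proto=tcp src=10.20.1.15 dst=203.0.113.45 dport=445
2023-05-03T10:14:26Z fw1 action=allow proto=tcp src=10.20.1.15 dst=203.0.113.45 dport=443
2023-05-03T10:14:30Z fw1 action=deny proto=tcp src=10.20.1.22 dst=198.51.100.8 dport=445
2023-05-03T10:15:00Z fw1 action=allow proto=udp src=10.20.1.15 dst=10.20.0.5 dport=137
"""

FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) action=(?P<action>allow|deny) proto=(?P<proto>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# SMB over TCP: direct-hosted (445) and the legacy NetBIOS session port (139).
SMB_TCP_PORTS = {445, 139}

# Assumed internal ranges for the example (RFC 1918). A real deployment would
# list its own routed prefixes here instead of relying on a generic notion
# of "private" addresses.
DEFAULT_INTERNAL_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def find_external_smb(log_text, internal_nets=DEFAULT_INTERNAL_NETS):
    """Return a list of findings for TCP connections on SMB ports whose
    destination lies outside the given internal networks. Allowed
    connections are rated high (the NTLM exchange may have completed);
    denied ones are rated medium (blocked, but the client tried)."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    findings = []
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash
        if m["proto"] != "tcp" or int(m["dport"]) not in SMB_TCP_PORTS:
            continue
        dst = ipaddress.ip_address(m["dst"])
        if any(dst in n for n in nets):
            continue  # internal file sharing is expected traffic
        findings.append({
            "ts": m["ts"],
            "src": m["src"],
            "dst": str(dst),
            "dport": int(m["dport"]),
            "action": m["action"],
            "severity": "high" if m["action"] == "allow" else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_external_smb(SAMPLE_FW_LOG):
        print(f["severity"], f["src"], "->", f["dst"], f["dport"], f["action"])
```

An "allow" hit is the one to act on first: the source host should be checked for the malicious calendar item or message, and the user's credentials treated as exposed, since the captured NetNTLMv2 response can be relayed or cracked offline and reused against other services, as the article notes. A "deny" hit confirms the perimeter rule is doing its job but still identifies a host that received the lure.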
APT28's command and control (C2) server infrastructure relies on legitimate cloud services, such as Microsoft OneDrive and Google Drive, to make the exchange less likely to raise any alarms from traffic monitoring tools.
Finally, ANSSI has seen evidence that the attackers collect data using the CredoMap implant, which targets information stored in the victim's web browser, such as authentication cookies.
Mockbin and the Pipedream service are also involved in the data exfiltration process.
ANSSI emphasizes a comprehensive approach to security, which entails assessing risks. In the case of the APT28 threat, focusing on email security is crucial.
The agency's key recommendations about email security include:
- Ensure the security and confidentiality of email exchanges.
- Use secure exchange platforms to prevent email diversions or hijacks.
- Minimize the attack surface of webmail interfaces and reduce risks from servers like Microsoft Exchange.
- Implement capabilities to detect malicious emails.
For more details on ANSSI's findings and defense tips, check out the full report here.