One Article Review

Source ProofPoint
Identifier 8419228
Publication date 2023-12-05 05:00:40 (viewed: 2023-12-05 10:07:40)
Title TA422's Dedicated Exploitation Loop - the Same Week After Week
Text

Key takeaways

- Since March 2023, Proofpoint researchers have observed regular TA422 (APT28) phishing activity, in which the threat actor leveraged patched vulnerabilities to send, at times, high-volume campaigns to targets in Europe and North America.
- TA422 used the vulnerabilities as initial access against government, aerospace, education, finance, manufacturing, and technology sector targets likely to either disclose user credentials or initiate follow-on activity.
- The vulnerabilities included CVE-2023-23397, a Microsoft Outlook elevation of privilege flaw that allows a threat actor to exploit TNEF files and initiate NTLM negotiation, obtaining a hash of a target's NTLM password, and CVE-2023-38831, a WinRAR remote code execution flaw that allows execution of “arbitrary code when a user attempts to view a benign file within a ZIP archive,” according to the NIST disclosure.

Overview

Starting in March 2023, Proofpoint researchers have observed the Russian advanced persistent threat (APT) TA422 readily use patched vulnerabilities to target a variety of organizations in Europe and North America. TA422 overlaps with the aliases APT28, Forest Blizzard, Pawn Storm, Fancy Bear, and BlueDelta, and is attributed by the United States Intelligence Community to the Russian General Staff Main Intelligence Directorate (GRU). While TA422 conducted traditional targeted activity during this period, leveraging Mockbin and InfinityFree for URL redirection, Proofpoint observed a significant deviation from expected volumes of emails sent in campaigns exploiting CVE-2023-23397, a Microsoft Outlook elevation of privilege vulnerability. This included over 10,000 emails sent from the adversary, from a single email provider, to defense, aerospace, technology, government, and manufacturing entities, and occasionally included smaller volumes at higher education, construction, and consulting entities.

Proofpoint researchers also identified TA422 campaigns leveraging a WinRAR remote execution vulnerability, CVE-2023-38831.

[Figure: Bar chart showing the breakdown of TA422 phishing activity from March 2023 to November 2023.]

Please attend: CVE-2023-23397-test meeting

In late March 2023, TA422 started to launch high-volume campaigns exploiting CVE-2023-23397 targeting higher education, government, manufacturing, and aerospace technology entities in Europe and North America. TA422 previously used an exploit for CVE-2023-23397 to target Ukrainian entities as early as April 2022, according to open-source reporting by CERT-EU.

In the Proofpoint-identified campaigns, our researchers initially observed small numbers of emails attempting to exploit this vulnerability. The first surge in activity caught our attention partly because all the emails pointed to the same listener server, but mostly because of the volume. This campaign was very large compared to the typical state-aligned espionage campaign activity Proofpoint tracks. Proofpoint observed over 10,000 repeated attempts to exploit the Microsoft Outlook vulnerability, targeting the same accounts daily during the late summer of 2023. It is unclear whether this was operator error or an informed effort to collect target credentials. TA422 re-targeted many of the higher education and manufacturing users previously targeted in March 2023. It is unclear why TA422 re-targeted these entities with the same exploit. Based on the available campaign data, Proofpoint suspects that these entities are priority targets and that, as a result, the threat actor attempted broad, lower-effort campaigns regularly to try to gain access.

Like the high-volume TA422 campaign Proofpoint researchers identified in March 2023, the late summer 2023 messages contained an appointment attachment using the Transport Neutral Encapsulation Format (TNEF) file. The TNEF file used a fake file extension to masquerade as a CSV, Excel file, or Word document, and contained a UNC path directing traffic to an SMB listener hosted on a likely compromised Ubiquiti router. TA422 has previously used compromised routers to host the gr
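The two traits the article attributes to the lure attachment, TNEF content hiding behind a document extension and an embedded UNC path pointing at an external SMB listener, can both be checked at the mail gateway before a client ever parses the file. The following Python is an added defensive example, not Proofpoint's code or tooling: it flags attachments whose bytes carry the TNEF signature (0x223E9F78, stored little-endian) while the filename claims to be a CSV, Excel or Word file, and it scans the raw bytes for `\\host\share` paths (ASCII or UTF-16LE) whose host is not in a private range. The attachment names, the sample byte strings, the documentation-range IP addresses and the "internal" prefix list are all constructed for the example; a production check would decode the TNEF attribute stream properly rather than regex-scanning the raw bytes.

```python
"""Gateway-side check for TNEF attachments masquerading as documents and
carrying UNC paths to external hosts.  Added example; all inputs constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# A TNEF stream begins with the 32-bit signature 0x223E9F78 in little-endian
# byte order, i.e. the bytes 78 9F 3E 22.
TNEF_SIGNATURE = (0x223E9F78).to_bytes(4, "little")

# Document extensions the article says the lure files pretended to be.
MASQUERADE_EXTENSIONS = {".csv", ".xls", ".xlsx", ".doc", ".docx"}

# \\host\share in plain ASCII, and the same shape encoded as UTF-16LE
# (MAPI string properties inside TNEF are often UTF-16LE).
UNC_ASCII_RE = re.compile(rb"\\\\([A-Za-z0-9.\-]+)\\[^\s\x00\\]+")
UNC_UTF16_RE = re.compile(rb"\\\x00\\\x00((?:[A-Za-z0-9.\-]\x00)+)\\\x00")

# Assumption for the example: these prefixes are treated as internal.
INTERNAL_PREFIXES = ("10.", "192.168.", "127.")


@dataclass
class Finding:
    filename: str
    reasons: List[str] = field(default_factory=list)


def is_internal_host(host: str) -> bool:
    """RFC 1918 / loopback test; hostnames (non-IP) are treated as external."""
    if host.startswith(INTERNAL_PREFIXES):
        return True
    if host.startswith("172."):
        parts = host.split(".")
        return len(parts) > 1 and parts[1].isdigit() and 16 <= int(parts[1]) <= 31
    return False


def extract_unc_hosts(data: bytes) -> List[str]:
    hosts = [m.group(1).decode("ascii", "replace") for m in UNC_ASCII_RE.finditer(data)]
    hosts += [m.group(1).decode("utf-16-le", "replace") for m in UNC_UTF16_RE.finditer(data)]
    return hosts


def inspect_attachment(filename: str, data: bytes) -> Optional[Finding]:
    """Return a Finding when the attachment shows either lure trait, else None."""
    reasons: List[str] = []
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if data[:4] == TNEF_SIGNATURE and ext in MASQUERADE_EXTENSIONS:
        reasons.append(f"TNEF content with {ext} extension")
    for host in extract_unc_hosts(data):
        if not is_internal_host(host):
            reasons.append(f"UNC path to external host {host}")
    return Finding(filename, reasons) if reasons else None


def scan_attachments(attachments) -> List[Finding]:
    """Run the check over (filename, bytes) pairs and keep only the hits."""
    return [f for name, data in attachments if (f := inspect_attachment(name, data))]


# Constructed samples (hypothetical names, RFC 5737 documentation addresses).
SAMPLE_TNEF_ASCII = TNEF_SIGNATURE + b"\x00\x00" + b"\\\\203.0.113.10\\share\\lure" + b"\x00"
SAMPLE_TNEF_UTF16 = TNEF_SIGNATURE + b"\x00\x00" + "\\\\198.51.100.7\\c$".encode("utf-16-le")
SAMPLE_TNEF_INTERNAL = TNEF_SIGNATURE + b"\x00\x00" + b"\\\\10.1.2.3\\files\\x"
SAMPLE_DOCX = b"PK\x03\x04" + b"\x00" * 16  # a real OOXML file starts as a ZIP

SAMPLE_MAILBOX = [
    ("agenda.csv", SAMPLE_TNEF_ASCII),        # TNEF as .csv, external UNC -> 2 reasons
    ("budget.xlsx", SAMPLE_TNEF_UTF16),       # TNEF as .xlsx, UTF-16 external UNC
    ("winmail.dat", SAMPLE_TNEF_INTERNAL),    # honest TNEF, internal share -> clean
    ("report.docx", SAMPLE_DOCX),             # genuine document -> clean
]

if __name__ == "__main__":
    for finding in scan_attachments(SAMPLE_MAILBOX):
        print(finding.filename, "->", "; ".join(finding.reasons))
```

The extension check alone would miss a TNEF delivered as `winmail.dat`, and the UNC check alone would miss a lure whose listener sits on an already-compromised internal host, which is why both traits are reported separately and why the internal prefix list is an explicit assumption to be tuned per environment.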
Sent Yes
Tags Malware Vulnerability Threat
Stories APT 28
Rating ★★★


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.