Russia-linked APT28 group spotted exploiting Outlook flaw to hijack MS Exchange accounts

Pierluigi Paganini December 05, 2023

Microsoft warns that the Russia-linked APT28 group is actively exploiting the CVE-2023-23397 Outlook flaw to hijack Microsoft Exchange accounts.

Microsoft’s Threat Intelligence is warning of Russia-linked cyber-espionage group APT28 (aka “Forest Blizzard”, “Fancybear” or “Strontium”) actively exploiting the CVE-2023-23397 Outlook flaw to hijack Microsoft Exchange accounts and steal sensitive information.

The APT28 group (aka Fancy BearPawn StormSofacy GroupSednit, BlueDelta, and STRONTIUM) has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. The group was involved also in the string of attacks that targeted 2016 Presidential election.

The group operates out of military unity 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

Most of the APT28s’ campaigns leveraged spear-phishing and malware-based attacks.

In March 2023, Microsoft published guidance for investigating attacks exploiting the patched Outlook vulnerability tracked as CVE-2023-23397. The vulnerability is a Microsoft Outlook spoofing vulnerability that can lead to an authentication bypass.

In recent attacks spotted by Microsoft’s Threat Intelligence, the nation-state actors primarily targeted government, energy, transportation, and non-governmental organizations in the US, Europe, and the Middle East.

The researchers noticed that the attackers also commonly employed multiple known vulnerabilities, including CVE-2023-38831 in WinRAR or CVE-2021-40444 in Windows MSHTML.

The tech giant partnered with the Polish Cyber Command (DKWOC) to identify the malicious cluster activity and mitigate it.

“The Polish Cyber Command, as part of its activities in cyberspace, has observed the use of technique[1] that involved the modification of permissions to mailbox folders within Microsoft Exchange servers. It allows an attacker to provide covert, unauthorized access to email correspondence and was used after gaining access to email accounts through CVE-2023-23397 (Microsoft Outlook Vulnerability) or password-spraying.” reads trhe announcement published by DKWOC. “Activities using CVE-2023-23397 were first discovered by CERT-UA[2] and publicly described by Microsoft[3]. In the case of actions taken against entities in Poland, this was reported by CSIRT NASK[4]. As a result of the analyses carried out by POL Cyber Command, malicious actions against public and private entities in Poland were confirmed.”

Microsoft recommended organizations to patch their systems and kept them updated to mitigate this threat.

In October, the French National Agency for the Security of Information Systems ANSSI (Agence Nationale de la sécurité des systèmes d’information) warned that the Russia-linked APT28 group has been targeting multiple French organizations, including government entities, businesses, universities, and research institutes and think tanks.

The French agency noticed that the threat actors used different techniques to avoid detection, including the compromise of low-risk equipment monitored and located at the edge of the target networks. The Government experts pointed out that in some cases the group did not deployed any backdoor in the compromised systems.

ANSSI observed at least three attack techniques employed by APT28 in the attacks against French organizations:

  • searching for zero-day vulnerabilities [T1212, T1587.004];
  • compromise of routers and personal email accounts [T1584.005, T1586.002];
  • the use of open source tools and online services [T1588.002, T1583.006]. ANSSI investigations confirm that APT28 exploited the Outlook 0-day vulnerability CVE-2023-23397. According to other partners, over this period, the MOA also exploited other vulnerabilities, such as that affecting Microsoft Windows Support Diagnostic Tool (MSDT, CVE-2022-30190, also called Follina) as well as
    than those targeting the Roundcube application (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, APT28)

you might also like

leave a comment