Colored hacker code realistic composition with person creates codes for hacking and stealing information vector illustration
Earlier this year, Ukrainian cybersecurity researchers discovered that the APT28 group exploited a zero-day exploit in Microsoft Outlook and launched these NTLM relay attacks.
This vulnerability, designated CVE-2023-23397, is particularly concerning because it does not require user interaction to be exploited.
Researchers from publisher Palo Alto Networks’ Unit 42 have just published a detailed analysis of the group’s attack campaigns. Their research reveals the timing of the attacks and their targets.
The hacker group APT28 is linked to Russian military intelligence. It is given various names: Fighting Ursa, APT28, Fancy Bear, Strontium/Forest Blizzard, Pawn Storm, Sofacy or Sednit. In the past, this has also been attributed to fake news-related cyberattacks designed to disrupt the French and American presidential campaigns.
Target: NATO members.
According to Unit42 researchers, the first zero-day attack took place on March 18, 2022, three weeks after the invasion of Ukraine, via emails addressed to a Ukrainian ministry. The attacks resumed in late March and again in the summer of 2023 until the end of October this year, targeting at least 30 organizations in 14 NATO member countries that provided strategic information to the Russian government and its military. Critical sectors attacked included energy, transportation, telecommunications, IT and the military-industrial base.
Understanding the Outlook CVE-2023-23397 vulnerability
According to Unit 42, successful exploitation of this vulnerability in Microsoft Outlook results in a relay attack using Windows NT LAN Manager (NTLM), a challenge-based authentication protocol. Answer that is vulnerable to relay attacks. Kerberos has been the standard authentication protocol in Windows systems since Windows 2000. However, many Microsoft applications still use NTLM as a fallback protocol in cases where Kerberos is not accessible. Microsoft Outlook is one such application.
Learn more
For more information about the vulnerability, the update, and the proposed fixes, please visit the Unit 42 analysis page
Also read… Article of the week