Fancy Bear group exploits Outlook and WinRAR flaws in mass credential collection campaigns

APT28 group – aka Fancy Bear – used vulnerabilities to target government, defense and technology entities

Michael Hill
12/06/2023


A threat group with ties to the Russian military service has carried out several mass attack campaigns exploiting known flaws in Outlook and WinRAR, researchers from cyber security firm Proofpoint have revealed. Since March 2023, APT28 – aka Fancy Bear – has been detected engaging in phishing activity in which the threat actor leveraged patched vulnerabilities to send, at times, high-volume campaigns to targets in Europe and North America, the researchers wrote. The actor used the vulnerabilities as initial access against government, aerospace, education, finance, manufacturing and technology sector targets to either disclose user credentials or initiate follow-on activity, they added.

The vulnerabilities they exploited are CVE-2023-23397 – a Microsoft Outlook elevation of privilege flaw that allows a threat actor to exploit TNEF files and initiate NT LAN Manager (NTLM) negotiation – and CVE-2023-38831 – a WinRAR remote code execution flaw that allows execution of arbitrary code when a user attempts to view a benign file within a ZIP archive.

Threat group deviating to exploit Microsoft Outlook vulnerability

Proofpoint observed a “significant deviation” from expected volumes of emails sent in campaigns exploiting CVE-2023-23397. “This included over 10,000 emails sent from the adversary, from a single email provider, to defense, aerospace, technology, government, and manufacturing entities, and, occasionally, included smaller volumes at higher education, construction and consulting entities,” they wrote.

In the Proofpoint-identified campaigns, researchers initially observed small numbers of emails attempting to exploit this vulnerability. “The first surge in activity caught our attention partly due to all the emails pointing to the same listener server, but mostly due to the volume.” This campaign was very large compared to typical state-aligned espionage activity, the team said. “Proofpoint observed over 10,000 repeated attempts to exploit the Microsoft Outlook vulnerability, targeting the same accounts daily during the late summer of 2023. It is unclear if this was operator error or an informed effort to collect target credentials.” TA422 (Proofpoint's designation for APT28) re-targeted many higher education and manufacturing users it had previously targeted in March 2023. “Based upon the available campaign data, Proofpoint suspects that these entities are priority targets and as a result, the threat actor attempted broad, lower effort campaigns regularly to try and gain access,” the researchers stated.

WinRAR vulnerability exploited to extract credentials and information

In September 2023, TA422 sent malicious emails from different Portugalmail addresses exploiting the WinRAR vulnerability (CVE-2023-38831) in two distinct campaigns, according to the researchers. “The email senders spoofed geopolitical entities and used the BRICS Summit and a European Parliament meeting as subject lures to entice targets to open the emails.” The researchers indicated that the threat actors used the WinRAR vulnerability to initiate remote code execution with the purpose of extracting NTLM credentials and information about the victim systems.

The messages contained RAR file attachments that leveraged CVE-2023-38831 to drop a .cmd file. This functions similarly to a batch file and initiates communications to a Responder listener server. The file attempted to modify proxy settings in the registry, download a lure document and beacon to an IP-literal Responder server. “This was distinct from previously reported TA422 activity abusing WinRAR,” researchers noted.

When the file initiated an HTTP connection with the Responder server, the server responded with a 401 code, including a WWW-Authenticate header requesting NTLM methods for authentication. “In turn, the victim device included sensitive NTLM information in the subsequent request, stored in the Authorization header. As NTLM credentials are exchanged, the victim device sent information including host and usernames in base64 encoded Authorization headers.”
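The two paragraphs above describe the beacon to an IP-literal Responder server and the 401 / WWW-Authenticate / Authorization exchange that leaks host and user names. The following Python is an added example, written for this article and not Proofpoint's or TA422's code: it replays a constructed HTTP exchange (not captured traffic), flags the NTLM prompt from an IP-literal host, and decodes the base64 NTLMSSP blobs in the headers, pulling the plaintext domain, user name and workstation out of the Type 3 (AUTHENTICATE) message the way a proxy-log triage script or forensic parser would. The host 192.0.2.10, the identity CORP\jdoe on WS-FINANCE-07 and the response bytes are all constructed placeholders.

```python
import base64
import ipaddress
import re
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # strings in the message are UTF-16LE

# --- NTLMSSP message parsing (field offsets per MS-NLMP) --------------------

def _secbuf(raw, at):
    """Resolve an NTLM security-buffer descriptor (Len, MaxLen, Offset) at byte offset `at`."""
    length, _maxlen, offset = struct.unpack_from("<HHI", raw, at)
    return raw[offset:offset + length]

def parse_ntlm(b64blob):
    """Decode one base64 NTLMSSP blob taken from an HTTP header.

    Returns the message type; for Type 2 the server challenge; for Type 3 the
    plaintext identity the victim sends (domain, user, workstation) and the NT
    response length (24 bytes = NTLMv1, longer = NTLMv2). Offsets: NtChallengeResponse@20,
    DomainName@28, UserName@36, Workstation@44, NegotiateFlags@60.
    """
    raw = base64.b64decode(b64blob)
    if raw[:8] != NTLMSSP_SIG:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    info = {"type": msg_type}
    if msg_type == 2:
        info["challenge"] = raw[24:32].hex()
    elif msg_type == 3:
        flags = struct.unpack_from("<I", raw, 60)[0]
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
        info["domain"] = _secbuf(raw, 28).decode(enc)
        info["user"] = _secbuf(raw, 36).decode(enc)
        info["workstation"] = _secbuf(raw, 44).decode(enc)
        info["nt_response_len"] = len(_secbuf(raw, 20))
    return info

# --- HTTP exchange audit ----------------------------------------------------

NTLM_HDR = re.compile(r"^(Authorization|WWW-Authenticate):\s*NTLM(?:\s+([A-Za-z0-9+/=]+))?\s*$", re.I | re.M)
HOST_HDR = re.compile(r"^Host:\s*([^\s:]+)", re.I | re.M)

def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_exchange(messages):
    """Replay a list of (direction, raw_http) pairs, direction "C" (client) or "S" (server).

    Records the 401 + WWW-Authenticate: NTLM prompt, whether the server was addressed
    by IP literal (the Responder beacon pattern from the article), the server
    challenge, and the identity fields leaked in the Type 3 Authorization header.
    """
    report = {"ntlm_prompt": False, "server_host": None, "ip_literal_host": False,
              "challenge": None, "identity": None}
    for direction, raw in messages:
        if direction == "C":
            m = HOST_HDR.search(raw)
            if m:
                report["server_host"] = m.group(1)
                report["ip_literal_host"] = _is_ip_literal(m.group(1))
        if direction == "S" and raw.startswith("HTTP/1.1 401") and "WWW-Authenticate: NTLM" in raw:
            report["ntlm_prompt"] = True
        for _name, blob in NTLM_HDR.findall(raw):
            if not blob:  # bare "WWW-Authenticate: NTLM" carries no message yet
                continue
            msg = parse_ntlm(blob)
            if msg["type"] == 2:
                report["challenge"] = msg["challenge"]
            elif msg["type"] == 3:
                report["identity"] = {k: msg[k] for k in ("domain", "user", "workstation", "nt_response_len")}
    return report

# --- Constructed sample exchange (placeholder values, not captured traffic) --

def build_type3(domain, user, workstation, nt_response):
    """Assemble a minimal Type 3 message with dummy responses so the parser can run offline."""
    enc = "utf-16-le"
    items = [b"\x00" * 24, nt_response, domain.encode(enc), user.encode(enc), workstation.encode(enc), b""]
    descs, payload, offset = b"", b"", 64  # fixed header ends after NegotiateFlags at byte 64
    for item in items:
        descs += struct.pack("<HHI", len(item), len(item), offset)
        payload += item
        offset += len(item)
    return NTLMSSP_SIG + struct.pack("<I", 3) + descs + struct.pack("<I", NEGOTIATE_UNICODE) + payload

def to_b64(b):
    return base64.b64encode(b).decode()

TYPE1 = NTLMSSP_SIG + struct.pack("<I", 1) + struct.pack("<I", NEGOTIATE_UNICODE) + struct.pack("<HHI", 0, 0, 32) * 2
TYPE2 = NTLMSSP_SIG + struct.pack("<I", 2) + struct.pack("<HHI", 0, 0, 40) + struct.pack("<I", NEGOTIATE_UNICODE) + bytes(range(8)) + b"\x00" * 8
TYPE3 = build_type3("CORP", "jdoe", "WS-FINANCE-07", b"\x5a" * 48)  # 48-byte dummy NT response, no real hash

SAMPLE_EXCHANGE = [
    ("C", "GET /lure.docx HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"),
    ("S", "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: NTLM\r\nContent-Length: 0\r\n\r\n"),
    ("C", f"GET /lure.docx HTTP/1.1\r\nHost: 192.0.2.10\r\nAuthorization: NTLM {to_b64(TYPE1)}\r\n\r\n"),
    ("S", f"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: NTLM {to_b64(TYPE2)}\r\nContent-Length: 0\r\n\r\n"),
    ("C", f"GET /lure.docx HTTP/1.1\r\nHost: 192.0.2.10\r\nAuthorization: NTLM {to_b64(TYPE3)}\r\n\r\n"),
]

if __name__ == "__main__":
    print(audit_exchange(SAMPLE_EXCHANGE))
```

Run against real proxy or packet-capture data, the same `audit_exchange` logic gives a detection rule a concrete shape: an outbound 401 + `WWW-Authenticate: NTLM` exchange with a host that is an IP literal rather than an internal name is exactly the pattern a Responder listener produces, and the decoded Type 3 fields tell the responder which account and workstation to treat as exposed.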

The researchers were unable to state why TA422 has continued to use disclosed and patched vulnerabilities in its phishing campaigns. However, as the group has relied extensively on exploiting these flaws to gain initial access, it is likely to continue leveraging them in the hope that targets have not yet patched these vulnerabilities, they added.
