Summary
The APT28 hacker group has been conducting cyberattacks against high-value targets across the globe from April 2022 through November 2023 using the NT LAN Manager (NTLM) v2 hash relay attack method.
Attack targets
APT28 targets organizations in the fields of foreign affairs, energy, defense and transportation, as well as institutions related to labor, social welfare, finance, childcare and local city councils.
Type of attack
- Trend Micro Security analyzed these attacks and concluded that APT28 has attempted to force its way into networks through automated means and may have compromised thousands of email accounts.
- APT28 is also known to the cyber security community under multiple other aliases, including Blue Athena, BlueDelta, Fancy Bear and others.
- The hacking team has been active since 2009 and is run by the Russian GRU military intelligence service.
Attack Case Study
- In April 2023, APT28 exploited vulnerabilities in Cisco network equipment for reconnaissance and malware deployment.
- The team exploited an elevation of privilege vulnerability in Microsoft Outlook (CVE-2023-23397) and WinRAR code execution vulnerabilities (CVE-2023-38831) to perform NTLM relay attacks.
- APT28 has also used decoys related to the Israel-Hamas conflict in phishing attacks to spread a backdoor program called HeadLace and target organizations in Ukraine and Poland.
Attack Characteristics
APT28 is constantly improving its attack techniques and arsenal, adapting its tactics to circumvent detection.
NTLM Relay Attack Technique
- APT28 uses VPNs, Tor, data center IP addresses and compromised EdgeOS routers as anonymization tools for scanning and reconnaissance.
- The organization sends phishing emails via Tor or VPN, exploiting known vulnerabilities and phishing sites to steal credentials.
Security recommendations
- It is critical for the cyber security community to understand APT28's diverse attack patterns and continuously improving strategies.
- Organizations need to be vigilant and take immediate precautions against any suspicious activity and ensure that all systems are patched in a timely manner.
Original article by Chief Security Officer; if reproduced, please credit https://cncso.com/en/russian-apt28-hacker-group-exploits-ntlm-vulnerabilities-html