By lconstantin, CSO Senior Writer

Russia’s Fancy Bear launches mass credential collection campaigns

News Analysis | Dec 05, 2023 | 5 mins
Advanced Persistent Threats, Critical Infrastructure, Vulnerabilities

The campaigns exploit Outlook and WinRAR flaws to target government, defense, and other entities, and they represent a change of tactic for the APT28 group.


A threat group associated with the Russian military intelligence service was behind several mass attack campaigns that exploited known flaws in Outlook and WinRAR to collect Windows NTLM credential hashes from organizations in Europe and North America. The high volume of emails is unusual for cyberespionage groups, which are typically highly targeted in their victim selection.

“Proofpoint observed a significant deviation from expected volumes of emails sent in campaigns exploiting CVE-2023-23397 — a Microsoft Outlook elevation of privilege vulnerability,” researchers from security firm Proofpoint said in a report. “This included over 10,000 emails sent from the adversary, from a single email provider, to defense, aerospace, technology, government, and manufacturing entities, and, occasionally, included smaller volumes at higher education, construction, and consulting entities.”

From zero-day exploit to reliable tool

The CVE-2023-23397 vulnerability was patched by Microsoft in March after APT28, also known as Fancy Bear, had exploited it as a zero-day for almost a year in attacks against organizations from the government, military and energy sectors. Those attacks managed to fly under the radar because of their highly targeted nature.

The vulnerability is described as an elevation of privilege flaw, but it can be exploited without user interaction to trick the Microsoft Outlook desktop client into initiating an SMB connection to a remote attacker-controlled server. Since SMB is the file-sharing protocol of Windows networks, the callback includes an NTLM authentication attempt in which the user's hashed NTLM credentials are sent to the attacker's server.

The theft of NTLM hashes enables a type of attack called NTLM relay or pass-the-hash, in which an attacker tricks a computer into sending its hash and then passes that hash on to another legitimate service that accepts it as authentication.

According to Proofpoint, after Microsoft patched the vulnerability in March, APT28 continued to use it in attacks and even ramped up the scale of its campaigns. The malicious emails had a subject of “Test meeting” and contained a specially crafted file in the Transport Neutral Encapsulation Format (TNEF) with a fake CSV, Excel, or Word document extension.

The exploitation of CVE-2023-23397 happens automatically when the Outlook client processes the message and doesn't require users to open the attachment. The hackers set up their remote SMB listener on a compromised Ubiquiti router, a tactic that APT28 has used in the past.

“Proofpoint observed over 10,000 repeated attempts to exploit the Microsoft Outlook vulnerability, targeting the same accounts daily during the late summer of 2023,” the researchers said in their report. “It is unclear if this was operator error or an informed effort to collect target credentials. TA422 re-targeted many of the higher education and manufacturing users previously targeted in March 2023. It is unclear why TA422 re-targeted these entities with the same exploit. Based upon the available campaign data, Proofpoint suspects that these entities are priority targets and as a result, the threat actor attempted broad, lower effort campaigns regularly to try and gain access.”

The CVE-2023-23397 exploitation attempts from APT28 increased in volume over time and peaked in October, but starting in September the group added a second exploit into the mix, for a vulnerability in the popular WinRAR archive manager — CVE-2023-38831.

WinRAR flaw a different exploit with the same goal

Unlike the Outlook vulnerability, the WinRAR flaw is a remote code execution vulnerability and requires users to open maliciously crafted ZIP attachments with WinRAR. In these campaigns, however, the exploit was used only to drop a .cmd file on the system containing Windows batch scripting that initiated an HTTP connection to a remote listener set up by the attackers.

“When the .cmd file initiated an HTTP connection with the Responder server, the server responded with a 401 code, including a WWW-Authentication header requesting NTLM methods for authentication,” the researchers said. “In turn, the victim device included sensitive NTLM information in the subsequent request, stored in the Authorization header. As NTLM credentials are exchanged, the victim device sent information including host and usernames in base64 encoded Authorization headers.”

In other words, while the WinRAR vulnerability led to remote code execution, the attackers used it with the similar purpose of extracting NTLM credentials and information about the victim systems.
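Both credential-collection paths described above (the Outlook SMB callback to an external server, and the WinRAR-dropped batch file answering an HTTP 401 challenge with an NTLM Authorization header) leave the same kind of trace on the network: an internal host authenticating with NTLM to a destination outside the organization. The following detection script is an added example and is not code from the article or from Proofpoint; it runs over constructed firewall and proxy log lines (the key=value format, field names and addresses are assumptions) and flags outbound TCP/445 to non-internal addresses as well as NTLM Type 3 (AUTHENTICATE_MESSAGE) headers sent to external hosts, decoding the domain, user and workstation that the message carries so an analyst knows which account was exposed.

```python
import base64
import ipaddress
import re
import struct
from dataclasses import dataclass

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE: string fields are UTF-16LE

# Address ranges treated as "inside"; anything else is an external destination.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class NtlmLeak:
    source_ip: str
    dest_host: str
    domain: str
    user: str
    workstation: str


def parse_kv(line: str) -> dict:
    """Split a key=value log line (quoted values allowed) into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_external(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def _field(buf: bytes, offset: int) -> bytes:
    """Read an NTLM (Len, MaxLen, BufferOffset) descriptor and return the referenced bytes."""
    length, _maxlen, off = struct.unpack_from("<HHI", buf, offset)
    return buf[off:off + length]


def parse_type3(blob: bytes):
    """Return (domain, user, workstation) from an NTLMSSP AUTHENTICATE_MESSAGE, else None."""
    if not blob.startswith(NTLMSSP_SIGNATURE) or len(blob) < 64:
        return None
    if struct.unpack_from("<I", blob, 8)[0] != 3:   # only Type 3 carries the identity
        return None
    flags = struct.unpack_from("<I", blob, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    # Descriptor offsets per MS-NLMP: domain at 28, user at 36, workstation at 44
    return (_field(blob, 28).decode(enc), _field(blob, 36).decode(enc),
            _field(blob, 44).decode(enc))


def find_outbound_smb(fw_lines):
    """Rule 1: internal host opening TCP/445 to an external address."""
    hits = []
    for line in fw_lines:
        rec = parse_kv(line)
        if rec.get("proto") == "tcp" and rec.get("dpt") == "445" and is_external(rec.get("dst", "")):
            hits.append((rec["src"], rec["dst"]))
    return hits


def find_ntlm_leaks(proxy_lines):
    """Rule 2: NTLM Type 3 Authorization header sent to an external host."""
    leaks = []
    for line in proxy_lines:
        rec = parse_kv(line)
        authz = rec.get("authz", "")
        if not authz.startswith("NTLM ") or not is_external(rec.get("dst", "")):
            continue
        try:
            blob = base64.b64decode(authz[5:], validate=True)
        except ValueError:
            continue
        parsed = parse_type3(blob)
        if parsed is not None:
            leaks.append(NtlmLeak(rec["src"], rec["dst"], *parsed))
    return leaks


def build_sample_type3(domain: str, user: str, workstation: str) -> bytes:
    """Constructed test fixture: a minimal Type 3 message with zeroed challenge responses."""
    body = b""
    descriptors = b""
    for data in (bytes(24), bytes(24), domain.encode("utf-16-le"),
                 user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""):
        descriptors += struct.pack("<HHI", len(data), len(data), 64 + len(body))
        body += data
    return NTLMSSP_SIGNATURE + struct.pack("<I", 3) + descriptors + struct.pack("<I", NEGOTIATE_UNICODE) + body


# Constructed sample logs (addresses, users and format are assumptions, not data from the article).
FIREWALL_LOG = [
    "ts=2023-09-12T10:13:59Z action=allow proto=tcp src=10.20.4.15 spt=51234 dst=10.20.1.5 dpt=445",
    "ts=2023-09-12T10:14:01Z action=allow proto=tcp src=10.20.4.15 spt=51240 dst=203.0.113.7 dpt=445",
    "ts=2023-09-12T10:14:02Z action=allow proto=tcp src=10.20.4.16 spt=51300 dst=203.0.113.9 dpt=443",
]
_TYPE1 = base64.b64encode(NTLMSSP_SIGNATURE + struct.pack("<II", 1, NEGOTIATE_UNICODE) + bytes(16)).decode()
_TYPE3 = base64.b64encode(build_sample_type3("CORP", "jdoe", "WS-0421")).decode()
PROXY_LOG = [
    f'ts=2023-09-12T10:14:05Z src=10.20.4.16 dst=203.0.113.9 method=GET url="http://203.0.113.9/" status=401 authz="NTLM {_TYPE1}"',
    f'ts=2023-09-12T10:14:05Z src=10.20.4.16 dst=203.0.113.9 method=GET url="http://203.0.113.9/" status=200 authz="NTLM {_TYPE3}"',
    f'ts=2023-09-12T10:14:09Z src=10.20.4.16 dst=10.20.1.8 method=GET url="http://intranet/" status=200 authz="NTLM {_TYPE3}"',
]

if __name__ == "__main__":
    for src, dst in find_outbound_smb(FIREWALL_LOG):
        print(f"outbound SMB: {src} -> {dst}")
    for leak in find_ntlm_leaks(PROXY_LOG):
        print(f"NTLM to external host {leak.dest_host} from {leak.source_ip}: "
              f"{leak.domain}\\{leak.user} on {leak.workstation}")
```

The Type 1 (negotiate) header is deliberately ignored: it carries no account identity, and the 401 challenge/response round trip described in the quote only exposes the user once the client answers with Type 3. Internal destinations are skipped so ordinary intranet single sign-on does not generate noise; the same two rules map directly onto the mitigations for both campaigns, blocking TCP/445 egress at the perimeter and refusing NTLM to hosts outside the organization.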

In the campaigns that used the WinRAR exploit, the attackers spoofed geopolitical entities and used the BRICS Summit and a European Parliament meeting as subject lures. The listener server was set up on a compromised FortiGate firewall running FortiOS.

The researchers found batch files on VirusTotal similar to the ones dropped by the WinRAR exploit campaign that, instead of opening an HTTP connection, set up a local RSA key and attempted to open SSH connections to a remote server. It's likely that these batch files were used as part of a different APT28 campaign, since they used a similar beacon domain and the SSH listener was set up on a compromised Ubiquiti router.

The researchers were also able to discover APT28 email campaigns between September and November that used the legitimate Mockbin service for redirection. Mockbin is a third-party service that allows developers to stage (or mock) code for testing purposes and has been abused by APT28 before. The Mockbin campaigns targeted users in the government and defense sectors and directed victims to download ZIP archives with malicious .cmd files inside.