Russian State-Backed Hacker Group APT28 Executes Global NTLM v2 Hash Relay Attacks on High-Profile Targets
CERT-UA Issues Warning as Malware DirtyMoe Infects Over 2,000 Computers in Ukraine; Ongoing Phishing Campaign Targets Military Personnel
Captiva AI - A Special Part of our Jobs Initiative
I hope you are having a great day. As the job market tightens, we feel that interview preparation for any job is crucial to landing a job these days. This is why we have partnered with Captiva AI, an artificial intelligence powered job preparation platform for technology, marketing, consulting, sales, finance, and accounting roles. The app is free to download by scanning the QR code above or following this link.
Aggressive APT28 Exploits NTLM Vulnerabilities, Targets Organizations Across Sectors Worldwide
From April 2022 to November 2023, Russian state-sponsored actors tracked as APT28 carried out NT LAN Manager version 2 (NTLMv2) hash relay attacks against high-value targets around the world. The group, also known as Blue Athena, Fancy Bear, Forest Blizzard, Pawn Storm (Trend Micro's name for it), and others, focused on organizations involved in foreign affairs, energy, defense, transportation, labor, social welfare, finance, parenthood, and local city councils.
Cybersecurity firm Trend Micro described the intrusions as a cost-efficient way of automating attempts to brute-force a way into target networks. APT28, attributed to Russia's GRU military intelligence service and active since at least 2009, has a long history of spear-phishing and strategic web compromises.
In April 2023 the group was implicated in attacks exploiting already-patched flaws in Cisco networking equipment, and later in the year it drew attention for exploiting a privilege escalation flaw in Microsoft Outlook (CVE-2023-23397) and an arbitrary code execution flaw in WinRAR (CVE-2023-38831). The Outlook flaw needs no user interaction: a crafted calendar item sets its reminder sound to an attacker-controlled UNC path, and when the reminder fires Outlook authenticates to that SMB server, handing over the user's Net-NTLMv2 response. APT28 used the captured responses to stage NTLM relay attacks and compromise email accounts.
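As an added check (not from the article or from Trend Micro's report), the following PowerShell audits a Windows host for the controls that break the chain above: SMB signing, which defeats relay to SMB servers because the relaying party cannot compute the session key; a block on outbound TCP/445, which stops Outlook from reaching an attacker's SMB listener at all; and the LSA settings that govern NTLM use. It assumes Windows 8/Server 2012 or later for the Get-Smb* and Get-NetFirewall* cmdlets and an elevated prompt; the finding strings are this example's own wording.

```powershell
# Added example: not part of the original article or of Trend Micro's report.
# Audits the local host for controls that blunt the Outlook hash-leak + NTLM
# relay chain. Assumes Windows 8/Server 2012+ and an elevated prompt.

function Test-NtlmRelayExposure {
    $findings = @()

    # 1. SMB signing. Relay to an SMB server fails when that server requires
    #    signing; the client-side setting protects this host's own sessions.
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    if (-not $srv.RequireSecuritySignature) {
        $findings += 'SMB server does not require signing (LanmanServer RequireSecuritySignature=0)'
    }
    if (-not $cli.RequireSecuritySignature) {
        $findings += 'SMB client does not require signing (LanmanWorkstation RequireSecuritySignature=0)'
    }

    # 2. Outbound SMB. CVE-2023-23397 only leaks a Net-NTLMv2 response if
    #    Outlook can reach the attacker's SMB listener, so look for an enabled
    #    outbound block rule whose port filter covers TCP/445.
    $blocks = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            ($_ | Get-NetFirewallPortFilter) |
                Where-Object { $_.Protocol -eq 'TCP' -and $_.RemotePort -contains '445' }
        }
    if (-not $blocks) {
        $findings += 'No enabled outbound firewall rule blocks TCP/445'
    }

    # 3. LmCompatibilityLevel: 5 = send NTLMv2 only, refuse LM and NTLMv1.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    if ($null -eq $lsa.LmCompatibilityLevel -or $lsa.LmCompatibilityLevel -lt 5) {
        $findings += "LmCompatibilityLevel is '$($lsa.LmCompatibilityLevel)'; expected 5"
    }

    # 4. "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
    #    0 = allow all, 1 = audit, 2 = deny. Unset behaves like 0.
    $msv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
    if ($null -eq $msv.RestrictSendingNTLMTraffic -or $msv.RestrictSendingNTLMTraffic -eq 0) {
        $findings += 'Outgoing NTLM traffic is neither audited nor restricted (MSV1_0\RestrictSendingNTLMTraffic)'
    }

    return $findings
}

$result = Test-NtlmRelayExposure
if ($result.Count -eq 0) { 'No NTLM relay exposure findings' } else { $result }
```

A clean result covers the host, not the relay target: relay to Exchange, the target in this campaign, is governed by Extended Protection for Authentication on the Exchange side, which this script does not inspect.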
The threat actor continued to evolve its tradecraft, adding anonymization layers such as commercial VPN services, Tor, data center IP addresses, and compromised Ubiquiti EdgeOS routers, some of which may have been compromised by a third party before APT28 used them. The routers served for scanning, probing, and sending spear-phishing emails. Post-exploitation activity included changing folder permissions on victims' mailboxes so that their contents became readable by other accounts, which gave the group persistent access and a path to lateral movement inside the organization.
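One way to hunt for the mailbox-permission persistence described above, written here as an added example rather than as anything from the article or from Trend Micro: enumerate every folder in a mailbox and report entries that grant rights to Default, Anonymous, or any principal not on an allow-list. It assumes the ExchangeOnlineManagement module with an active Connect-ExchangeOnline session and read access to the mailboxes; the mailbox address and allow-list in the usage line are placeholders, and the allow-list is matched against the display name shown in the User column.

```powershell
# Added example: not from the original article or from Trend Micro's report.
# Reports mailbox folders whose permissions have been opened to other
# principals. Assumes an active Connect-ExchangeOnline session.

function Get-SuspiciousMailboxFolderPermission {
    param(
        [Parameter(Mandatory)] [string[]] $Mailbox,
        # Display names of principals expected to hold rights (known delegates).
        [string[]] $AllowedUser = @()
    )

    foreach ($mbx in $Mailbox) {
        # FolderPath comes back as /Inbox/Sub; the permission cmdlet wants
        # the form user:\Inbox\Sub. Skip the Recoverable Items subtree.
        $folders = Get-MailboxFolderStatistics -Identity $mbx |
            Where-Object { $_.FolderPath -notlike '/Recoverable Items*' }

        foreach ($f in $folders) {
            $id    = '{0}:{1}' -f $mbx, $f.FolderPath.Replace('/', '\')
            $perms = Get-MailboxFolderPermission -Identity $id -ErrorAction SilentlyContinue
            foreach ($p in $perms) {
                $user   = [string]$p.User
                $rights = $p.AccessRights -join ','
                # Default and Anonymous normally carry None. Anything else on
                # them, or an unexpected named principal, means the folder is
                # readable by someone other than the owner.
                $isBuiltin = $user -in @('Default', 'Anonymous')
                if (($isBuiltin -and $rights -ne 'None') -or
                    (-not $isBuiltin -and $user -notin $AllowedUser)) {
                    [pscustomobject]@{
                        Mailbox      = $mbx
                        Folder       = $f.FolderPath
                        User         = $user
                        AccessRights = $rights
                    }
                }
            }
        }
    }
}

# Usage (placeholder mailbox and delegate):
Get-SuspiciousMailboxFolderPermission -Mailbox 'alice@example.org' -AllowedUser 'Bob Example' |
    Format-Table -AutoSize
```

The mailbox owner never appears in the output of Get-MailboxFolderPermission, so every row returned is a grant to someone else; run it across the mailboxes of users who received the malicious calendar items and compare against known delegation.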
Notably, APT28 targeted Ukrainian entities using CVE-2023-23397 exploits, leveraging lures related to the Israel-Hamas conflict, and employing custom backdoors like HeadLace. Recent campaigns against European governments involved bogus Microsoft Outlook login pages on webhook[.]site URLs. At least 100 EdgeOS routers were estimated to be infected.
The report closes with a look at the group's sophisticated post-exploitation tradecraft, noting that its loud and aggressive campaigns tend to drown out its quieter, more carefully executed intrusions. Separately, another Russian threat actor, COLDRIVER, was found to be impersonating researchers and academics in an ongoing campaign that redirects victims to credential-harvesting pages.
UAC-0027 Identified as Threat Actor Behind DirtyMoe Malware, While Phishing Campaign STEADY#URSA Linked to Russian Threat Actor Shuckworm
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned that more than 2,000 computers in Ukraine have been infected with the DirtyMoe malware, attributing the campaign to the threat actor it tracks as UAC-0027. DirtyMoe, active since 2016, is capable of cryptojacking and of launching distributed denial-of-service (DDoS) attacks. Cybersecurity firm Avast has previously documented the malware's worm-like propagation through known security flaws.
DirtyMoe is delivered by the Purple Fox malware or via fraudulent MSI installer packages posing as popular software such as Telegram. Purple Fox ships with a rootkit for stealth, which complicates detection and removal. The initial access vector in the Ukrainian campaign remains unknown. CERT-UA recommends that organizations keep systems patched, enforce network segmentation, and monitor network traffic for anomalies.
Separately, security firm Securonix disclosed an ongoing phishing campaign, tracked as STEADY#URSA, that targets Ukrainian military personnel and aims to deploy a custom PowerShell backdoor named SUBTLE-PAWS. The infection chain starts when the victim opens a malicious Windows shortcut (.lnk) file, which launches the PowerShell payload. The campaign is attributed to Shuckworm, also known as Aqua Blizzard, Gamaredon, and other names, a group linked to Russia's Federal Security Service (FSB) and active since at least 2013.
Beyond establishing persistence, SUBTLE-PAWS uses Telegraph, Telegram's publishing platform, for command-and-control (C2) communication, a tactic the group has used since early 2023. The malware can spread through removable drives and keeps its later-stage payload in the Windows Registry rather than on disk, loading and executing it dynamically; with no script file written to disk, traditional file-based detection is weaker, and the registry-resident stage lets the backdoor restart after a reboot or an interruption. The disclosure follows earlier reports of Gamaredon's USB-based worm LitterDrifter and underscores the persistent, evolving nature of cyber threats against Ukraine.
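As an added hunting example (not from the article or from Securonix's report), the PowerShell below looks for the two halves of the registry-resident pattern described above: a small launcher in an autorun key that invokes PowerShell with an encoded command or reads and executes a registry value, and a long base64-looking string value elsewhere in the registry that decodes to PowerShell. Only the autorun key paths are Microsoft's; the regexes, the minimum blob length, and the roots that are walked are this example's assumptions.

```powershell
# Added example: not from the original article or from Securonix's report.
# Hunts for a registry-hosted PowerShell stage and the autorun launcher that
# pulls it out. Thresholds and patterns are this example's assumptions.

function Find-RegistryHostedPowerShell {
    param(
        [int]      $MinBlobLength = 512,
        # Walking HKLM:\SOFTWARE recursively is slow; narrow this on large hosts.
        [string[]] $Roots = @('HKCU:\SOFTWARE', 'HKLM:\SOFTWARE')
    )

    $autorunKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Launcher tells: -e/-enc/-EncodedCommand followed by base64, or code that
    # reads a registry value and evaluates it.
    $launcherPattern = '(-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}|FromBase64String|Get-ItemProperty|Invoke-Expression|\biex\b)'

    # Half 1: autorun entries that look like launchers.
    foreach ($key in $autorunKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSChildName, ... metadata
            $v = [string]$p.Value
            if ($v -match $launcherPattern) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Reason = 'autorun launcher'; Value = $v }
            }
        }
    }

    # Half 2: long base64-looking string values that decode to PowerShell.
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $k = $_
            foreach ($name in $k.GetValueNames()) {
                $val = $k.GetValue($name)
                if ($val -isnot [string] -or $val.Length -lt $MinBlobLength) { continue }
                if ($val -notmatch '^[A-Za-z0-9+/=\s]+$') { continue }
                try   { $bytes = [Convert]::FromBase64String(($val -replace '\s', '')) }
                catch { continue }
                # -EncodedCommand payloads are UTF-16LE; fall back to UTF-8.
                $text = [Text.Encoding]::Unicode.GetString($bytes)
                if ($text -notmatch '[\x20-\x7e]{8,}') { $text = [Text.Encoding]::UTF8.GetString($bytes) }
                if ($text -match '(Invoke-|\biex\b|New-Object|Net\.WebClient|\$env:|DownloadString)') {
                    [pscustomobject]@{
                        Key    = $k.Name
                        Name   = $name
                        Reason = 'registry-hosted script'
                        Value  = $text.Substring(0, [Math]::Min(120, $text.Length))
                    }
                }
            }
        }
    }
}

Find-RegistryHostedPowerShell | Format-Table -AutoSize -Wrap
```

Expect some benign hits from installers that store encoded settings; the pairing is what matters, a launcher in an autorun key whose target resolves to one of the decoded blobs, and that pairing is what to escalate.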
Want to get a remote job at Amazon?
Start reading HackerPulse Dispatch & level up your skills as an engineer.
🔹 Useful Tools & Libs
🔹 Best AI paper digests
🔹 No-nonsense career boosters
Roku - Product Manager, Advertising - Santa Monica, California · On-site
Coinbase - Site Reliability Engineer - Client Platform - Fully Remote
Airbnb - Senior Frontend Engineer, Guest Displays & Platforms - On-site
Intel - Software Engineering Intern - Santa Clara, CA · On-site
Western Digital - Summer 2024 Intern, Python Development - San Jose, CA
Neuralink - Software Engineer Intern, Implant Team - Fremont, California, United States · On-site
Thanks for reading Cyber Oracle! Subscribe for free to receive new posts and support our work.