
Global NTLM relay attacks deployed by APT28

High-profile organizations around the world were targeted with NTLMv2 hash relay attacks by the Russian state-backed threat operation APT28, also known as Fancy Bear, BlueDelta, Pawn Storm, and Forest Blizzard, between April 2022 and November 2023, according to The Hacker News.

APT28 leveraged the critical Microsoft Outlook privilege escalation vulnerability, tracked as CVE-2023-23397, and the high-severity WinRAR code execution flaw, tracked as CVE-2023-38831, to facilitate NTLM relay attacks aimed at compromising organizations' mailboxes, a report from Trend Micro researchers revealed. The group also used several anonymization layers, including data center IP addresses, breached EdgeOS routers, and VPN servers, with the compromised routers serving as the callback hosts for the Outlook bug.

"The loudness of the repetitive, oftentimes crude and aggressive campaigns drowns out the silence, subtlety, and complexity of the initial intrusion, as well as the post-exploitation actions that might occur once Pawn Storm gets an initial foothold in victim organizations," said the researchers.
