Advanced persistent threat group APT28 (aka Sofacy, BlueDelta, Fancy Bear) is behind ongoing campaigns to steal sensitive government and corporate information. The threat group is reportedly abusing unpatched instances of a Microsoft Exchange flaw patched nine months ago, according to researchers.
Microsoft incident response researchers and Poland’s Cyber Command have blamed APT28 for attacks on Exchange servers in the U.S., Europe and the Middle East that exploited a critical elevation of privilege (EoP) vulnerability, tracked as CVE-2023-23397.
A patch for the vulnerability, which has a CVSS v3 score of 9.8, was released in March. Researchers warned at the time that the flaw could pose a significant threat to organizations if it was not mitigated.
Exploitation of the vulnerability involves threat actors sending a specially crafted message to a target’s Exchange account. The target does not need to interact with the message for malicious action to be triggered, enabling the attacker to steal credential hashes, and ultimately gain access to any “high value” mailbox on the server.
APT28 (tracked by Microsoft as Forest Blizzard) has been involved in espionage-focused activities since at least 2019 and has been linked to Russia by U.S. and UK intelligence agencies.
In a Dec. 4 update to a March advisory on CVE-2023-23397, Microsoft’s incident response team said they had partnered with the Polish Cyber Command (DKWOC) to mitigate techniques used by APT28 in the EoP attacks.
“Forest Blizzard continually refines its footprint by employing new custom techniques and malware, suggesting that it is a well-resourced and well-trained group posing long-term challenges to attribution and tracking its activities,” Microsoft’s researchers said.
The updated post listed several other vulnerabilities APT28 had been found to be exploiting, including a patched WinRAR vulnerability, CVE-2023-38831. Microsoft said the group had been leveraging CVE-2023-38831 since at least September to carry out spear-phishing attacks, mainly against Ukrainian government targets.
In a separate post, Polish Cyber Command said it had developed a set of tools that ran on the Exchange environment to identify and mitigate compromises by APT28 that were initiated either through exploitation of CVE-2023-23397 or through brute force attacks.
Once it had breached a target’s account, the threat group modified mailbox folder permissions so that the folders’ contents could be read.
“In cases identified by POL Cyber Command, folders’ permissions were modified, among others, in mailboxes that were high-value information targets for the adversary,” the post said.
“As a result of this change, the adversary was able to gain unauthorized access to the resources of high-value informational mailboxes through any compromised email account in the Exchange organization, using the Exchange Web Services (EWS) protocol.”
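To hunt for the folder-permission change described above, the following PowerShell audit is an added example (not the DKWOC tooling or Microsoft’s code); it assumes an Exchange Management Shell session and a locally maintained allow-list of known delegates, and reports every folder access control entry that grants more than “None”:

```powershell
# Added example, not from the article or from Microsoft/DKWOC tooling.
# Lists every mailbox folder ACE that grants rights beyond "None", which is the
# kind of change the post describes (folder permissions altered so that content
# is readable via EWS from another account in the organization).
param(
    # Mailboxes to audit; default to all (assumption: run in Exchange Management Shell).
    [string[]]$Mailboxes = (Get-Mailbox -ResultSize Unlimited |
        Select-Object -ExpandProperty PrimarySmtpAddress),
    # Known, approved delegates (assumption: maintained by the mail team).
    [string[]]$ApprovedDelegates = @()
)

$findings = foreach ($mbx in $Mailboxes) {
    # Skip the root container; every other folder gets its ACL inspected.
    $folders = Get-MailboxFolderStatistics -Identity $mbx |
        Where-Object { $_.FolderType -ne 'Root' }

    foreach ($f in $folders) {
        # FolderPath is "/Inbox/Sub"; the permission cmdlet wants "mailbox:\Inbox\Sub".
        $id = "${mbx}:" + ($f.FolderPath -replace '/', '\')

        Get-MailboxFolderPermission -Identity $id -ErrorAction SilentlyContinue |
            Where-Object {
                # Default/Anonymous should carry "None"; any real right is reportable,
                # as is any explicit grant to a principal outside the allow-list.
                ($_.AccessRights -notcontains 'None') -and
                ($_.User.DisplayName -notin $ApprovedDelegates)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox      = $mbx
                    Folder       = $f.FolderPath
                    GrantedTo    = $_.User.DisplayName
                    AccessRights = ($_.AccessRights -join ',')
                }
            }
    }
}

# A Reviewer/Reader grant on Inbox (or on a Default/Anonymous principal) for a
# high-value mailbox is the pattern worth triaging first.
$findings | Sort-Object Mailbox, Folder | Format-Table -AutoSize
```

Run it on a schedule and diff the output against the previous run, so that a newly appearing grant on a sensitive mailbox stands out rather than being buried among long-standing delegate assignments.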
Microsoft said security teams should ensure Outlook was patched and kept up-to-date to mitigate the threat from APT28.