Skip links

Fancy Bear goes phishing in US, European high-value networks

Fancy Bear, the Kremlin’s cyber-spy crew, has been exploiting two previously patched bugs for large-scale phishing campaigns against high-value targets – like government, defense, and aerospace agencies in the US and Europe – since March, according to Microsoft. 

The US and UK governments have linked this state-sponsored gang to Russia’s military intelligence agency, the GRU. Its latest phishing expeditions look to exploit CVE-2023-23397, a Microsoft Outlook elevation of privilege flaw, and  CVE-2023-38831, a WinRAR remote code execution flaw that allows arbitrary code execution.

Microsoft initially patched the Outlook bug in March. It warned at the time that the flaw had already been exploited in the wild by miscreants in Russia against government, energy, and military sectors in Europe – with a specific focus on Ukraine, according to the EU’s CERT org. Two months later, Redmond issued an additional fix.

On Monday, Microsoft updated its March guidance for organizations investigating attacks exploiting this Exchange hole, and reported that Fancy Bear has been “actively exploiting CVE-2023-23397 to provide secret, unauthorized access to email accounts within Exchange servers.”

Microsoft tracks Fancy Bear as Forest Blizzard, and it used to call the GRU-backed group Strontium. Other threat hunters call it APT28 and TA422.

Some of the compromised Outlook accounts belong to Polish public and private orgs, according to the Polish Cyber Command (DKWOC), which partnered with Microsoft to investigate the attacks.

“In cases identified by Cyber Command, folders permissions were modified, among others, in mailboxes that were high-value information targets for the adversary,” the Polish agency stated in its advisory.

“As a result of this change, the adversary was able to gain unauthorized access to the resources of high-value informational mailboxes through any compromised email account in the Exchange organization, using the Exchange Web Services (EWS) protocol,” the alert continued.

“It should be emphasized that the introduction of such modifications allows for the maintenance of unauthorized access to the contents of the mailbox even after losing direct access to it.”

In separate analysis published on Tuesday, security biz Proofpoint advised it spotted a “significant deviation from expected volumes of emails sent in campaigns exploiting” the Outlook vulnerability. 

Specifically, more than 10,000 emails that Proofpoint has attributed to Fancy Bear were sent during the late summer. All came from a single email provider, to defense, aerospace, technology, government, and manufacturing firms across North America and Europe.

“Their actions indicate that they seek to discover easily exploitable networks that have strategic interest to the adversary,” Greg Lesnewich, senior threat researcher at Proofpoint, told The Register. “However, it’s unclear if the quantity of emails – more than 10,000 total since August 2023 – has been a tactical decision or an operator error.”

The security shop also noted occasional, smaller-volume phishing campaigns targeting higher education, construction, and consulting businesses.

CVE-2023-23397 can be exploited by a remote, unauthenticated attacker to access a victim’s Net-NTLMv2 hash by sending a tailored email to a compromised system, then use the hash to authenticate the attacker, thus gaining access to email communications. 

“For all the late summer 2023 campaigns, TA422 sent malicious emails from various Portugalmail addresses with the subject line ‘Test Meeting’ and identical message body of ‘Test meeting, please ignore this message,'” the intel team explained.

These phishing emails contained an appointment attachment, using a TNEF file disguised as a CSV, Excel file, or Word document. The malicious extension contained a UNC path that directed traffic to an SMB listener hosted on a likely compromised Ubiquiti router, according to Proofpoint.

In the past, Fancy Bear has used compromised routers to host its command-and-control nodes, or NTLM listeners [PDF]. “The compromised routers act as listeners for the NTLM authentication where they can record inbound credential hashes without extensive engagement with the target network,” the researchers explained.

Don’t forget WinRAR

Plus, using a different set of Portugalmail email addresses the Russian spies also sent phishes exploiting a WinRAR vulnerability, CVE-2023-32231, according to Proofpoint. This vulnerability, which allows miscreants to execute malware hidden inside legitimate files, was fixed in August – but, it appears, not patched by enough people. 

For this campaign, the Russians spoofed geopolitical organizations and used the BRICS Summit and a European Parliament meeting as subject lures. 

This campaign is not the same one that other security orgs including Google TAG have previously highlighted as abusing WinRAR, we’re told. 

Proofpoint explained that the September phishing campaign uses RAR file attachments that exploit CVE-2023-32231 to drop a .cmd file and establish communications with a Responder listener server. “The .cmd file attempted to modify proxy settings in registry, download a lure document, and beacon to an IP-literal Responder server,” according to the report.

Unsuprisingly, the security shop expects the criminals to continue exploiting both bugs in unpatched systems.

Lesnewich told us “The payloads, tactics, and techniques used in these campaigns reflect TA422’s ultimate shift away from compiled malware for persistent access on targeted networks to lighter-weight, credential-oriented access.” ®