Microsoft Echoes Warnings on APT28 Exploiting CVE-2023-23397



Microsoft’s Threat Intelligence (MSIRT) has issued a warning that the Russia-linked cyber-espionage group APT28 (aka Fancy Bear) is actively exploiting the Outlook flaw CVE-2023-23397 to hijack Microsoft Exchange accounts and steal sensitive information.

Active since 2007, the APT28 group has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 presidential election. Most of APT28’s campaigns have leveraged spear-phishing and malware-based attacks.


Earlier this year, Microsoft published guidance for investigating attacks exploiting the patched Outlook vulnerability tracked as CVE-2023-23397. The vulnerability is a Microsoft Outlook spoofing vulnerability that can lead to an authentication bypass.

In recent attacks spotted by Microsoft’s Threat Intelligence, the nation-state actors primarily targeted government, energy, transportation, and non-governmental organizations in the US, Europe, and the Middle East.

The researchers note that the attackers also commonly employed multiple other known vulnerabilities, including CVE-2023-38831 in WinRAR and CVE-2021-40444 in Windows MSHTML.

Google partnered with the Polish Cyber Command (DKWOC) to identify the malicious cluster activity and mitigate it.

As part of these activities in cyberspace, the use of a technique was observed that involves modifying the permissions of mailbox folders on Microsoft Exchange servers. It gives an attacker covert, unauthorized access to email correspondence, and it was used after access to email accounts had been gained through CVE-2023-23397 or password-spraying activity.
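The folder-permission technique described above leaves a durable, auditable trace: a mailbox folder whose "Default" or "Anonymous" principal carries rights other than None. The following PowerShell script is an added example for defenders, not code from the article or from Microsoft or DKWOC. It assumes an Exchange Management Shell or Exchange Online PowerShell session (for example after Connect-ExchangeOnline) with permission to run Get-Mailbox and Get-MailboxFolderPermission; the folder names checked are the English defaults and are an assumption, since Exchange localizes them.

```powershell
# Added example (not from the original article): audit Exchange mailbox folders
# for broad grants to the well-known "Default" (all authenticated users) and
# "Anonymous" principals. In a normal tenant both should be "None" on mail
# folders; anything else is a candidate for follow-up.
# Assumption: an Exchange / Exchange Online PowerShell session is already open.

# Folder display names are localized; these English names are an assumption.
$foldersToCheck = @('Inbox', 'Sent Items', 'Drafts', 'Archive')
$broadPrincipals = @('Default', 'Anonymous')

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Check the mailbox root as well as the common mail folders.
    foreach ($folder in @('') + $foldersToCheck) {
        $identity = '{0}:\{1}' -f $mbx.UserPrincipalName, $folder
        $perms = Get-MailboxFolderPermission -Identity $identity -ErrorAction SilentlyContinue
        foreach ($p in $perms) {
            $principal = $p.User.DisplayName
            $rights = ($p.AccessRights -join ',')
            if ($broadPrincipals -contains $principal -and $rights -ne 'None') {
                [pscustomobject]@{
                    Mailbox      = $mbx.UserPrincipalName
                    Folder       = if ($folder) { $folder } else { '<root>' }
                    Principal    = $principal
                    AccessRights = $rights
                }
            }
        }
    }
}

# Emit findings for review or export (e.g. pipe to Export-Csv for a ticket).
$findings | Sort-Object Mailbox, Folder | Format-Table -AutoSize
```

A hit from this audit is a starting point, not a verdict: some organizations intentionally publish a shared calendar or a team inbox. Pair the result with the admin audit log (Add-MailboxFolderPermission and Set-MailboxFolderPermission entries, via Search-AdminAuditLog on-premises or Search-UnifiedAuditLog in Exchange Online) to see who changed the permission and when, and with sign-in logs for the accounts that subsequently read the folder.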


Microsoft recommends that organizations patch their systems and keep them updated to mitigate this threat.

In October, the French National Agency for the Security of Information Systems ANSSI warned that the Russia-linked APT28 group has been targeting multiple French organizations, including government entities, businesses, universities, and research institutes and think tanks.

The French agency noticed that the threat actors used different techniques to avoid detection, including the compromise of low-risk, monitored equipment located at the edge of the target networks. The government experts pointed out that in some cases the group did not deploy any backdoor on the compromised systems.


ANSSI observed at least three attack techniques employed by APT28 in the attacks against French organizations:

Searching for zero-day vulnerabilities [T1212, T1587.004];

Compromise of routers and personal email accounts [T1584.005, T1586.002];

The use of open source tools and online services [T1588.002, T1583.006].

ANSSI investigations confirm that APT28 exploited the Outlook 0-day vulnerability.
