On December 4th, 2023 [7], Microsoft disclosed that Forest Blizzard, a Russian state-sponsored APT group [1] [5] [7] [11], has been actively exploiting vulnerabilities to target government [7], energy [1] [5] [6] [7] [10] [11], transportation [1] [5] [6] [7] [10] [11], and non-governmental organizations in the US [5], Europe [1] [5] [6] [7] [10] [11], and the Middle East [1] [5] [7] [10] [11].

Description

Forest Blizzard [3] [5] [8] [9] [11], also known as APT28 [1] [5] [6] [7] [8] [9], BlueDelta [4] [8] [9], Fancy Bear [2] [4] [5] [8] [9] [10] [11], FROZENLAKE [8] [9], Iron Twilight [8] [9], Sednit [8] [9], Sofacy [4] [8] [9], and TA422 [8] [9], has a history of targeting government [10] [11], energy [1] [5] [6] [7] [10] [11], and transportation organizations in the US [11], Europe [1] [5] [6] [7] [10] [11], and the Middle East [1] [5] [7] [10] [11]. The group has conducted high-profile attacks against the US Democratic National Committee and the International Olympic Committee [11]. In this campaign Forest Blizzard primarily exploits CVE-2023-23397, a critical privilege escalation vulnerability in Outlook on Windows [7], which allows unauthorized access to victims’ accounts on Exchange servers [8] [9]. The attack starts with a phishing email that causes the victim’s Outlook client to request a file from a remote server controlled by the group [7]; that request leaks the victim’s Net-NTLMv2 hash to the attackers [7]. Forest Blizzard’s activity is difficult to track and attribute because the group uses custom techniques and malware [11]. The Polish Cyber Command [1] [2] [3] [4] [5] [10] [11], which detected the attacks [11], has named the campaign “Silence.” Forest Blizzard may also be exploiting other known vulnerabilities, such as CVE-2023-38831 in WinRAR and CVE-2021-40444 in Microsoft’s proprietary browser engine for Internet Explorer [7]. Microsoft has thanked the Polish Cyber Command for its help in identifying and mitigating the techniques used by Forest Blizzard [5]. Attacks on Microsoft Exchange servers and Outlook email accounts have been increasing [11]; recent compromises by the Chinese-backed Storm-0558 threat group targeted US government agencies [11].
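The hash leak described above is a forced outbound authentication from the victim's machine to a host the attackers control, so one defender-side check is to look for workstations opening SMB (TCP 445) connections to addresses outside the organization. The following is an added Python example, not code from any of the cited sources; the log format, the sample log lines and the internal address ranges are all constructed assumptions.

```python
import ipaddress

# Constructed sample firewall log (not from the page). Assumed format:
# "<timestamp> <allow|deny> proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port>"
SAMPLE_LOG = """\
2023-12-04T09:01:12Z allow proto=tcp src=10.20.1.15:51022 dst=10.20.0.5:445
2023-12-04T09:01:40Z allow proto=tcp src=10.20.1.15:51030 dst=203.0.113.77:445
2023-12-04T09:02:03Z allow proto=tcp src=10.20.1.22:51100 dst=198.51.100.9:443
2023-12-04T09:02:15Z allow proto=tcp src=10.20.1.22:51104 dst=203.0.113.77:445
2023-12-04T09:03:00Z deny  proto=tcp src=10.20.1.31:51200 dst=203.0.113.77:445
"""

# Assumed internal address space of the monitored network (RFC 1918 ranges).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The forced file request makes the Windows client authenticate with NTLM to the
# remote "file server"; over SMB that is TCP 445. Other transports exist, so
# restricting the check to this one port is a simplification for the example.
SMB_PORT = 445

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line: str):
    """Return (action, proto, src_ip, dst_ip, dst_port) for one log line."""
    _ts, action, proto, src, dst = line.split()
    src_ip = src.split("=", 1)[1].rsplit(":", 1)[0]
    dst_ip, dst_port = dst.split("=", 1)[1].rsplit(":", 1)
    return action, proto.split("=", 1)[1], src_ip, dst_ip, int(dst_port)

def find_external_smb(log_text: str) -> dict:
    """Map each external SMB destination to the internal hosts that reached for it.

    Denied attempts are kept on purpose: the firewall stopped the hash leak, but
    the mail item that triggered the request is still in the user's mailbox.
    """
    findings: dict = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        action, proto, src_ip, dst_ip, dst_port = parse_line(line)
        if proto != "tcp" or dst_port != SMB_PORT:
            continue
        if is_internal(src_ip) and not is_internal(dst_ip):
            findings.setdefault(dst_ip, []).append((src_ip, action))
    return findings

if __name__ == "__main__":
    for dst, hits in find_external_smb(SAMPLE_LOG).items():
        print(f"outbound SMB to {dst}: {hits}")
```

Each flagged destination is a candidate attacker server, and each listed source host is a mailbox to inspect for the triggering message.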

Conclusion

The Russian Fancy Bear threat group [2], one of the names under which Forest Blizzard is tracked, has been exploiting a nine-month-old vulnerability in Microsoft Exchange [2], specifically targeting organizations in Poland and potentially other countries [2]. The Polish Cyber Command identified these attacks and observed the exploitation of CVE-2023-23397 [2], an elevation-of-privilege vulnerability in Exchange [2]. The vulnerability has also been exploited as a zero-day [2], including in attacks against Ukrainian organizations [2]. To mitigate these attacks [10], Microsoft recommends patching Outlook and applying additional measures such as password resets and multi-factor authentication. Forest Blizzard’s record of targeting organizations running unpatched Microsoft software underlines the importance of timely security updates. The collaboration between Microsoft and the Polish Cyber Command is an example of effective cooperation against cyber threats. Organizations are advised to remain vigilant and apply the necessary security updates to protect against exploitation by Forest Blizzard and other threat actors.

References

[1] https://vulnera.com/newswire/russian-apt28-hackers-exploit-outlook-flaw-to-hijack-exchange-accounts/
[2] https://duo.com/decipher/russian-group-targeting-exchange-flaw
[3] https://cyber.vumetric.com/security-news/2023/12/05/russian-hackers-use-old-outlook-vulnerability-to-target-polish-orgs-cve-2023-23397/
[4] https://www.scmagazine.com/news/microsoft-blames-russia-for-ongoing-hacks-of-9-month-old-exchange-bug
[5] https://www.infosecurity-magazine.com/news/russian-apt28-exploits-outlook-bug/
[6] https://www.helpnetsecurity.com/2023/12/05/apt28-poland-cve-2023-23397/
[7] https://fieldeffect.com/blog/russian-apt28-hackers-exploiting-known-flaws-in-latest-campaign
[8] https://owasp.or.id/2023/12/06/microsoft-warns-of-kremlin-backed-apt28-exploiting-critical-outlook-vulnerability/
[9] https://thehackernews.com/2023/12/microsoft-warns-of-kremlin-backed-apt28.html
[10] https://techmonitor.ai/technology/cybersecurity/microsoft-apt28-outlook
[11] https://www.techtarget.com/searchSecurity/news/366562020/Fancy-Bear-hackers-still-exploiting-Microsoft-Exchange-flaw