Pawn Storm, an advanced persistent threat (APT) actor also known as APT28, has been targeting high-value entities worldwide, using a variety of methods, since at least 2004.
Despite relying on seemingly outdated techniques such as decade-old phishing campaigns, the group continues to compromise hundreds of email accounts.
According to an advisory published today by Trend Micro researchers Feike Hacquebord and Fernando Merces, the group has recently been conducting Net-NTLMv2 hash relay attacks and brute-force attempts against government, defense and military networks worldwide.
Between April 2022 and November 2023, Pawn Storm reportedly focused on launching NTLMv2 hash relay attacks, targeting government departments dealing with foreign affairs, energy, defense, transportation and various other sectors.
The group was active in Europe, North America, South America, Asia, Africa and the Middle East. It maintained persistence by modifying folder permissions in victims' mailboxes, enabling lateral movement.
Pawn Storm has improved its operational security in recent years, gradually changing its tactics. Brute-force credential attacks against mail servers and corporate VPN services have been common since 2019.
Read more about Pawn Storm: Russian APT28 Group Changes Tack to Probe Email Servers
More recently, the group has also employed anonymization layers such as VPN services, Tor, compromised EdgeOS routers and free services such as URL shorteners. The use of anonymization layers extends to spear-phishing emails sent from compromised email accounts accessed over Tor or VPN exit nodes.
A critical vulnerability, CVE-2023-23397, patched in March 2023, allowed Pawn Storm to conduct hash relay attacks against Outlook users. Exploiting this flaw, the group sent malicious calendar invitations that triggered the Net-NTLMv2 hash relay attack: the invitation's reminder property points at an attacker-controlled UNC path, so Outlook connects to the attacker's SMB server and authenticates, leaking the victim's Net-NTLMv2 response without any user interaction.
The campaign extended into August 2023, evolving with more elaborate techniques, including scripts hosted on Mockbin and URLs redirecting to PHP scripts on free web hosting domains.
Pawn Storm's diversification includes using the WinRAR vulnerability CVE-2023-38831 for hash relay attacks. A credential phishing campaign in late 2023 targeted European governments, using webhook[.]site URLs and VPN IP addresses.
In October 2022, Pawn Storm deployed an information stealer with no command-and-control (C2) server at all. This crude but effective method involved uploading stolen files to a free file-sharing service and retrieving them via shortened URLs.
In the Trend Micro advisory, Hacquebord and Merces warned that Pawn Storm remains aggressive despite its two-decade history, combining loud and noisy tactics with advanced and stealthy techniques.
Network defenders are urged to use the indicators of compromise provided in the research to bolster their defenses against Pawn Storm's persistent threats.