Sunday, February 23, 2025

Revealing Pawn Storm’s Covert Net-NTLMv2 Attack

Pawn Storm, also known as APT28, is an advanced persistent threat (APT) actor that has been targeting high-value entities worldwide since at least 2004, using a wide range of techniques.

Despite using seemingly outdated tactics, such as phishing campaigns reminiscent of a decade ago, the group continues to compromise thousands of email accounts.

According to an advisory published by Trend Micro researchers Feike Hacquebord and Fernando Merces, the group has recently been involved in Net-NTLMv2 hash relay attacks, attempting to brute-force its way into government, defense, and military networks worldwide.

Between April 2022 and November 2023, Pawn Storm reportedly focused on launching NTLMv2 hash relay attacks, targeting government departments dealing with foreign affairs, energy, defense, transportation, and various other sectors.

The group was active in Europe, North America, South America, Asia, Africa, and the Middle East, and demonstrated persistence by modifying folder permissions in victims’ mailboxes to enable lateral movement.

Pawn Storm has enhanced its operational security in recent years, gradually changing its tactics. Brute-force credential attacks on mail servers and corporate VPN services have been common since 2019.

Read more about Pawn Storm: Russian APT28 Group Changes Tack to Probe Email Servers

In recent years, the group has also employed anonymization layers such as VPN services, Tor, compromised EdgeOS routers, and free services such as URL shorteners. The use of anonymization layers extends to spear-phishing emails sent from compromised email accounts accessed over Tor or VPN exit nodes.

A critical vulnerability, CVE-2023-23397, patched in March 2023, allowed Pawn Storm to conduct hash relay attacks on Outlook users. Exploiting this flaw, the group sent malicious calendar invitations that triggered the Net-NTLMv2 hash relay attack.
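As an added illustration (not code from the Trend Micro report), a mailbox-scan check in the spirit of the defender response to CVE-2023-23397: the flaw fired when a calendar item's reminder sound path (the MAPI named property PidLidReminderFileParameter) pointed at a UNC path, so Outlook authenticated to that host and leaked the user's Net-NTLMv2 response without any click. The trusted domain suffix and the sample calendar items below are constructed, and the items are given as already-parsed dictionaries rather than raw MAPI messages.

```python
import ipaddress
import re

# Constructed trusted suffix: UNC paths to hosts under it are treated as internal.
INTERNAL_SUFFIXES = (".corp.example",)

# A UNC path: two leading backslashes, a host token, then a path separator.
UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/]")


def is_internal_host(host):
    """True for private/loopback IP literals or hosts under a trusted suffix."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return host.lower().endswith(INTERNAL_SUFFIXES)


def classify_reminder_path(path):
    """Classify a reminder sound path as clean, unc-internal or unc-external.

    Returns (verdict, host). Empty values and local file paths are clean;
    any UNC path makes Outlook authenticate to the named host, and one that
    points outside the organisation is what exploitation of CVE-2023-23397
    looks like in a mailbox at rest.
    """
    if not path:
        return "clean", None
    m = UNC_RE.match(path)
    if not m:
        return "clean", None
    # Strip WebDAV-style port suffixes such as host@80 or host@SSL@443.
    host = m.group(1).split("@")[0]
    return ("unc-internal" if is_internal_host(host) else "unc-external"), host


def scan_calendar_items(items):
    """Return (subject, host) for items whose reminder path leaks NTLM externally."""
    findings = []
    for item in items:
        verdict, host = classify_reminder_path(item.get("reminder_file"))
        if verdict == "unc-external":
            findings.append((item["subject"], host))
    return findings


# Constructed sample items, not indicators from the report.
SAMPLE_ITEMS = [
    {"subject": "Weekly sync", "reminder_file": None},
    {"subject": "Budget review", "reminder_file": r"C:\Windows\Media\Alarm01.wav"},
    {"subject": "Team offsite", "reminder_file": r"\\10.0.0.5\media\chime.wav"},
    {"subject": "Urgent: policy update", "reminder_file": r"\\untrusted-host.example\s\a.wav"},
    {"subject": "Invoice", "reminder_file": r"\\untrusted-host.example@80\dav\a.wav"},
]

if __name__ == "__main__":
    for subject, host in scan_calendar_items(SAMPLE_ITEMS):
        print(f"suspicious reminder path in '{subject}' -> {host}")
```

Internal UNC hits are still worth reviewing, since a relay from inside the network is possible, but the external ones are the immediate incident-response lead.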

Pawn Storm’s diversification includes using the WinRAR vulnerability CVE-2023-38831 for hash relay attacks. A credential phishing campaign in late 2023 targeted European governments, using webhook(.)site URLs and VPN IP addresses.

In October 2022, Pawn Storm employed an information stealer with no command-and-control (C2) server. This crude but effective technique involved uploading stolen files to a free file-sharing service, with shortened URLs used for access.

In the Trend Micro advisory, Hacquebord and Merces warned that Pawn Storm remains aggressive despite its two-decade history, combining loud and aggressive tactics with advanced and stealthy techniques.

Network defenders are urged to use the indicators of compromise provided in the research to bolster their defenses against Pawn Storm’s persistent threats.
