APT28 Malware Attack Outlook: Microsoft warns about Forest Blizzard Group

APT28 Malware Attack: On Monday, Microsoft detected Kremlin-backed nation-state activity, exploiting the critical flaws of Microsoft Outlook Mailing Service. The flaws can provide unauthorized access to victim’s accounts over Exchange servers. According to Microsoft, the culprit is Forest Blizzard Group (previously known as “Strontium”). The attackers group is found to be spreading APT28 malware, which is also known as Fancy Bear, Sednit, FrozenLake, and BlueDelta.

APT28 Malware Attack Outlook

The vulnerability that the group is exploiting isĀ CVE-2023-23397, which was reported as a critical privilege escalation bug with a CVSS score of 9.8. The bug allows an attacker to use the Net-NTMLv2 hash of a user to conduct a relay attack against the authentication service. Microsoft patched the bug in March 2023. The attackers aimed to gain unauthorized access to public and private mailboxes.

Modus Operandi of APT28 Malware Attack:

APT28 Malware Attack Outlook 1

According to Microsoft, the CVE-2023-23397 can be exploited by delivering a specially crafted message to targeted user. The massage will include a parameter “PidLidReminderFileParameter“, it is an extended Messaging Application Programming Interface property. The crafted message sent by attacker can set MAPI to a Universal Naming Convention (UNC) path to attacker controlled server path for SMB/TCP Port 445.

According to DKWOC, the attackers used to change the permissions of the compromised user’s “Default” group from “None” to “Owner”.Changing the permission will allow any authenticated user to access the mail folders within the organization, enabling attackers to extract the user’s private information.

HrServ Web Shell

It is believed that the state-sponsored group is linked to the “26165” unit of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). The GRU is the Russia’s most effective spy agency.

The Frozen Blizzard Group is developing rapidly by building custom techniques and creating malware variants. This signifies that strong resources and trained group back the group. Microsoft said it imposes long-term challenges to tracking and attributing their activity. Many enterprises, MNCs, and companies use Microsoft Outlook, making it an attractive vector for attack.

Read More: MagicLine4NX Exploit: Lazarus Group Launch Supply Chain Attacks