
CTI Roundup: Russian threat actor APT28 exploits Outlook vulnerability

APT28 exploits a critical Outlook vulnerability, QR phishing campaigns grow more complex, and an SQL brute force attack results in BlueSky ransomware

Emerging Issue

In this week’s roundup, CTI investigates an active campaign by the nation-state group APT28 where the threat actor exploits a critical security flaw in Outlook to steal sensitive information. Next, CTI explores the top characteristics of QR code phishing emails including the most common sources, subjects, and domains that threat actors leverage in their attacks. CTI also analyzes a recent intrusion of a public-facing MSSQL server that resulted in the deployment of BlueSky ransomware.

1. APT28 exploits a critical Outlook vulnerability

The Kremlin-backed APT28 group (aka Fancy Bear) is actively targeting a now-patched critical security flaw in the Outlook email client. APT28 is exploiting CVE-2023-23397 to gain unauthorized access to Microsoft Exchange accounts and steal sensitive information.

CVE-2023-23397 is a critical privilege escalation vulnerability in Microsoft Outlook on Windows. To exploit this vulnerability, the threat actor will deliver a specially crafted message to a user. The threat actor can specify the value for PidLidReminderFileParameter to trigger a Net-NTLMv2 hash leak to their actor-controlled servers. The victim does not have to interact with the email message. As long as Outlook is open when the reminder is triggered, the exploitation will occur.

All versions of Outlook on Windows were impacted by this vulnerability while Outlook for Android, iOS, Mac, and OWA were not affected. Microsoft traced evidence of potential exploitation of this vulnerability back to April 2022. This vulnerability was first reported in March of 2023, and a patch has since been made available.
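The indicator a defender looks for is the one described above: a PidLidReminderFileParameter value that points at a remote host instead of a local sound file. The triage helper below is an added example written for this roundup, not code from Microsoft or from the original post. It assumes the property values have already been extracted from mail items (for instance by a mailbox audit tool), and the sample values, the internal address ranges and the `.corp.example` suffix are constructed placeholders.

```python
"""Triage helper: flag Outlook reminder sound paths that point to remote hosts.

PidLidReminderFileParameter normally holds a local path to a .wav file.
A UNC path whose host is outside the organisation is the condition that
Microsoft's published guidance for CVE-2023-23397 checks for. Added example;
internal ranges and suffixes below are placeholders.
"""
import ipaddress
import re
from typing import Optional

# Assumed internal naming suffixes and address ranges (placeholders for the example).
INTERNAL_SUFFIXES = (".corp.example",)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# UNC path \\host\share\... ; also the WebDAV-style forms \\host@80\share and \\host@SSL@443\share,
# which still name a remote host and must not slip past a naive "\\host\" match.
UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@SSL)?(?:@\d+)?\\", re.IGNORECASE)


def unc_host(path: str) -> Optional[str]:
    """Return the host named by a UNC path, or None for a local path."""
    m = UNC_RE.match(path.strip())
    return m.group(1).lower() if m else None


def is_internal(host: str) -> bool:
    """Treat RFC 1918 ranges, the assumed DNS suffix and short NetBIOS names as internal."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host.endswith(INTERNAL_SUFFIXES) or "." not in host
    return any(addr in net for net in INTERNAL_NETS)


def classify(value: str) -> str:
    """empty | local | internal-unc | remote-unc (remote-unc is the one to investigate)."""
    if not value:
        return "empty"
    host = unc_host(value)
    if host is None:
        return "local"
    return "internal-unc" if is_internal(host) else "remote-unc"


# Constructed sample property values, keyed by a made-up message id (not real mailbox data).
SAMPLES = {
    "msg-001": r"C:\Windows\Media\Windows Notify Calendar.wav",
    "msg-002": r"\\fileserver.corp.example\sounds\chime.wav",
    "msg-003": r"\\203.0.113.7\share\r.wav",          # TEST-NET-3 address, constructed
    "msg-004": r"\\attacker.example@80\share\x.wav",  # WebDAV-style UNC, constructed
    "msg-005": "",
}


def triage(items: dict) -> dict:
    """Classify every extracted property value."""
    return {msg_id: classify(value) for msg_id, value in items.items()}


if __name__ == "__main__":
    for msg_id, verdict in triage(SAMPLES).items():
        print(msg_id, verdict)
```

Only the `remote-unc` verdicts need an analyst; `internal-unc` values are worth a second look because a compromised internal host could also be used as the listener, but they are not the pattern the original advisory describes.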

About APT28

While this vulnerability was released several months ago, Microsoft recently confirmed that APT28 is actively exploiting it. APT28 — also known as Forest Blizzard and Fancy Bear — is a Russian threat group that has been attributed to Russia’s General Staff Main Intelligence Directorate (GRU).

The group has been active since at least 2004 and tends to target government, energy, transportation, and non-governmental organizations in the United States, Europe, and the Middle East. APT28 is known to leverage publicly available exploits in their attacks, spending a good portion of September 2023 exploiting the WinRAR vulnerability (CVE-2023-38831) against Ukrainian government targets. The group is believed to be well-resourced and well-trained, continually refining its TTPs and employing new custom malware.

APT28 is now actively exploiting the nine-month-old Outlook vulnerability in its attacks to gain unauthorized access to email accounts within Exchange servers. Microsoft worked with the Polish Cyber Command (DKWOC) to analyze this latest activity.

After exploiting the Outlook vulnerability, APT28 typically modifies folder permissions in the victim’s mailbox to enable access to any authenticated person within the organization. This enables the actor to access high-value informational mailboxes via any compromised email account in the Exchange organization, using the Exchange Web Services (EWS) protocol.

Analyst comments from Tanium’s Cyber Threat Intelligence team

APT28 is a successful threat group that is regularly attributed to new malicious activity.

While APT28 is resourceful, the group is also known for exploiting vulnerabilities shortly after they are publicized. As such, timely patching of critical vulnerabilities is essential for protecting against APT28 attacks.

2. QR phishing campaigns grow more complex

A new report from Cofense details the top characteristics of QR code phishing emails, covering sources, subjects, and types of domains that threat actors often leverage in these campaigns. Some of the common characteristics across QR code phishing emails include captcha, MFA, and URLs that have an open redirect to a credential phishing page.

Cofense reviewed its Active Threat Reports (ATRs) for all reports with QR codes. They found that campaigns with captcha were the most popular for both QR code phishing and all credential phishing. The MFA tag was the least popular across all credential phishing reports but was a close second for QR code reports. What’s more, 29% of their QR code reports leveraged an MFA characteristic in some way, indicating that these campaigns may be more diverse now than they were just a few months ago.

QR code image sources

QR codes have typically been delivered via images that are embedded into an email. However, because tooling has become better at spotting and scanning QR codes in this way, threat actors are starting to seek alternative methods for delivery.

One new alternative method — though only seen in about 3% of campaigns — is the use of a Google API to generate the QR code. The QR code is then referenced as an external image in the email or HTML attachment. The image URL, hosted on googleapis[.]com, carries the threat actor’s URL of choice as a parameter, so the generated QR code encodes that link. This method may evade detection, for now, as most email gateways will ignore external images.

A more common alternative method is to use an attached file that has a QR code embedded in it. Cofense found that 17% of their observed QR code-based campaigns made use of attachments, a number they expect to grow in the near future.

Common subjects for QR code phishing emails

Cofense found that MFA-themed subjects made up 29% of QR code emails. They are also starting to see more personally identifiable content in subjects that require redacting.

Domain types

It’s possible to embed different types of URLs in a QR code. One type of URL is a legitimate domain that can be used for redirection. Threat actors also occasionally use link shorteners like Bitly. Domains belonging to link shorteners were used roughly 7% of the time. The most common domain type, at 62%, was malicious or compromised domains.
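The two delivery patterns above (an externally generated QR image versus an embedded one) and the shortener domain type can both be checked from the HTML body without rendering or decoding any image. The scanner below is an added example written for this roundup, not Cofense’s tooling or code from the original post. It assumes the external QR image is requested from the Google Chart API in the form `chart.googleapis.com/chart?cht=qr&chl=<encoded target>`; the sample mail body and the shortener list are constructed.

```python
"""Classify image sources in an HTML mail body for QR-code phishing triage.

Added example. An external image fetched from the Google Chart API with
cht=qr reveals the QR payload in its chl parameter, so the target URL can be
recovered and classified (e.g. link shortener) before any image is rendered.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

GOOGLE_CHART_HOST = "chart.googleapis.com"
SHORTENERS = {"bit.ly", "bitly.com", "tinyurl.com"}  # assumed list for the example


class ImgCollector(HTMLParser):
    """Collect every <img src=...> value in document order."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def extract_img_sources(html: str) -> list:
    parser = ImgCollector()
    parser.feed(html)
    return parser.sources


def classify_source(src: str):
    """Return (kind, target): target is the URL the QR code encodes when recoverable."""
    lowered = src.lower()
    if lowered.startswith("data:") or lowered.startswith("cid:"):
        return ("embedded", None)          # image travels inside the mail
    u = urlparse(src)
    if u.netloc.lower() == GOOGLE_CHART_HOST and u.path == "/chart":
        q = parse_qs(u.query)
        if q.get("cht", [""])[0] == "qr":
            return ("googleapis-qr", q.get("chl", [None])[0])
    return ("external-image", None)


def classify_target(url):
    """Coarse domain type for a recovered QR target."""
    if not url:
        return "unknown"
    host = urlparse(url).netloc.lower()
    return "shortener" if host in SHORTENERS else "other"


def triage(html: str) -> list:
    results = []
    for src in extract_img_sources(html):
        kind, target = classify_source(src)
        results.append({"src": src, "kind": kind, "target": target,
                        "target_kind": classify_target(target) if target else None})
    return results


# Constructed sample body: one embedded image, one API-generated QR code, one ordinary logo.
SAMPLE_HTML = """
<html><body>
<p>Your MFA enrollment expires today. Scan to continue.</p>
<img src="cid:qr.png">
<img src="https://chart.googleapis.com/chart?cht=qr&amp;chs=200x200&amp;chl=https%3A%2F%2Fbit.ly%2Fxyz123">
<img src="https://example.org/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_HTML):
        print(hit)
```

A gateway that ignores external images would see only a harmless `<img>` here; the point of the check is that the payload is in the URL itself, so it can be inspected as text.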

Analyst comments from Tanium’s Cyber Threat Intelligence team

While this analysis does not reveal any groundbreaking TTPs when it comes to QR code-related phishing campaigns, it does indicate that these campaigns may be getting more diverse than we originally thought.

When QR code phishing first started, most emails had generic subjects related to MFA or password resets. What we’re seeing now is more targeted QR code phishing with subjects that include personal information or specific dates. We’re also starting to see threat actors pivot as more and more solutions to detect QR code phishing become available, suggesting that we will continue to see QR code-based phishing for some time.

3. SQL brute force attack results in BlueSky ransomware

The DFIR Report recently observed an intrusion on a public-facing MSSQL server that resulted in the deployment of BlueSky ransomware. The time to ransomware in this attack was just 32 minutes. BlueSky ransomware is known to have ties to the Conti and Babuk leaked source code.

About a year ago, the DFIR Report observed a cluster of activity that was targeting MSSQL servers. This activity began with brute-force password attempts for the MS SQL system administrator account on an internet-facing server. Over 10,000 failed attempts were observed before a successful login. After discovering the password, the threat actor enabled xp_cmdshell to be able to execute shell commands on the host.

  • The threat actors started with a PowerShell command to establish a connection to a Cobalt Strike C2 server before injecting into winlogon, which is a legitimate process.
  • The injected process spawned both PowerShell and cmd to carry out SMB scans and discovery via SMBexec.
  • The PowerShell session then made a connection to a Tor2Mine stager server and executed additional PowerShell scripts to check user privileges, disable anti-virus solutions, and drop a miner payload.
  • Just 15 minutes after initial access the threat actors moved laterally to domain controllers and file shares via remote service creation. The services were used to execute PowerShell commands and download and execute the Tor2Mine malware.
  • 30 minutes after initial access, the BlueSky ransomware binary was dropped and executed on the beachhead. The time to ransomware was just 32 minutes.
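The two earliest signals in this intrusion are the long run of failed sa logins followed by a success, and the enabling of xp_cmdshell; both land in the SQL Server error log. The detector below is an added example written for this roundup, not code from The DFIR Report. It assumes the default error-log line layout (timestamp, source, message) and the standard "Login failed for user" / "Login succeeded for user" / "Configuration option 'xp_cmdshell' changed from 0 to 1" messages; note that successful logins are only written when login auditing includes successes. All log lines are constructed.

```python
"""Flag brute-force-then-success logins and xp_cmdshell enablement in SQL Server error-log lines.

Added example with constructed log lines. Thresholds are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+"
    r"(?P<outcome>Login failed|Login succeeded) for user '(?P<user>[^']+)'"
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)
XP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+\S+\s+"
    r"Configuration option 'xp_cmdshell' changed from 0 to 1"
)


def detect_bruteforce(lines, threshold=100):
    """Alert when a (client, user) pair logs in successfully after >= threshold failures."""
    failures = defaultdict(int)
    alerts = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m:
            continue
        key = (m["client"], m["user"])
        if m["outcome"] == "Login failed":
            failures[key] += 1
            continue
        if failures[key] >= threshold:
            alerts.append({"client": key[0], "user": key[1],
                           "failures": failures[key], "success_at": m["ts"]})
        failures[key] = 0  # a success ends the run either way
    return alerts


def xp_cmdshell_enabled(lines):
    """Timestamps at which xp_cmdshell was switched on."""
    return [m["ts"] for m in (XP_RE.match(l) for l in lines) if m]


def build_sample(n_failures=150):
    """Constructed log: n failed sa logins from one client, then a success, then xp_cmdshell on."""
    base = datetime(2023, 1, 1, 12, 0, 0)
    lines = []
    for i in range(n_failures):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S}.00 Logon       Login failed for user 'sa'. "
                     f"Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]")
    ts = base + timedelta(seconds=n_failures)
    lines.append(f"{ts:%Y-%m-%d %H:%M:%S}.00 Logon       Login succeeded for user 'sa'. "
                 f"Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]")
    # Unrelated benign success from an internal client: must not alert.
    lines.append(f"{ts:%Y-%m-%d %H:%M:%S}.00 Logon       Login succeeded for user 'svc_backup'. "
                 f"Connection made using SQL Server authentication. [CLIENT: 10.0.0.8]")
    lines.append("2023-01-01 12:03:10.00 spid51      Configuration option 'xp_cmdshell' changed "
                 "from 0 to 1. Run the RECONFIGURE statement to install.")
    return lines


if __name__ == "__main__":
    sample = build_sample()
    print(detect_bruteforce(sample))
    print(xp_cmdshell_enabled(sample))
```

Correlating the two (a configuration change within minutes of a brute-forced success) is the useful alert; either signal alone is noisier, and in the intrusion above both happened well inside the 32-minute window.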

The execution stage

During this stage of the attack the threat actor established a command shell via Extended SQL Stored Procedure (xp_cmdshell). This enables the user to issue operating system-level commands directly to the Windows command shell. The actor then executed a Cobalt Strike beacon and PowerShell script that is used in the campaign to deploy Tor2Mine malware.

The first PowerShell script executed a command to download a Cobalt Strike beacon. This action was followed by another PowerShell execution and then a connection to several Tor2Mine servers and URLs. Tor2Mine leverages PowerShell scripts to check whether the active user is an admin and to check the OS version. It then pulls down another script that is a PowerShell version of mimikatz. It can disable antivirus solutions like Malwarebytes, Sophos, and Windows Defender.

The malware will also check if the user is privileged. If so, it will download and install the correct version of the miner and create multiple scheduled tasks and services.

BlueSky ransomware

The BlueSky ransomware binary was eventually dropped on the beachhead as vmware.exe. The execution of this binary resulted in network-wide ransomware, which was ultimately accomplished via SMB as the ransomware connected to hosts over port 445 to encrypt files.

These encrypted files were renamed with the .bluesky file extension. The ransomware dropped a ransom note in the form of a .txt file with the name “# DECRYPT FILES BLUESKY #.txt.”

The entire attack only lasted approximately 30 minutes with limited discovery and no exfiltration.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Even though The DFIR Report is just putting this report out on an intrusion from about a year ago, many of the TTPs are still relevant and used widely today.

This attack is interesting in that there was no data exfiltration observed, which likely contributes to the fact that this entire attack only lasted just over 30 minutes. Further, the time to ransomware being 32 minutes is a painful reminder of how quickly a threat actor can accomplish their goals and thus how important timely alert triage is.


Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.