Sunday, June 8, 2025
Earth-News

Fancy Bear targets Nato entities via critical Outlook flaw

December 8, 2023

A vulnerability patched in March has likely been exploited by the Russian state actor Fancy Bear for over two years, according to the latest intelligence.

By Alex Scroxton, Security Editor

Published: 08 Dec 2023 13:15

The Kremlin-backed advanced persistent threat (APT) actor known to the cyber community variously as APT28, Fighting Ursa, Forest Blizzard and most famously, Fancy Bear, may have been exploiting a critical elevation of privilege (EoP) zero-day in Microsoft Outlook much earlier and more widely than thought.

CVE-2023-23397 was officially disclosed and patched back in March 2023. It is a particularly nasty bug, exploited by sending a specially crafted email to the victim, but because it can be triggered server-side, they do not actually need to open or view it to become compromised.

A few days after that, Mandiant’s John Hultquist warned that the vulnerability had likely been exploited by Moscow against Ukrainian targets for well over 12 months. Then, earlier in December, Microsoft and Polish Cyber Command warned that exploitation of the bug was ongoing.

Now, new evidence published by the Unit 42 team at Palo Alto Networks has revealed that Fancy Bear has been using the zero-day liberally over the past 20 months, in three distinct campaigns dating from March to December of 2022, in March of 2023, and most recently between September and October of this year, targeting at least 30 organisations in 14 nations, the majority of them Nato members.

Victimology extends across multiple sectors, including energy production and distribution; pipeline operations; materiel, personnel and air transport; and various government defence, foreign and internal affairs and economic ministries.

The targeted countries were Bulgaria, Czechia, Italy, Jordan, Lithuania, Luxembourg, Montenegro, Poland, Romania, Slovakia, Türkiye, Ukraine, the United Arab Emirates and the United States, as well as the Nato High Readiness Force Headquarters, which are dispersed across Europe in the UK, France, Germany, Greece, Poland and Türkiye.

Unit 42 said its discovery offered valuable insight into Russian state targeting priorities during the ongoing war in Ukraine. “Delving into more than 50 observed samples in which Fighting Ursa targeted victims with CVE-2023-23397 provides unique and informative insights into Russian military priorities during a time of international conflict for them,” the team wrote.

“Zero-day exploits by their nature are valuable commodities for APTs. Threat actors only use these exploits when the rewards associated with the access and intelligence gained outweigh the risk of public discovery of the exploit.

“Using a zero-day exploit against a target indicates it is of significant value. It also suggests that existing access and intelligence for that target were insufficient at the time.

“In the second and third campaigns, Fighting Ursa continued to use a publicly known exploit that was already attributed to them, without changing their techniques. This suggests that the access and intelligence generated by these operations outweighed the ramifications of public outing and discovery,” they said.

“For these reasons, the organisations targeted in all three campaigns were most likely a higher than normal priority for Russian intelligence.”

How CVE-2023-23397 works

CVE-2023-23397 targets Windows NT LAN Manager (NTLM), a challenge-response authentication protocol known to be prone to relay attacks, as a result of which Microsoft has used Kerberos as its default protocol since Windows 2000.

Unfortunately for Microsoft users, many Microsoft systems, including Outlook, will default back to NTLM as a failsafe if Kerberos is not feasible.

In the exploitation chain, a vulnerable or misconfigured Outlook instance receives a specially crafted email and sends an NTLM authentication message to a remote file share controlled by Fancy Bear. The share receives back an NTLMv2 hash, which the APT then uses to impersonate the victim and gain access to their network.

Kennet Harpsøe, Logpoint senior cyber analyst, commented: “Given the overall political situation the described attack should not come as a surprise for anyone…NTLM is ancient and depreciated. The modern replacement is Kerberos [which] is standard even in Windows networks, but NTLM is used as a fall back and is thus still widely used despite its numerous and well-known security flaws.

“If you can, disable NTLM in your AD, and if you cannot, make sure to monitor the NTLM traffic on your network. Are new users all of a sudden using NTLM authentication all the time? NTLM authentication requests should normally not be leaving your network. If they do, it should be thoroughly investigated. Track all NTLM replay attempts in your network from your AD log,” he said. 

“Enforce Signing (SMB/LDAP) and Extended Protection for Authentication (EPA) for all relevant servers, like domain controllers and email servers, to defeat most replay attacks.”

Added Harpsøe: “Finally, one wonders why it is still not standard to encrypt emails at rest, with keys private to the recipients. PGP has been around for a long time. It’s not much fun stealing emails if you can’t read them!”
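
The two monitoring checks Harpsøe describes (SMB sessions, which carry the NTLM exchange, leaving the network, and accounts that suddenly start authenticating with NTLM) can be sketched as follows. This is an added example, not code from the article or from Logpoint; the CSV flow format, the sample records and the RFC 1918-only definition of "internal" are assumptions, and the logon records borrow the `TargetUserName` and `AuthenticationPackageName` field names from Windows Security event 4624.

```python
import csv
import io
import ipaddress

# Assumption: the organisation's internal address space is RFC 1918 only.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {139, 445}  # NetBIOS session service and SMB over TCP

# Constructed flow records; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for internet hosts.
FLOWS_CSV = """ts,src_ip,dst_ip,dst_port
2023-12-08T09:00:01Z,10.1.4.22,10.1.0.5,445
2023-12-08T09:00:07Z,10.1.4.22,203.0.113.77,445
2023-12-08T09:01:12Z,10.1.7.9,198.51.100.20,443
2023-12-08T09:02:30Z,192.168.20.14,198.51.100.20,139
"""

# Constructed logon records using two fields of Windows Security event 4624.
BASELINE = [{"TargetUserName": "svc-scan", "AuthenticationPackageName": "NTLM"},
            {"TargetUserName": "alice", "AuthenticationPackageName": "Kerberos"}]
TODAY = [{"TargetUserName": "svc-scan", "AuthenticationPackageName": "NTLM"},
         {"TargetUserName": "alice", "AuthenticationPackageName": "NTLM"},
         {"TargetUserName": "bob", "AuthenticationPackageName": "Kerberos"}]


def is_internal(addr):
    """True if addr falls inside one of the assumed internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def smb_leaving_network(flows_csv):
    """Return flows where an internal host opens SMB to a non-internal address."""
    hits = []
    for row in csv.DictReader(io.StringIO(flows_csv)):
        if (int(row["dst_port"]) in SMB_PORTS
                and is_internal(row["src_ip"])
                and not is_internal(row["dst_ip"])):
            hits.append((row["ts"], row["src_ip"], row["dst_ip"]))
    return hits


def new_ntlm_users(baseline, current):
    """Return accounts seen with NTLM logons now but not during the baseline."""
    def ntlm_users(events):
        return {e["TargetUserName"].lower() for e in events
                if e["AuthenticationPackageName"].upper() == "NTLM"}
    return sorted(ntlm_users(current) - ntlm_users(baseline))


if __name__ == "__main__":
    print(smb_leaving_network(FLOWS_CSV), new_ntlm_users(BASELINE, TODAY))
```

The internal ranges are listed explicitly because Python's `ipaddress` module reports the documentation ranges used here as `is_private`, which would hide the sample external hosts.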

Busy bears

Unit 42’s latest disclosure about the extent of malicious Russian cyber activity comes in the wake of major new intelligence published yesterday by the UK’s National Cyber Security Centre (NCSC) and partner agencies in which a campaign of cyber attacks on the British political process was firmly attributed to a Federal Security Service (FSB) group called Star Blizzard, but also tracked as Cold River and Seaborgium among other names.

The government judges this campaign to be so serious in its nature that it yesterday summoned the Russian ambassador to account for it, and placed two named individuals, including an FSB agent, on the UK’s financial sanctions list over their involvement in an attack on a prominent thinktank.

Star Blizzard is known to be run by the FSB’s Centre 18 unit, whereas Fancy Bear is more likely controlled by the General Staff Main Intelligence Directorate (GRU) 85th Special Service Centre’s (GTsSS) Unit 26165.

While both the FSB and GRU are successor units to the Soviet-era KGB beloved by generations of spy fiction writers, the FSB is responsible for counter-intelligence, state security and intelligence gathering outside Russia’s borders, and reports directly to Vladimir Putin.

The GRU, meanwhile, is the primary intelligence service of the Russian Armed Services, and unlike the FSB is ultimately subordinate to Moscow’s military command structure. The GRU is considered to be Russia’s largest intelligence service, and it also controls the country’s infamous Spetsnaz special forces.

Formed during the Cold War, the Spetsnaz saw action during the Prague Spring of 1968 and the Soviet invasion of Afghanistan. More recently they were the so-called Little Green Men seen in Crimea prior to its illegal annexation from Ukraine in 2014, and have participated in various actions on Ukrainian soil since February 2022, including sabotage against key targets, and potentially assassination attempts against Ukrainian president Volodymyr Zelensky.

Copyright for syndicated content belongs to the linked Source : Computer Weekly – https://www.computerweekly.com/news/366562615/Fancy-Bear-targets-Nato-entities-via-critical-Outlook-flaw

© 2023 earth-news.info
