Sunday, July 14, 2024

Pawn Storm APT Launch Hash Relay Attacks on Government Departments

In the analysis by Trendmicro, they dissect the recent maneuvers of this advanced persistent threat (APT) actor, shedding light on its unyielding repetition of tactics and the intricate dance between its seemingly unsophisticated campaigns and the concealed sophistication within.

Known by aliases APT28 and Forest Blizzard, Pawn Storm’s resilience echoes through a decade-long saga of relentless cyber intrusions. 

While some may dismiss its aged phishing techniques, these campaigns, often targeting hundreds simultaneously, provide a nuanced understanding of the threat actor’s evolving infrastructure and more advanced exploits hidden beneath the surface.

Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

Navigating the Noise – Net-NTLMv2 Hash Relay Attacks*

From April 2022 to November 2023, Pawn Storm orchestrated extensive Net-NTLMv2 hash relay attacks, creating peaks of activity against government entities in foreign affairs, energy, defense, and transportation. 

Is this relentless assault a mere display of noise or cost-efficient automation of brute-force attempts targeting global networks of governments and defense industries?

Trend Micro said that Pawn Storm employs a sophisticated array of anonymization tools, including VPN services, Tor, and compromised EdgeOS routers.

This cloak of anonymity extends to its spear-phishing emails, originating from compromised email accounts accessed through Tor or VPN exit nodes. 

The cyber chessboard expands with the integration of free services and URL shorteners, adding layers to its elusive presence.

Vulnerability Exploitation – CVE-2023-23397 Unveiled

March 2023 witnessed the exploitation of the critical Outlook vulnerability CVE-2023-23397 by Pawn Storm. 

Delivered through spear-phishing emails, this flaw allowed the attacker to launch Net-NTLMv2 hash relay attacks, persistently targeting Microsoft Exchange Servers within victim organizations. 

The chessboard evolves with the intricate moves of exploiting zero-day vulnerabilities.

In a revelation of subtlety, Pawn Storm deployed a streamlined information stealer in October 2022. 

This malicious attachment, devoid of a command-and-control server, autonomously exfiltrated data from embassies and high-profile targets. 

Spear phishing email
Spear phishing email

Spear-phishing email sent by Pawn Storm in October 2022 with a malicious attachment that installs a simple information stealer without a C&C server

The crude exterior conceals a methodical approach, with the stolen information discreetly uploaded to free file-sharing services, evading attribution.

Pawn Storm’s legacy extends beyond two decades, embodying both aggression and determination.

Its strategic evolution, from brute-force assaults to the deployment of zero-day vulnerabilities, challenges defenders to decipher the intricate moves on this digital chessboard. 

For network defenders seeking to fortify their defenses, the appendix offers an extensive list of indicators. 

Despite Pawn Storm’s use of shared IP addresses, the relatively slow changes in its tactics serve as a beacon for detecting the initial stages of compromise. 


Latest articles

mSpy Data Breach: Millions of Customers’ Data Exposed

mSpy, a widely used phone spyware application, has suffered a significant data breach, exposing...

Advance Auto Parts Cyber Attack: Over 2 Million Users Data Exposed

RALEIGH, NC—Advance Stores Company, Incorporated, a prominent commercial entity in the automotive industry, has...

Hackers Using ClickFix Social Engineering Tactics to Deploy Malware

Cybersecurity researchers at McAfee Labs have uncovered a sophisticated new method of malware delivery,...

Coyote Banking Trojan Attacking Windows Users To Steal Login Details

Hackers use Banking Trojans to steal sensitive financial information. These Trojans can also intercept...

Hackers Created 700+ Fake Domains to Sell Olympic Games Tickets

As the world eagerly anticipates the Olympic Games Paris 2024, a cybersecurity threat has...

Japanese Space Agency Spotted zero-day via Microsoft 365 Services

The Japan Aerospace Exploration Agency (JAXA) has revealed details of a cybersecurity incident that...

Top 10 Active Directory Management Tools – 2024

Active Directory Management Tools are essential for IT administrators to manage and secure Active...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles