Monday, March 4, 2024

Pawn Storm APT Launch Hash Relay Attacks on Government Departments

In the analysis by Trendmicro, they dissect the recent maneuvers of this advanced persistent threat (APT) actor, shedding light on its unyielding repetition of tactics and the intricate dance between its seemingly unsophisticated campaigns and the concealed sophistication within.

Known by aliases APT28 and Forest Blizzard, Pawn Storm’s resilience echoes through a decade-long saga of relentless cyber intrusions. 

While some may dismiss its aged phishing techniques, these campaigns, often targeting hundreds simultaneously, provide a nuanced understanding of the threat actor’s evolving infrastructure and more advanced exploits hidden beneath the surface.

Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

Navigating the Noise – Net-NTLMv2 Hash Relay Attacks*

From April 2022 to November 2023, Pawn Storm orchestrated extensive Net-NTLMv2 hash relay attacks, creating peaks of activity against government entities in foreign affairs, energy, defense, and transportation. 

Is this relentless assault a mere display of noise or cost-efficient automation of brute-force attempts targeting global networks of governments and defense industries?

Trend Micro said that Pawn Storm employs a sophisticated array of anonymization tools, including VPN services, Tor, and compromised EdgeOS routers.

This cloak of anonymity extends to its spear-phishing emails, originating from compromised email accounts accessed through Tor or VPN exit nodes. 

The cyber chessboard expands with the integration of free services and URL shorteners, adding layers to its elusive presence.

Vulnerability Exploitation – CVE-2023-23397 Unveiled

March 2023 witnessed the exploitation of the critical Outlook vulnerability CVE-2023-23397 by Pawn Storm. 

Delivered through spear-phishing emails, this flaw allowed the attacker to launch Net-NTLMv2 hash relay attacks, persistently targeting Microsoft Exchange Servers within victim organizations. 

The chessboard evolves with the intricate moves of exploiting zero-day vulnerabilities.

In a revelation of subtlety, Pawn Storm deployed a streamlined information stealer in October 2022. 

This malicious attachment, devoid of a command-and-control server, autonomously exfiltrated data from embassies and high-profile targets. 

Spear phishing email
Spear phishing email

Spear-phishing email sent by Pawn Storm in October 2022 with a malicious attachment that installs a simple information stealer without a C&C server

The crude exterior conceals a methodical approach, with the stolen information discreetly uploaded to free file-sharing services, evading attribution.

Pawn Storm’s legacy extends beyond two decades, embodying both aggression and determination.

Its strategic evolution, from brute-force assaults to the deployment of zero-day vulnerabilities, challenges defenders to decipher the intricate moves on this digital chessboard. 

For network defenders seeking to fortify their defenses, the appendix offers an extensive list of indicators. 

Despite Pawn Storm’s use of shared IP addresses, the relatively slow changes in its tactics serve as a beacon for detecting the initial stages of compromise. 


Latest articles

US Court Orders NSO Group to Handover Code for Spyware, Pegasus to WhatsApp

Meta, the company that owns WhatsApp, filed a lawsuit against NSO Group in 2019....

New SSO-Based Phishing Attack Trick Users into Sharing Login Credentials  

Threat actors employ phishing scams to trick individuals into giving away important details like...

U.S. Charged Iranian Hacker, Rewards up to $10 Million

The United States Department of Justice (DoJ) has charged an Iranian national, Alireza Shafie...

Huge Surge in Ransomware-as-a-Service Attacks targeting Middle East & Africa

The Middle East and Africa (MEA) region has witnessed a surge in ransomware-as-a-service (RaaS)...

New Silver SAML Attack Let Attackers Forge Any SAML Response To Entra ID

SolarWinds cyberattack was one of the largest attacks of the century in which attackers...

AI Worm Developed by Researchers Spreads Automatically Between AI Agents

Researchers have developed what they claim to be one of the first generative AI...

20 Million+ Cutout.Pro User Records Leaked On Hacking Forums

CutOut.Pro, an AI-powered photo and video editing platform, has reportedly suffered a data breach,...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles