Pawn Storm APT Launch Hash Relay Attacks on Government Departments

In the analysis by Trendmicro, they dissect the recent maneuvers of this advanced persistent threat (APT) actor, shedding light on its unyielding repetition of tactics and the intricate dance between its seemingly unsophisticated campaigns and the concealed sophistication within.

Known by aliases APT28 and Forest Blizzard, Pawn Storm’s resilience echoes through a decade-long saga of relentless cyber intrusions. 

While some may dismiss its aged phishing techniques, these campaigns, often targeting hundreds simultaneously, provide a nuanced understanding of the threat actor’s evolving infrastructure and more advanced exploits hidden beneath the surface.

Document
Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

Navigating the Noise – Net-NTLMv2 Hash Relay Attacks*

From April 2022 to November 2023, Pawn Storm orchestrated extensive Net-NTLMv2 hash relay attacks, creating peaks of activity against government entities in foreign affairs, energy, defense, and transportation. 

Is this relentless assault a mere display of noise or cost-efficient automation of brute-force attempts targeting global networks of governments and defense industries?

Trend Micro said that Pawn Storm employs a sophisticated array of anonymization tools, including VPN services, Tor, and compromised EdgeOS routers.

This cloak of anonymity extends to its spear-phishing emails, originating from compromised email accounts accessed through Tor or VPN exit nodes. 

The cyber chessboard expands with the integration of free services and URL shorteners, adding layers to its elusive presence.

Vulnerability Exploitation – CVE-2023-23397 Unveiled

March 2023 witnessed the exploitation of the critical Outlook vulnerability CVE-2023-23397 by Pawn Storm. 

Delivered through spear-phishing emails, this flaw allowed the attacker to launch Net-NTLMv2 hash relay attacks, persistently targeting Microsoft Exchange Servers within victim organizations. 

The chessboard evolves with the intricate moves of exploiting zero-day vulnerabilities.

In a revelation of subtlety, Pawn Storm deployed a streamlined information stealer in October 2022. 

This malicious attachment, devoid of a command-and-control server, autonomously exfiltrated data from embassies and high-profile targets. 

Spear phishing email

Spear-phishing email sent by Pawn Storm in October 2022 with a malicious attachment that installs a simple information stealer without a C&C server

The crude exterior conceals a methodical approach, with the stolen information discreetly uploaded to free file-sharing services, evading attribution.

Pawn Storm’s legacy extends beyond two decades, embodying both aggression and determination.

Its strategic evolution, from brute-force assaults to the deployment of zero-day vulnerabilities, challenges defenders to decipher the intricate moves on this digital chessboard. 

For network defenders seeking to fortify their defenses, the appendix offers an extensive list of indicators. 

Despite Pawn Storm’s use of shared IP addresses, the relatively slow changes in its tactics serve as a beacon for detecting the initial stages of compromise. 

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as "GruesomeLarch"…

1 day ago

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by Egypt-based…

2 days ago

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in Central…

2 days ago

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to India,…

2 days ago

Raspberry Robin Employs TOR Network For C2 Servers Communication

Raspberry Robin, a stealthy malware discovered in 2021, leverages advanced obfuscation techniques to evade detection…

2 days ago

145,000 ICS Systems, Thousands of HMIs Exposed to Cyber Attacks

Critical infrastructure, the lifeblood of modern society, is under increasing threat as a new report…

2 days ago