Pawn Storm APT Launch Hash Relay Attacks on Government Departments

In the analysis by Trendmicro, they dissect the recent maneuvers of this advanced persistent threat (APT) actor, shedding light on its unyielding repetition of tactics and the intricate dance between its seemingly unsophisticated campaigns and the concealed sophistication within.

Known by aliases APT28 and Forest Blizzard, Pawn Storm’s resilience echoes through a decade-long saga of relentless cyber intrusions. 

While some may dismiss its aged phishing techniques, these campaigns, often targeting hundreds simultaneously, provide a nuanced understanding of the threat actor’s evolving infrastructure and more advanced exploits hidden beneath the surface.

Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

Run Free Threat Scan

Navigating the Noise – Net-NTLMv2 Hash Relay Attacks*

From April 2022 to November 2023, Pawn Storm orchestrated extensive Net-NTLMv2 hash relay attacks, creating peaks of activity against government entities in foreign affairs, energy, defense, and transportation. 

Is this relentless assault a mere display of noise or cost-efficient automation of brute-force attempts targeting global networks of governments and defense industries?

Trend Micro said that Pawn Storm employs a sophisticated array of anonymization tools, including VPN services, Tor, and compromised EdgeOS routers.

This cloak of anonymity extends to its spear-phishing emails, originating from compromised email accounts accessed through Tor or VPN exit nodes. 

The cyber chessboard expands with the integration of free services and URL shorteners, adding layers to its elusive presence.

Vulnerability Exploitation – CVE-2023-23397 Unveiled

March 2023 witnessed the exploitation of the critical Outlook vulnerability CVE-2023-23397 by Pawn Storm. 

Delivered through spear-phishing emails, this flaw allowed the attacker to launch Net-NTLMv2 hash relay attacks, persistently targeting Microsoft Exchange Servers within victim organizations. 

The chessboard evolves with the intricate moves of exploiting zero-day vulnerabilities.

In a revelation of subtlety, Pawn Storm deployed a streamlined information stealer in October 2022. 

This malicious attachment, devoid of a command-and-control server, autonomously exfiltrated data from embassies and high-profile targets. 

Spear-phishing email sent by Pawn Storm in October 2022 with a malicious attachment that installs a simple information stealer without a C&C server

The crude exterior conceals a methodical approach, with the stolen information discreetly uploaded to free file-sharing services, evading attribution.

Pawn Storm’s legacy extends beyond two decades, embodying both aggression and determination.

Its strategic evolution, from brute-force assaults to the deployment of zero-day vulnerabilities, challenges defenders to decipher the intricate moves on this digital chessboard. 

For network defenders seeking to fortify their defenses, the appendix offers an extensive list of indicators. 

Despite Pawn Storm’s use of shared IP addresses, the relatively slow changes in its tactics serve as a beacon for detecting the initial stages of compromise.