Fighting Ursa Aka APT28: Illuminating a Covert Campaign

Fighting Ursa exploited a Microsoft Outlook vulnerability (CVE-2023-23397) to conduct NTLM relay campaigns against high-value targets across NATO-aligned nations, using it first as a zero-day and later, after public disclosure, to harvest credentials and move within networks. The operation included attacker-controlled infrastructure and an account on a public mail service, and it targeted organizations spanning the energy and defense sectors; readers are advised to patch Outlook and strengthen defenses against NTLM relay techniques. #FightingUrsa #APT28 #CVE-2023-23397 #NTLMRelay

Key points

  • Fighting Ursa used CVE-2023-23397 (Outlook) to target at least 30 organizations in 14 nations, first as a zero-day and subsequently after its public disclosure.
  • The campaigns occurred in three waves: Mar–Dec 2022, Mar 2023, and Aug–Oct 2023.
  • Victims were high-value intelligence targets across NATO member states, including critical infrastructure sectors (energy, pipelines, information technology) and defense ministries.
  • The attack chain featured an NTLM relay attack triggered by Outlook during exploitation, allowing impersonation of victims within their networks.
  • Actors used co-opted Ubiquiti devices to harvest NTLM authentication messages, aligning with prior Fighting Ursa activity.
  • Attribution ties the group to Russia’s GRU (Unit 26165), and the operation underscores Russia’s strategic targeting priorities.

MITRE Techniques

  • [T1203] Exploitation for Client Execution – ‘zero-day exploit in Microsoft Outlook (now known as CVE-2023-23397). This vulnerability is especially concerning since it doesn’t require user interaction to exploit.’
  • [T1550] NTLM Relay – ‘NTLM authentication message to an attacker-controlled remote file share. The NTLM authentication response is an NTLMv2 hash that Fighting Ursa uses to impersonate the victim.’
  • [T1136] Create Account – ‘the actors had created on a public mail service (portugalmail[.]pt).’

Indicators of Compromise

  • [IP Address] Command-and-control / infrastructure – 5.199.162[.]132, 101.255.119[.]42, and 12 more IPs
  • [SHA256 Hash] Malicious artifact evidence – 4238c061102400fa27356266c6f677d1d7320f66f955a7f389eb24f10a49b53d
  • [Domain] Email infrastructure domain – portugalmail[.]pt
  • [Email Address] Sender account used in campaign – [email protected]
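An egress check a defender can run for the chain described above, added here as an example and not taken from the Unit 42 report: it parses constructed firewall log lines, flags outbound connections to the two IoC IPs listed on this page, and flags any outbound SMB (TCP 445) from internal hosts to external addresses, on the assumption that the attacker-controlled remote file share is reached over SMB. The log line format and the internal address ranges are assumptions.

```python
import ipaddress
import re

# IoC IPs taken from the indicator list on this page (defanging removed).
IOC_IPS = {"5.199.162.132", "101.255.119.42"}

# Assumption: the "remote file share" Outlook is forced to authenticate to is
# reached over SMB, so TCP 445 leaving the network is the high-signal case.
FILE_SHARE_PORTS = {445}

# Assumption: internal address space is RFC 1918 plus loopback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample firewall log (not from the report); 203.0.113.0/24 is a
# documentation range standing in for an arbitrary external host.
SAMPLE_LOG = """\
2023-03-15T09:12:01Z src=10.20.1.15 dst=10.20.5.8 dport=445 action=allow
2023-03-15T09:12:07Z src=10.20.1.15 dst=5.199.162.132 dport=445 action=allow
2023-03-15T09:13:44Z src=10.20.1.22 dst=203.0.113.77 dport=445 action=allow
2023-03-15T09:14:02Z src=10.20.1.22 dst=203.0.113.77 dport=443 action=allow
2023-03-15T09:15:30Z src=10.20.1.30 dst=101.255.119.42 dport=445 action=deny
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) action=(?P<action>\w+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def classify(rec):
    """Label a flow 'known-ioc', 'external-smb', or None if not suspicious.
    Denied flows are kept: an attempted contact is still a finding."""
    if not is_external(rec["dst"]):
        return None
    if rec["dst"] in IOC_IPS:
        return "known-ioc"
    if rec["dport"] in FILE_SHARE_PORTS:
        return "external-smb"
    return None

def find_suspicious(log_text):
    """Return the suspicious records from a log, each with its label attached."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and (label := classify(rec)):
            hits.append({**rec, "label": label})
    return hits
```

Internal-to-internal SMB on line one is ignored, while the denied attempt to an IoC address on the last line is still reported, since a blocked connection to known infrastructure is the signal a responder wants to see.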

Read more: https://unit42.paloaltonetworks.com/russian-apt-fighting-ursa-exploits-cve-2023-233397/