Spear-Phishing Operations of Star Blizzard APT Group Attributed to Russian Intelligence Agency FSB
A joint report from the Five Eyes intelligence alliance, published on December 7, 2023, reveals the cyber operations of Russia's FSB “Centre 18” and its associated group, Star Blizzard (aka SEABORGIUM, Callisto Group, TA446, COLDRIVER, TAG-53, BlueCharlie) [1]. Since 2019, Star Blizzard has been spear-phishing various sectors, including academia, defense, government, NGOs, think tanks, and politicians in NATO and countries neighboring Russia [2]. Star Blizzard used EvilGinx, an open-source tool, to bypass multifactor authentication by stealing credentials and session cookies [3].
Star Blizzard's main social engineering tactic in this campaign is to create fake email accounts and social media profiles that impersonate known contacts and respected experts. It lures victims with fake event invitations and then uses phishing links to capture account credentials, which are exfiltrated through actor-controlled servers.
Once it obtains credentials, Star Blizzard accesses victims' email accounts remotely to steal emails and attachments, sets up mail-forwarding rules for ongoing surveillance, and uses the compromised accounts for further phishing and targeting, for example by harvesting mailing lists and contact data.
Threat Actors Abusing Secure Token Service (STS) to Compromise AWS Cloud Services
According to a report published by Red Canary researchers on December 5, 2023, threat actors abuse legitimate AWS security features, namely the Secure Token Service (STS) and its short-term (ASIA) and long-term (AKIA) IAM tokens [4]. Threat actors steal these tokens to gain initial access to and persistence in AWS cloud infrastructure. ASIA tokens are created by abusing STS, whereas an AKIA token must first be exposed to the threat actor for persistent access.
Adversaries compromise AKIA tokens with many of the same techniques used to compromise traditional endpoints: previously compromised endpoints, public repositories that inadvertently contain credential data, and phishing emails. Once an adversary has access to an AKIA token, they extract the MFA code and device details. With the MFA code in hand, adversaries can use the legitimate IAM user's long-term AKIA token to request the creation of short-term ASIA tokens as a backup, ensuring persistence in the event the initial AKIA token is revoked.
Once the adversary has access to the IAM user account via the AKIA/ASIA token, they have a firm foothold to perform lateral movement and escalate privileges from within AWS infrastructure.
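The AKIA-to-ASIA persistence pattern above is visible in CloudTrail, because every STS call that mints short-term credentials is logged together with the key that made it. The following is an added example, not code from the Red Canary report: it runs two checks over constructed CloudTrail-style records, flagging a long-term AKIA key that mints ASIA credentials from an IP outside an allowlist, and a minted ASIA key that is later used from a different IP than the one that created it. The sample events, key IDs and IP addresses are constructed.

```python
# Constructed CloudTrail-style records (not real telemetry): an IAM user's long-term
# AKIA key calls STS to mint a short-term ASIA key, which is later used from another IP.
SAMPLE_EVENTS = [
    {"eventTime": "2023-12-05T09:58:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAEXAMPLE0000001"}},
    {"eventTime": "2023-12-05T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetSessionToken", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAEXAMPLE0000001"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE0000009",
                                          "expiration": "2023-12-06T10:00:00Z"}}},
    {"eventTime": "2023-12-05T11:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "ASIAEXAMPLE0000009"}},
]

# STS calls that hand back a fresh set of short-term (ASIA) credentials.
STS_MINTING_CALLS = {"GetSessionToken", "GetFederationToken", "AssumeRole"}


def find_sts_abuse(events, known_ips=frozenset()):
    """Check 1: an AKIA key mints ASIA credentials from an IP outside known_ips.
    Check 2: a minted ASIA key is used from an IP other than the one that minted it."""
    findings = []
    minted = {}  # ASIA access key -> (user name, IP that minted it)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        ident = ev.get("userIdentity") or {}
        key, ip, user = ident.get("accessKeyId", ""), ev.get("sourceIPAddress", ""), ident.get("userName")
        if (ev.get("eventSource") == "sts.amazonaws.com"
                and ev.get("eventName") in STS_MINTING_CALLS and key.startswith("AKIA")):
            creds = (ev.get("responseElements") or {}).get("credentials") or {}
            new_key = creds.get("accessKeyId", "")
            if new_key.startswith("ASIA"):
                minted[new_key] = (user, ip)  # remember who minted it and from where
            if ip not in known_ips:
                findings.append({"rule": "sts-mint-from-longterm-key", "user": user, "ip": ip,
                                 "longterm_key": key, "new_key": new_key, "time": ev["eventTime"]})
        elif key.startswith("ASIA") and key in minted:
            mint_user, mint_ip = minted[key]
            if ip != mint_ip:  # backup token in use from somewhere it was not created
                findings.append({"rule": "asia-key-used-from-new-ip", "user": mint_user, "ip": ip,
                                 "minting_ip": mint_ip, "key": key, "time": ev["eventTime"]})
    return findings


if __name__ == "__main__":
    for f in find_sts_abuse(SAMPLE_EVENTS, known_ips={"203.0.113.10"}):
        print(f)
```

In production the events would come from CloudTrail Lake or an S3 trail, and the allowlist from known CI and office egress addresses.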
APT28 Targets NATO’s Rapid Response: Exploiting Outlook's CVE-2023-23397
According to a report published by Palo Alto Networks Unit 42 on December 7, 2023, the Russian government-aligned threat actor APT28 (aka Fighting Ursa) targeted NATO Rapid Deployable Corps (High Readiness Force headquarters capable of swift deployment to NATO forces) by exploiting the Microsoft Outlook vulnerability CVE-2023-23397 [5]. Exploitation of the vulnerability exposes the targeted user's Net-NTLMv2 hashes [6]. These hashes are then used in relay attacks against other systems that support NTLMv2, allowing the threat actor to authenticate as the targeted user.
APT28 started using the Outlook security flaw as a zero-day in March 2022, three weeks after Russia invaded Ukraine, to target the State Migration Service of Ukraine [7]. Between mid-April and December 2022, they breached the networks of approximately 15 government, military, energy, and transportation organizations in Europe to steal emails potentially containing military intelligence to support Russia's invasion of Ukraine [8].
Microsoft patched the zero-day one year later, in March 2023, and linked the activity to the Russian hacking group APT28. The same operators continue to use CVE-2023-23397 to steal credentials that allow them to move laterally through compromised networks [9]. The attack surface widened further in May 2023, when a bypass (CVE-2023-29324) affecting all Windows versions of Outlook surfaced [10]. Either vulnerability can now be exploited with relatively low complexity to achieve similar objectives against targets using Outlook.
Structured Data
Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack: https://cti.eclecticiq.com/taxii/discovery.
Please refer to our support page for guidance on how to access the feeds.
About EclecticIQ Intelligence and Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence and Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research toward your priority area.
Appendix
[1] “Advisory: Russian FSB cyber actor Star Blizzard continues worldwide spear-phishing campaigns”. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-341a
[2] M. T. Intelligence, “Star Blizzard increases sophistication and evasion in ongoing attacks,” Microsoft Security Blog. Accessed: Dec. 11, 2023. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/
[3] K. Gretzky, “Evilginx 3.0.” Dec. 11, 2023. Accessed: Dec. 11, 2023. [Online]. Available: https://github.com/kgretzky/evilginx2
[4] susannah.matt@redcanary.com, “How adversaries infiltrate AWS cloud accounts,” Red Canary. Accessed: Dec. 11, 2023. [Online]. Available: https://redcanary.com/blog/aws-sts/
[5] Unit 42, “Fighting Ursa Aka APT28: Illuminating a Covert Campaign,” Unit 42. Accessed: Dec. 11, 2023. [Online]. Available: https://unit42.paloaltonetworks.com/russian-apt-fighting-ursa-exploits-cve-2023-233397/
[6] “NVD - cve-2023-23397.” Accessed: Dec. 11, 2023. [Online]. Available: https://nvd.nist.gov/vuln/detail/cve-2023-23397
[7] Unit 42, “Threat Brief - CVE-2023-23397 - Microsoft Outlook Privilege Escalation,” Unit 42. Accessed: Dec. 11, 2023. [Online]. Available: https://unit42.paloaltonetworks.com/threat-brief-cve-2023-23397/
[8] “Russian APT28 hackers breach Ukrainian govt email servers,” BleepingComputer. Accessed: Dec. 11, 2023. [Online]. Available: https://www.bleepingcomputer.com/news/security/russian-apt28-hackers-breach-ukrainian-govt-email-servers/
[9] “Microsoft fixes Outlook zero-day used by Russian hackers since April 2022,” BleepingComputer. Accessed: Dec. 11, 2023. [Online]. Available: https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-outlook-zero-day-used-by-russian-hackers-since-april-2022/
[10] “From One Vulnerability to Another: Outlook Patch Analysis Reveals Important Flaw in Windows API,” Akamai. Accessed: Dec. 11, 2023. [Online]. Available: https://www.akamai.com/blog/security-research/important-outlook-vulnerability-bypass-windows-api