APT28 Hackers Use NTLM Relay Attacks to Target High-Value Organizations

admin · February 4, 2024, 12:28:17

Russian state-sponsored actors have staged NT LAN Manager (NTLM) v2 hash relay attacks through various methods from April 2022 to November 2023, targeting high-value targets worldwide.

The attacks, attributed to an "aggressive" hacking crew called APT28, have set their eyes on organizations dealing with foreign affairs, energy, defense, and transportation, as well as those involved with labor, social welfare, finance, parenthood, and local city councils.

Cybersecurity firm Trend Micro assessed these intrusions as a "cost-efficient method of automating attempts to brute-force its way into the networks" of its targets, noting the adversary may have compromised thousands of email accounts over time.

APT28 is also tracked by the broader cybersecurity community under the names Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422.

The group, believed to be active since at least 2009, is operated by Russia's GRU military intelligence service and has a track record of using spear-phishing emails carrying malicious attachments, or strategic web compromises, to trigger its infection chains.

In April 2023, APT28 was implicated in attacks leveraging now-patched flaws in networking equipment from Cisco to conduct reconnaissance and deploy malware against select targets.

The nation-state actor, in December, came under the spotlight for exploiting a privilege escalation flaw in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) and WinRAR (CVE-2023-38831, CVSS score: 7.8) to access a user's Net-NTLMv2 hash and use it to stage an NTLM Relay attack against another service to authenticate as the user.

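As an added, defender-side check that is not part of the article or of Trend Micro's research, the PowerShell below audits the local Windows policies that decide whether a captured Net-NTLMv2 hash can be relayed onward (SMB and LDAP signing, LDAPS channel binding) and whether the host will send NTLM to remote servers at all, which is the step the Outlook flaw abuses. The expected values are an assumed hardening baseline, not figures taken from the report.

```powershell
# Added example, not code from the article or from Trend Micro. Audits the
# registry-backed policies that decide whether a captured Net-NTLMv2 hash can
# be relayed (SMB/LDAP signing, channel binding) and whether this host will
# emit NTLM to remote servers at all (the path CVE-2023-23397 abuses).
# Expected values are an assumed hardening baseline; run in an elevated shell.

$checks = @(
    @{ Name = 'SMB server requires signing'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name = 'SMB client requires signing'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value = 'RequireSecuritySignature'; Expected = 1 },
    # The next two only exist on domain controllers; elsewhere they read "not set".
    @{ Name = 'LDAP server requires signing (DC)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value = 'LDAPServerIntegrity'; Expected = 2 },
    @{ Name = 'LDAPS channel binding enforced (DC)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value = 'LdapEnforceChannelBinding'; Expected = 2 },
    # 5 = send NTLMv2 only and refuse LM / NTLMv1 responses.
    @{ Name = 'LmCompatibilityLevel is NTLMv2-only'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'LmCompatibilityLevel'; Expected = 5 },
    # 0 = allow, 1 = audit, 2 = deny outgoing NTLM to remote servers.
    @{ Name = 'Outgoing NTLM to remote servers denied'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value = 'RestrictSendingNTLMTraffic'; Expected = 2 }
)

$report = foreach ($c in $checks) {
    # A missing value means the Windows default applies, which is weaker than the baseline.
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($c.Value) } else { $null }
    [pscustomobject]@{
        Check    = $c.Name
        Actual   = if ($null -eq $actual) { 'not set (default)' } else { $actual }
        Expected = $c.Expected
        Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'REVIEW' }
    }
}

$report | Format-Table -AutoSize
# Exit non-zero when anything needs review, so the script can feed a scheduled job.
if ($report | Where-Object Status -eq 'REVIEW') { exit 1 }
```

Setting RestrictSendingNTLMTraffic to deny can break legacy services, so treat a REVIEW on that row as a prompt to run it in audit mode (value 1) and read the resulting NTLM audit events before enforcing.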
An exploit for CVE-2023-23397 is said to have been used to target Ukrainian entities as early as April 2022, according to a March 2023 advisory from CERT-EU.

It has also been observed leveraging lures related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace, alongside striking Ukrainian government entities and Polish organizations with phishing messages designed to deploy backdoors and information stealers like OCEANMAP, MASEPIE, and STEELHOOK.

One of the significant aspects of the threat actor's attacks is the continuous attempt to improve its operational playbook, fine-tuning and tinkering with its approaches to evade detection.

This includes the addition of anonymization layers such as VPN services, Tor, data center IP addresses, and compromised EdgeOS routers to carry out scanning and probing activities. Another tactic entails sending spear-phishing messages from compromised email accounts over Tor or VPN.

"Pawn Storm has also been using EdgeOS routers to send spear-phishing emails, perform callbacks of CVE-2023-23397 exploits in Outlook, and proxy credential theft on credential phishing websites," security researchers Feike Hacquebord and Fernando Merces said.

"Part of the group's post-exploitation activities involve the modification of folder permissions within the victim's mailbox, leading to enhanced persistence," the researchers said. "Using the victim's email accounts, lateral movement is possible by sending additional malicious email messages from within the victim organization."

It's currently not known whether the threat actor breached these routers itself or is using routers that were already compromised by a third party. That said, no fewer than 100 EdgeOS routers are estimated to have been infected.

Furthermore, recent credential harvesting campaigns against European governments have used bogus login pages mimicking Microsoft Outlook that are hosted on webhook[.]site URLs, a pattern previously attributed to the group.

An October 2022 phishing campaign, however, singled out embassies and other high-profile entities, delivering by email a "simple" information stealer that collected files matching specific extensions and exfiltrated them to a free file-sharing service named Keep.sh.

"The loudness of the repetitive, oftentimes crude and aggressive campaigns, drown out the silence, subtlety, and complexity of the initial intrusion, as well as the post-exploitation actions that might occur once Pawn Storm gets an initial foothold in victim organizations," the researchers said.

The development comes as Recorded Future News revealed an ongoing hacking campaign undertaken by the Russian threat actor COLDRIVER (aka Calisto, Iron Frontier, or Star Blizzard) that impersonates researchers and academics to redirect prospective victims to credential harvesting pages.

Originally published on the WeChat public account 知机安全: APT28 Hackers Use NTLM Relay Attacks to Target High-Value Organizations

Reposted by CN-SEC 中文网 (please keep this link when reposting; thanks to the original author): http://cn-sec.com/archives/2465293.html
