Russian APT28 compromised Western logistics and IT firms to track aid to Ukraine

Credential guessing and spearphishing: The attackers used brute-force credential guessing techniques, also known as password spraying, to gain initial access to accounts. This was complemented with targeted phishing emails that directed recipients to fake login pages for government entities or Western cloud email providers. These phishing pages were stored on free web hosting services or on compromised routers. The hackers also sent spearphishing emails with malicious document attachments that distributed malware programs known as HEADLACE and MASEPIE. Targets in Ukraine also received additional malware variants called OCEANMAP and STEELHOOK. Attackers often used DLL search order hijacking to execute these malicious programs on computers. It involves delivering a legitimate program along with a malicious DLL that the program’s code is looking for, so that the DLL executes automatically.
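Password spraying is the opposite shape from a classic brute force: one or two passwords tried against many accounts, so per-account lockout thresholds never fire. The following is an added defensive example, not code from the article or from the joint advisory, showing how that shape can be picked out of authentication logs. The log format and the log lines are constructed for this example.

```python
"""Added example, not code from the article or the joint advisory: a small
detector for the password-spraying pattern described above, run over
constructed authentication log lines. The log format is hypothetical:
"<ISO-8601 timestamp> <source_ip> <username> <SUCCESS|FAILURE>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source cycles through seven accounts once each (a spray,
# ending in one success); a second source hammers a single account (not a spray).
SAMPLE_LOG = """\
2025-05-21T10:00:01Z 203.0.113.7 alice FAILURE
2025-05-21T10:00:03Z 203.0.113.7 bob FAILURE
2025-05-21T10:00:05Z 203.0.113.7 carol FAILURE
2025-05-21T10:00:07Z 203.0.113.7 dave FAILURE
2025-05-21T10:00:09Z 203.0.113.7 erin FAILURE
2025-05-21T10:00:11Z 203.0.113.7 frank FAILURE
2025-05-21T10:00:13Z 203.0.113.7 grace SUCCESS
2025-05-21T10:05:00Z 198.51.100.9 alice FAILURE
2025-05-21T10:05:10Z 198.51.100.9 alice FAILURE
2025-05-21T10:05:20Z 198.51.100.9 alice SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, source_ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Return {source_ip: {"accounts": [...], "successes": [...]}} for every source
    that, inside one sliding time window, tried at least `min_accounts` distinct
    usernames with no more than `max_per_account` attempts on any of them.

    The distinct-account count per source is the signal; the "successes" list
    names accounts that accepted a login from that source inside the same window
    and therefore need a password reset and a session review.
    """
    events = sorted(parse_line(line) for line in log_text.splitlines() if line.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start so evs[start:end+1] spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            attempts = defaultdict(int)
            successes = set()
            for _, user, result in evs[start:end + 1]:
                attempts[user] += 1
                if result == "SUCCESS":
                    successes.add(user)
            if len(attempts) >= min_accounts and max(attempts.values()) <= max_per_account:
                alerts[ip] = {"accounts": sorted(attempts), "successes": sorted(successes)}
    return alerts


if __name__ == "__main__":
    for ip, hit in detect_spray(SAMPLE_LOG).items():
        print(f"spray from {ip}: {len(hit['accounts'])} accounts tried, "
              f"successful logins: {hit['successes'] or 'none'}")
```

The thresholds (window, account count, attempts per account) are tuning knobs: on real identity-provider logs they should be set from a baseline of normal helpdesk and service-account behaviour, and the source key may need to be a subnet or ASN rather than a single address, since sprays are often spread across many egress IPs.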

Exploitation of known vulnerabilities: APT28 also exploited software vulnerabilities to gain initial access. For example, the attackers sent specifically crafted Outlook calendar invitations that exploited the CVE-2023-23397 Outlook vulnerability to steal NTLM hashes and credentials. The CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026 flaws in Roundcube, a popular open-source email software package, were exploited to execute arbitrary shell commands on servers. Meanwhile, the CVE-2023-38831 WinRAR vulnerability was exploited to execute arbitrary code on computers when users attempted to open specifically crafted archives.

Lateral movement and email spying: Once they compromised a target system, the attackers attempted to perform lateral movement through the network by dumping credentials and using tools that already existed on systems or which are often used for system administration, a technique known as living off the land. This included the Remote Desktop Protocol (RDP), PowerShell, Active Directory Domain Services commands and open-source tools like Impacket and PsExec.

“After an initial compromise using one of the above techniques, unit 26165 actors conducted contact information reconnaissance to identify additional targets in key positions,” according to the advisory. “The actors also conducted reconnaissance of the cybersecurity department, individuals responsible for coordinating transport, and other companies cooperating with the victim entity.”

The attackers targeted Office 365 users and email servers to set up persistent email collection from the compromised organizations. This involved manipulating mailbox permissions and enrolling users in multi-factor authentication with devices they controlled. The kind of information they were after included details about shipments to Ukraine, such as point of departure, destination, train/plane/ship numbers, container registration numbers, travel routes and the cargo contents.

“In at least one instance, the actors attempted to use voice phishing to gain access to privileged accounts by impersonating IT staff.”

The attackers abused server data exchange protocols and APIs such as the Exchange Web Services (EWS) and Internet Message Access Protocol (IMAP) to exfiltrate data from email servers. For example, periodic EWS queries were used to collect new emails.

“In addition to targeting logistics entities, unit 26165 actors likely used access to private cameras at key locations, such as near border crossings, military installations, and rail stations, to track the movement of materials into Ukraine,” according to the advisory. “The actors also used legitimate municipal services, such as traffic cams.”

The joint advisory contains extensive indicators of compromise such as file names, IP addresses, email addresses, commands, scripts and legitimate utilities. These could be used for threat hunting and the detection of compromises, but the agencies warn that some of these IOCs might have changed, as APT28 has access to an extensive infrastructure and resources. The advisory also includes detection rules and recommendations for network and systems architecture and configuration changes, identity and access management, and hardening steps for IP cameras.
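Two of the mailbox behaviours described above leave distinctive traces in audit data: a permission grant that gives one account access to another mailbox, and a collector that polls a mailbox over EWS on a fixed schedule. The following is an added hunting example, not code from the article or from the joint advisory and not any product's real audit schema; the records and their JSON field names are constructed for the example.

```python
"""Added example, not code from the article or the joint advisory: two hunting
checks over mailbox audit records for behaviours the article describes,
self-granted mailbox permissions (persistence) and clock-regular EWS access
from one client (a script periodically collecting new mail). The records are
constructed and use a hypothetical JSON-lines schema; the field names are
assumptions, not any product's real audit format.
"""
import json
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample audit events: one admin grants itself FullAccess on a
# director's mailbox, one grants a team account access to a shared mailbox.
_EVENTS = [
    {"ts": "2025-05-20T08:00:00Z", "op": "Add-MailboxPermission", "actor": "helpdesk1",
     "mailbox": "ops.director", "grantee": "helpdesk1", "rights": "FullAccess"},
    {"ts": "2025-05-20T08:05:00Z", "op": "Add-MailboxPermission", "actor": "admin2",
     "mailbox": "shared.fleet", "grantee": "fleet-team", "rights": "FullAccess"},
]
# Six EWS reads of the director's mailbox, exactly 15 minutes apart, from one address ...
for i in range(6):
    _EVENTS.append({"ts": f"2025-05-20T{9 + (15 * i) // 60:02d}:{(15 * i) % 60:02d}:00Z",
                    "op": "MailItemsAccessed", "actor": "ops.director",
                    "client": "EWS", "ip": "203.0.113.7"})
# ... and three irregular Outlook reads by the real user from the office network.
for ts in ("2025-05-20T09:02:17Z", "2025-05-20T09:41:03Z", "2025-05-20T11:07:49Z"):
    _EVENTS.append({"ts": ts, "op": "MailItemsAccessed", "actor": "ops.director",
                    "client": "Outlook", "ip": "10.0.0.5"})
SAMPLE_AUDIT = "\n".join(json.dumps(e) for e in _EVENTS)


def load_events(text):
    """Parse JSON-lines audit text into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_self_grants(events):
    """Permission grants where the acting account gave itself rights on someone
    else's mailbox. Returns [(actor, mailbox), ...]. Such a grant keeps working
    after the mailbox owner's password is reset, which is why it is worth a look."""
    return [(e["actor"], e["mailbox"]) for e in events
            if e["op"] == "Add-MailboxPermission"
            and e["grantee"] == e["actor"]
            and e["mailbox"] != e["actor"]]


def find_periodic_ews(events, min_events=5, max_cv=0.1):
    """Group EWS item accesses by (mailbox, source ip) and flag series whose
    inter-access intervals are nearly constant (coefficient of variation at most
    `max_cv`). Returns {(mailbox, ip): mean_interval_seconds}. People read mail
    in bursts; a poller leaves evenly spaced entries with almost no jitter."""
    series = defaultdict(list)
    for e in events:
        if e["op"] == "MailItemsAccessed" and e.get("client") == "EWS":
            series[(e["actor"], e["ip"])].append(
                datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ"))
    hits = {}
    for key, stamps in series.items():
        stamps.sort()
        if len(stamps) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            hits[key] = mean
    return hits


if __name__ == "__main__":
    evs = load_events(SAMPLE_AUDIT)
    for actor, mailbox in find_self_grants(evs):
        print(f"self-granted access: {actor} -> {mailbox}")
    for (mailbox, ip), secs in find_periodic_ews(evs).items():
        print(f"periodic EWS polling of {mailbox} from {ip} every {secs / 60:.0f} min")
```

Both checks are heuristics meant to produce a short review list rather than verdicts: legitimate delegate grants and scheduled integrations will show up too, so the result should be joined against change tickets and the list of sanctioned service accounts and egress addresses before anything is treated as a compromise.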

First seen on csoonline.com

Jump to article: www.csoonline.com/article/3993691/russian-apt28-compromised-western-logistics-and-it-firms-to-track-aid-to-ukraine.html
