@ndma 05 May 2023

Threat Actor

APT 28

Description

The agency attributed the phishing campaign to APT28, which is also known by the names Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, Sednit, and Sofacy. The email messages come with the subject line "Windows Update" and purportedly contain instructions in the Ukrainian language to run a PowerShell command under the pretext of security updates.

Running the script loads and executes a next-stage PowerShell script that's designed to collect basic system information through commands like tasklist and systeminfo, and exfiltrate the details via an HTTP request to a Mocky API. To trick the targets into running the command, the emails impersonate system administrators of the targeted government entities using fake Microsoft Outlook email accounts created with the employees' real names and initials.

CERT-UA is recommending that organizations restrict users' ability to run PowerShell scripts and monitor network connections to the Mocky API. The disclosure comes weeks after the APT28 was tied to attacks exploiting now-patched security flaws in networking equipment to conduct reconnaissance and deploy malware against select targets.

CVE-2023-23397, CVSS score: 9.8 is linked to the success of this attack:

Reference

https://thehackernews.com/2023/05/apt28-targets-ukrainian-government.html https://thehackernews.com/2023/03/microsoft-warns-of-stealthy-outlook.html https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397