Pawn Storm’s Stealthy Net-NTLMv2 Assault Revealed

Pawn Storm, an advanced persistent threat (APT) actor also known as APT28, has been targeting high-value entities globally, employing a range of techniques since at least 2004. 

Despite relying on seemingly outdated methods like decade-old phishing campaigns, the group continues to compromise thousands of email accounts. 

According to an advisory published today by Trend Micro researchers Feike Hacquebord and Fernando Merces, the group has recently been involved in Net-NTLMv2 hash relay attacks, attempting to brute-force its way into government, defense and military networks worldwide.

Between April 2022 and November 2023, Pawn Storm reportedly focused on launching NTLMv2 hash relay attacks, targeting government departments dealing with foreign affairs, energy, defense, transportation and various other sectors. 

The group was active in Europe, North America, South America, Asia, Africa and the Middle East. It demonstrated persistence by modifying folder permissions in victims’ mailboxes, enabling lateral movement.

Pawn Storm has enhanced its operational security in recent years, gradually changing its tactics. Brute-force credential attacks on mail servers and corporate VPN services have been common since 2019. 

Read more about Pawn Storm: Russian APT28 Group Changes Tack to Probe Email Servers

In recent years, the group has also employed anonymization layers like VPN services, Tor, compromised EdgeOS routers and free services such as URL shorteners. The use of anonymization layers extends to spear-phishing emails sent from compromised email accounts accessed over Tor or VPN exit nodes.

A critical vulnerability, CVE-2023-23397, patched in March 2023, allowed Pawn Storm to conduct hash relay attacks on Outlook users. Exploiting this flaw, the group sent malicious calendar invites, triggering the Net-NTLMv2 hash relay attack.

The campaign extended to August 2023, evolving with more elaborate methods, including scripts hosted on Mockbin and URLs redirecting to PHP scripts on free web hosting domains.

Pawn Storm’s diversification includes using the WinRAR vulnerability CVE-2023-38831 for hash relay attacks. A credential phishing campaign in late 2023 targeted European governments, utilizing webhook[.]site URLs and VPN IP addresses.

In October 2022, Pawn Storm employed an information stealer without a command-and-control (C2) server. This crude yet effective method involved uploading stolen files to a free file-sharing service, using shortened URLs for access.

In the Trend Micro advisory, Hacquebord and Merces warned that Pawn Storm remains aggressive despite its two-decade history, adapting loud and aggressive tactics alongside advanced and stealthy methods. 

Network defenders are urged to leverage indicators of compromise provided in the research to bolster their security against Pawn Storm’s persistent threats.

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button