December 5, 2023 at 07:22PM
Fancy Bear, a Russian cyber-espionage group, has been targeting US and European agencies in phishing campaigns that exploit already-patched flaws in Microsoft Outlook and WinRAR. Microsoft and Polish Cyber Command observed unauthorized access to high-value email accounts, and Proofpoint counted more than 10,000 phishing emails in the campaign. Proofpoint expects attackers to keep exploiting systems that have not been patched.
Meeting Takeaways:
1. Fancy Bear, associated with the Russian GRU, has conducted large-scale phishing campaigns targeting US and European government, defense, and aerospace agencies since March.
2. The group exploited two patched vulnerabilities: CVE-2023-23397 in Microsoft Outlook and CVE-2023-38831 in WinRAR.
3. Microsoft patched the Outlook vulnerability in March 2023 and later issued a follow-up fix for a bypass of the original patch, warning that the flaw had already been exploited in the wild.
4. Fancy Bear (tracked by Microsoft as Forest Blizzard and formerly known as Strontium) has been actively exploiting the Outlook vulnerability (CVE-2023-23397) to gain covert access to mailboxes.
5. Proofpoint observed over 10,000 phishing emails from Fancy Bear since late summer 2023, targeting a range of sectors across North America and Europe.
6. Polish Cyber Command confirmed Fancy Bear compromised email accounts belonging to Polish organizations, modifying permissions to maintain unauthorized mailbox access.
7. CVE-2023-23397 lets an attacker obtain the victim's Net-NTLMv2 hash with a tailored email: the message carries a custom reminder sound path pointing at an attacker-controlled UNC share, and Outlook connects to that share and authenticates as soon as it processes the reminder, with no user interaction. The captured hash can then be relayed to authenticate as the victim.
8. Fancy Bear used compromised email accounts to send phishing emails that either triggered the Outlook flaw directly or carried WinRAR archives exploiting CVE-2023-38831, in which opening a harmless-looking decoy file from the archive silently executes a script hidden in a folder of the same name. Either path yields code execution or unauthorized access.
9. Proofpoint also noted Fancy Bear’s occasional phishing attempts on higher education, construction, and consulting sectors.
10. The security community anticipates Fancy Bear will continue to exploit these vulnerabilities in unpatched systems, reflecting a shift toward credential-oriented access rather than relying on compiled malware.
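The Net-NTLMv2 leak in takeaway 7 hinges on one message property: the custom reminder sound path (PidLidReminderFileParameter) pointing at a share the attacker controls. The Python below is an added example, not code from the article or from any vendor. It assumes a gateway or triage script has already extracted that property per message; the sample messages and the ".corp.example" internal DNS suffix are constructed for the example.

```python
import ipaddress
import re
from typing import Iterable, Optional

# Assumption: the organisation's own DNS suffixes (hosts under these are trusted).
INTERNAL_SUFFIXES = (".corp.example",)


def unc_host(path: Optional[str]) -> Optional[str]:
    """Return the server name of a UNC path (\\\\host\\share\\file), else None."""
    if not path:
        return None
    p = path.strip()
    if len(p) < 3 or p[0] not in "\\/" or p[1] not in "\\/":
        return None  # ordinary local path such as C:\Windows\Media\notify.wav
    host = re.split(r"[\\/]", p[2:], maxsplit=1)[0]
    # Strip an "@port" suffix (\\host@80\dav, WebDAV style) so the bare host remains.
    host = host.split("@", 1)[0]
    return host.lower() or None


def classify_reminder_path(path: Optional[str], internal_suffixes=INTERNAL_SUFFIXES):
    """Classify a reminder path as local, internal_unc or external_unc.

    Only a UNC path makes Outlook open an outbound SMB/WebDAV connection, and
    only an off-net host lets an attacker capture the resulting Net-NTLMv2 hash.
    """
    host = unc_host(path)
    if host is None:
        return ("local", None)
    try:
        ip = ipaddress.ip_address(host)
        internal = ip.is_private or ip.is_loopback or ip.is_link_local
    except ValueError:
        internal = host.endswith(tuple(internal_suffixes))
    return ("internal_unc" if internal else "external_unc", host)


def scan_messages(messages: Iterable[dict]):
    """Return (subject, sender, host) for each message whose reminder path leaves the network."""
    hits = []
    for m in messages:
        verdict, host = classify_reminder_path(m.get("reminder_file"))
        if verdict == "external_unc":
            hits.append((m["subject"], m["sender"], host))
    return hits


# Constructed sample data: the first two are benign, the last two are the
# exploitation pattern (note the third is sent from a compromised internal account).
SAMPLE_MESSAGES = [
    {"subject": "Team meeting", "sender": "colleague@corp.example",
     "reminder_file": r"C:\Windows\Media\notify.wav"},
    {"subject": "Project sync", "sender": "pm@corp.example",
     "reminder_file": r"\\files.corp.example\sounds\ding.wav"},
    {"subject": "Urgent: contract", "sender": "ceo@corp.example",
     "reminder_file": r"\\updates.example.net\share\a.wav"},
    {"subject": "Invoice", "sender": "vendor@example.org",
     "reminder_file": r"\\cdn.example.net@80\dav\reminder.wav"},
]

if __name__ == "__main__":
    for subject, sender, host in scan_messages(SAMPLE_MESSAGES):
        print(f"ALERT reminder path leaves network: {subject!r} from {sender} -> {host}")
```

Sender reputation is deliberately not part of the verdict: the campaign used compromised legitimate accounts, so the reminder path, not the From address, is the indicator worth alerting on.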
Action Items:
1. Organizations should ensure that all systems are updated with the patches for CVE-2023-23397 (Microsoft's March 2023 Outlook update and the later follow-up fix) and CVE-2023-38831 (WinRAR 6.23 or later). WinRAR does not update itself, so inventory installed versions rather than assuming the fix is in place.
2. Heighten vigilance for phishing campaigns, specifically those resembling the described tactics used by Fancy Bear.
3. Investigate abnormal mailbox permissions and modifications, in particular folder permissions granted to the Default or Anonymous principals, FullAccess delegations to unexpected accounts, and new forwarding or inbox rules, since the group used such changes to keep reading compromised mailboxes. Secure any affected accounts and revoke the added access.
4. Educate employees on cybersecurity best practices, including being skeptical of emails with unexpected attachments or requests.
5. Encourage proper and timely patch management strategies to prevent exploitation of known vulnerabilities.
6. Consider deploying additional defenses against the NTLM-leak path: block outbound SMB (TCP 445) and WebDAV from endpoints to the internet, add high-value users to the Protected Users security group so NTLM authentication is not used for them, and alert on client-initiated outbound SMB connections.
7. If evidence of Fancy Bear tactics is detected, immediately initiate incident response protocols to contain and remediate any potential breaches.
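Action item 3 asks for a hunt over mailbox permission changes. The Python below is an added example, not code from the article, Microsoft or any vendor. It assumes Exchange admin audit records in the Microsoft 365 Unified Audit Log JSON shape (Operation, UserId, ObjectId and a Parameters list of Name/Value pairs); the records and the approved-delegate list are constructed for the example.

```python
import json
from typing import Dict, Iterable, List, Optional

# Cmdlets whose audit records change who may read a mailbox or folder.
WATCHED_OPERATIONS = {
    "Add-MailboxPermission",
    "Add-MailboxFolderPermission",
    "Set-MailboxFolderPermission",
    "Add-RecipientPermission",
}
# Grants to these principals open a folder to every authenticated (or any
# anonymous) user in the tenant: the persistence pattern of interest.
BROAD_PRINCIPALS = {"default", "anonymous", "anonymous logon"}
# Assumption: accounts expected to hold FullAccess on other mailboxes.
APPROVED_DELEGATES = {"svc-backup@corp.example"}


def _params(record: dict) -> Dict[str, str]:
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def analyse_record(record: dict) -> Optional[dict]:
    """Return a finding for a suspicious permission change, or None."""
    op = record.get("Operation")
    if op not in WATCHED_OPERATIONS:
        return None
    p = _params(record)
    grantee = p.get("User", p.get("Trustee", "")).lower()
    short_grantee = grantee.split("\\")[-1]  # drop a DOMAIN\ prefix if present
    rights = p.get("AccessRights", "")
    mailbox = p.get("Identity", record.get("ObjectId", ""))
    if short_grantee in BROAD_PRINCIPALS and rights.lower() != "none":
        severity = "high"  # folder readable by everyone in the tenant
    elif (op == "Add-MailboxPermission" and "fullaccess" in rights.lower()
          and grantee not in APPROVED_DELEGATES):
        severity = "high"  # full mailbox delegation to an unexpected account
    else:
        severity = "medium"  # still worth a look, but not the known pattern
    return {"severity": severity, "operation": op, "mailbox": mailbox,
            "grantee": grantee, "rights": rights,
            "actor": record.get("UserId", ""), "time": record.get("CreationTime", "")}


def analyse_log(lines: Iterable[str]) -> List[dict]:
    """Run analyse_record over newline-delimited JSON audit records."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = analyse_record(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed audit records, one JSON object per line (not real telemetry).
SAMPLE_LOG = [
    r'{"CreationTime":"2023-11-02T09:14:21","Operation":"Set-MailboxFolderPermission","UserId":"j.kowalski@corp.example","ObjectId":"j.kowalski:\\Inbox","Parameters":[{"Name":"Identity","Value":"j.kowalski:\\Inbox"},{"Name":"User","Value":"Default"},{"Name":"AccessRights","Value":"Reviewer"}]}',
    r'{"CreationTime":"2023-11-02T10:01:05","Operation":"Add-MailboxPermission","UserId":"admin@corp.example","ObjectId":"a.nowak","Parameters":[{"Name":"Identity","Value":"a.nowak"},{"Name":"User","Value":"svc-backup@corp.example"},{"Name":"AccessRights","Value":"FullAccess"}]}',
    r'{"CreationTime":"2023-11-02T10:07:48","Operation":"Add-MailboxPermission","UserId":"a.nowak@corp.example","ObjectId":"a.nowak","Parameters":[{"Name":"Identity","Value":"a.nowak"},{"Name":"User","Value":"contractor7@corp.example"},{"Name":"AccessRights","Value":"FullAccess"}]}',
    r'{"CreationTime":"2023-11-02T11:30:00","Operation":"Set-Mailbox","UserId":"admin@corp.example","ObjectId":"a.nowak","Parameters":[{"Name":"Identity","Value":"a.nowak"},{"Name":"DisplayName","Value":"Anna Nowak"}]}',
    r'{"CreationTime":"2023-11-03T08:12:33","Operation":"Add-MailboxFolderPermission","UserId":"a.nowak@corp.example","ObjectId":"a.nowak:\\Sent Items","Parameters":[{"Name":"Identity","Value":"a.nowak:\\Sent Items"},{"Name":"User","Value":"m.lewandowska@corp.example"},{"Name":"AccessRights","Value":"Reviewer"}]}',
]

if __name__ == "__main__":
    for f in analyse_log(SAMPLE_LOG):
        print(f"{f['severity'].upper():6} {f['time']} {f['operation']} on {f['mailbox']} "
              f"-> {f['grantee']} [{f['rights']}] by {f['actor']}")
```

Two points for anyone adapting this: the actor field matters as much as the grantee (a mailbox owner granting Default read access to their own Inbox is exactly what a hijacked account looks like), and the hunt only works if mailbox auditing was enabled before the compromise, so verify that first.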