CyberWire Daily - Shedding light on fighting Ursa. [Research Saturday]
Episode Date: December 16, 2023
Host of the CyberWire Daily podcast segment Threat Vector, David Moulton sits down with Mike "Siko" Sikorski from Palo Alto Networks Unit 42 to discuss their research on "Fighting Ursa Aka APT28: Illuminating a Covert Campaign." Unit 42 just published new threat intelligence on Fighting Ursa (aka APT28), a group associated with Russia's military intelligence, on how they are exploiting a Microsoft Outlook vulnerability (CVE-2023-23397) to target organizations in NATO member countries, Ukraine, Jordan, and the UAE. These organizations are of strategic importance in defense, foreign affairs, economy, energy, transportation, and telecommunications. The research can be found here: Fighting Ursa Aka APT28: Illuminating a Covert Campaign
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation
with researchers and analysts
tracking down the threats and vulnerabilities,
solving some of the hard problems,
and protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
Today on Research Saturday,
our Threat Vector host, David Moulton,
is bringing us an exclusive interview with Unit 42's Michael Sikorski to discuss Russian APT Fighting Ursa, otherwise known as APT28,
a group linked to Russia's military intelligence,
exploiting a previously unknown vulnerability in Microsoft Outlook.
The conversation focuses on the intricacies of these campaigns,
the nature of the targeted organizations,
and the broader implications of such a pervasive cyber threat.
I'm here with Mike Sikorski, the CTO and VP of Engineering for Unit 42, to talk about new threat intelligence on Fighting Ursa, a.k.a. APT28, a group associated with Russia's military intelligence, on how they're exploiting a Microsoft Outlook vulnerability, CVE-2023-23397, to target organizations in NATO member countries like Ukraine, Jordan, and the UAE.
These organizations are of strategic importance in defense,
foreign affairs, economy, energy, transportation, and telecommunications.
Siko, thanks for joining me today. The Unit 42 team has been busy lately publishing a lot on APTs.
And today I wanted to talk to you about the Russian APT Fighting Ursa and the covert campaign that our researchers uncovered.
First, give our listeners a snapshot of Fighting Ursa.
Yeah, so Fighting Ursa, they're also popular. That's what we call them.
Others also call them APT28, as well as Fancy Bear. And they are well known for
their focus on targets of Russian interest. And they have been attributed specifically to
Russia's General Staff Main Intelligence Directorate, also known as the GRU.
And that's a military intelligence unit within the government there.
One of the things that the team published on was CVE-2023-23397.
And I want to know, why is that CVE, that vulnerability, so significant?
Yeah, so this vulnerability was in Microsoft's Outlook product.
And we actually observed this group using this vulnerability over a long period of time, the past 20 months, in fact, to target several different entities and nations of strategic value to Russia.
And the fact that it was so long, it was before it was actually patched by Microsoft.
So they had this before, while it was a zero day, they were leveraging it.
Then it was discovered and subsequently patched by Microsoft and then shipped out as a patch.
And furthermore, they still continue to leverage this vulnerability long into the future, which shows you that not everybody has made the patches that they need to in their software.
Now, getting into the technical details on
this vulnerability in Outlook,
it is a privilege escalation vulnerability.
I think the most concerning aspect of vulnerability is that
exploitation does not require
any user interaction at all.
In fact, what it does is it sends you a meeting invite.
And then when that meeting invite eventually comes to be
and it actually triggers an alert to the normal ding you get
when you have a calendar reminder,
that's when the actual exploitation takes place.
And it ends up causing a leakage of hashes that are called NTLM hashes that can be leveraged by an attacker to get privileges that they don't actually have.
Also, the scary part of this is it typically is happening inside someone's network. So this is happening,
you know, either local on someone's computer or on the place where they're doing email.
And it's hard to tell if somebody is vulnerable to this from the outside. So it's more about,
you know, are they patched or not on the inside? And clearly not a lot of people have made the
patches here.
Can you talk about the types of organizations or countries that were targeted by Fighting Ursa and why?
So they've been targeting organizations, NATO organizations, and other nations as well.
Obviously, Ukraine is one of them. But then they actually are also targeting members of NATO. And the attackers
targeted at least one NATO country. And also outside of the government organizations, they
focused very much on targeting critical infrastructure-related organizations with
ties to energy, transportation, telecommunications, and anything in the military
industrial base. You know, targeted organizations within those countries, we're talking
ministries of defense, ministries of foreign affairs, ministries of the economy, and then
even pipeline operations and energy production as well. Given the targets, how dangerous is a no-touch exploit like this?
It's pretty scary, right? The ability to compromise somebody with a simple calendar invite
is why this is such a critical vulnerability. I mentioned that this vulnerability can be leveraged
to get somebody's credentials, right? And you get their access. But what that also enables you to do
means that you then have access to somebody's inbox.
What can you do from there?
Well, then you can further spread this same vulnerability to others within the organization.
And right now, most of the attacks are going to be coming from an email address outside
your organization in order to trigger that calendar invite inside your organization.
However, if somebody gets access inside and onto somebody's email account, they could then send
invites all over the company from that person, which give it a lot more likelihood that it gets
undetected. And then they could use that to leverage and compromise people
throughout the entire organization. In other words, all they need to do is be successful with
one of these exploits in your network, and then they could leverage that to cause a much more
massive compromise and get more higher value targets across your company. How can organizations
protect themselves against something that sounds so sophisticated? Well, number one, there's a patch
out. So the first thing you need to do is upgrade your devices, upgrade your Outlook, patch your
everything that you have that's Microsoft for mail here, and you'll be good to go.
That's first step.
The other thing you could do is make sure
that you have things in place.
For example, when are you accepting meeting invites
from outside the network?
And can you detect this otherwise?
And there are detections that we have put in place
in our security products that will realize that this is coming in and looking in the way it does, where there is an actual signature to be able to detect this type of attack as well.
So a combination of patching and a combination of looking for evidence that this was in your network, I think is another good thing. For example, can you historically go through the inboxes on your network to see if maybe
somebody was infected with this earlier in time? And then make sure that, you know,
if it did, you actually open up an investigation and see if anything else has happened on your network.
What about limiting the lateral movement if the attack is successful?
Yeah, it's all about defense in depth, right?
So, you know, I always like to reference another Russian attack, which was SolarWinds.
In that case, it was APT29, a slightly different group within the Russian government.
However, when they did SolarWinds, you know, it was catchable by everybody, even though it was a great backdoor into networks.
The pivot from that fancy supply chain backdoor to start moving laterally across the network was something everybody could have detected.
It resulted in malware dropped on the system and even activity on the network that could have been detected.
So there was a lot of misses when it comes to these things that aren't just the initial scary attack.
In this case, a zero-day vulnerability in Outlook,
in SolarWinds' case, a supply chain attack,
those things are hard to protect against.
Having zero-day protection at all times,
having supply chain protection at all times
is not necessarily realistic, right?
And people also have priorities
on how fast they can patch these things
even when there is a patch released.
And that's why defense in depth is really important, because you want to catch the lateral movement, the other activity they're doing on the network, and really figure that out as quick as possible.
Because it's really difficult to protect against all these different types of attacks, especially zero days and supply chain.
What lessons can be learned by the handling of this vulnerability by the various stakeholders?
I think the big thing is that it's still being leveraged by Fighting Ursa
to have success at compromising organizations,
which means that we're still behind the curve when it comes to,
you know, this isn't a zero day anymore, and yet they're still using it,
which means they're still having success with it
because they would have pivoted to something else
if you have a zero day
that's amazing for them
as an attacker
you can leverage that, it's not patched
everybody's sitting ducks
but even after a patch has gone out
they've spent a lot of time still using it
which means that it's still successful
and who knows how much longer it will be. And therefore, it's, you know, it's a lesson that we're still not well
prioritizing the rapid speed at which we're patching things. And so, you know, that's,
you know, that's the lesson here.
Siko, what are the implications of these cyber attacks for NATO member countries?
I think all the NATO countries, you know, we've actually discovered research earlier in the year from Russia where they were targeting the embassies and missions within Ukraine.
This is a very similar scenario here, where they're taking a look at the NATO countries who might be interacting
in the region. They might be participating or aiding Ukraine, and making sure they get their
hooks in as many different places as they can, so they can have the best outcome possible for themselves
in that war. So, you know, therefore, as a country, you've got to assume that groups like Fighting
Ursa are coming after you and already have come after you. And therefore, it's really important
to kind of not just patch, but to actually go back and hunt and look through and make sure
that they're not currently in your network. What future trends might we expect in state-sponsored
cyber warfare and intelligence gathering?
...is the insider threat capability, right, where they embed somebody in an organization and
leverage that to be able to conduct espionage or otherwise.
And then the other is the supply chain.
I think we've already seen Russia have success with SolarWinds, right?
Unfortunately for them, they lost that capability going into the war in Ukraine. But it's not far-fetched that other nation states are trying their best to mount or build up another supply chain attack of similar scale.
So those are two of the areas that I would really see as being growing concern.
And therefore, focusing on, you can't really monitor those things at the perfect
level, right? You can't see every single thing your employees are doing. You can't look at every
single line of code of the supply chain coming into your network, all that software that you're
installing. It's unrealistic to kind of go through it all to find a few lines of code that are
actually the backdoor for a nation-state threat. And instead,
you really have to focus on what are the things you can do. Well, you could monitor, you could
do defense in depth, you could apply zero trust, you could sift through alerts better with using
artificial intelligence. And so those are the types of areas that I see it going.
Mike, last question before I let you go. Given the targeting of industrial systems,
what is the likelihood of real-world damage or disruption? I think it's possible. I mean,
I think that Russia was turning the lights off in Ukraine well before this war happened. In fact,
they used it as sort of a playground to do things like that. I think there's still some surprise in
the world that, hey, the lights haven't gone off there or worldwide to an extent that we really thought would happen if they unleashed the full capability they have.
Especially seeing the capability they had firsthand going into Ukraine with SolarWinds, if they had a capability like that, what is the
full magnitude that they could? So, you know, the fact that they are targeting industrial control
systems, energy plants, you name it, to be able to, with this attack, with this vulnerability, I think
it's possible. And I know that there's a lot of growing concern for that. But the fact that we haven't seen it yet
is somewhat a surprise
relative to how much we've seen targeted.
Siko, thanks for going deeper
on the threat intel Unit 42 published
on Fighting Ursa
with the Research Saturday audience.
And we'll be following up on this research
and quite a bit of other research
that your team has published
out on the Unit 42 Threat Research Center on
Threat Vector. If you're interested in reading the full brief Siko discussed today, go to
unit42.paloaltonetworks and look for Fighting Ursa, aka APT28, Illuminating a Covert Campaign. That's Mike Sikorski.
He was interviewed by David Moulton, host of the Threat Vector segment,
which you can hear every other Thursday on the CyberWire Daily podcast.
We hope you will check that out.
The CyberWire Research Saturday podcast is a production of N2K Networks.
This episode was produced by Liz Ervin
with mixing by Elliot Peltzman.
Our executive producers
are Jennifer Ivan and Brendan Karpf.
Our executive editor is Peter Kilpie
and I'm Dave Bittner.
Thanks for listening.