New Pawn Storm Tactics
Over the years, Trend Micro has been monitoring the activities of the cybercriminal group Pawn Storm, also known as Fancy Bear and APT28. Studying the evolution of attack methods, we discovered a new tactic adopted by the hackers from Pawn Storm in 2019. In the report Probing Pawn Storm: Cyberespionage Campaign Through Scanning, Credential Phishing and More we share the results of our work, and in this article we will talk about the most interesting discoveries.
About Pawn Storm / APT28 / FancyBear
Pawn Storm is a highly professional and ambitious hacker group that often chooses as its targets the US military, US embassies and defense contractors, and their allies, including government agencies. International media and political figures from various countries have also been targeted.
For the world's media, Pawn Storm embodies "Russian hackers." The group claimed responsibility for breaching the World Anti-Doping Agency (WADA) and publishing the doping tests of American athletes; it has also been credited with attacks on US Democratic Party servers, the hacks of the German parliament, the French television network TV5Monde and the International Association of Athletics Federations, and a number of other high-profile episodes.
Our first study of this group, Operation Pawn Storm: Using Decoys to Evade Detection, was released in October 2014. We have been observing its actions continuously since then.
Pawn Storm Methods
Pawn Storm hackers do not waste time on trifles and use the most effective vectors to achieve their goals:
- Watering hole attacks – compromising sites frequently visited by the target audience.
- Abuse of malicious OAuth applications to compromise targets in elaborate social engineering schemes:
OAuth compromise scheme. Source: Trend Micro
- Private exploits that use both 0-day and well-known vulnerabilities to infect targets.
- Custom-built iOS spyware.
- Browser tab substitution (tabnabbing) to convince the victim to enter credentials on copies of well-known sites.
Despite the high effectiveness of proven methods, Pawn Storm continues to look for new ways to conduct cyber attacks.
One of the notable changes in the group's operations is that since May 2019 Pawn Storm has been using the compromised email accounts of high-ranking officials to send phishing emails aimed at stealing credentials.
Phishing emails using new tactics. Source: Trend Micro
The criminals connected to a dedicated server through a commercial OpenVPN provider, then from that host to a paid email service using the stolen credentials, and sent the phishing emails through it.
This tactic was used by Pawn Storm in 2019 and 2020. Most of the compromised mail accounts belonged to employees of Middle Eastern defense companies, mainly located in the UAE.
Distribution of compromised mail servers by country from May to December 2019. Source: Trend Micro
The reason Pawn Storm members switched to using compromised Middle Eastern defense mail accounts is unclear. Possible reasons:
- increasing the effectiveness of the mailings thanks to the authority of the sender, which is of particular importance in the cultural traditions of the East;
- sending from a legitimate mail service on behalf of a real user makes it possible to bypass spam filtering systems.
Perhaps the effectiveness of the tactics was so high that the loss of a compromised account after the mailing ceased to matter.
In addition to defense departments, the targets of the attacks included banks, design bureaus, government organizations and airlines.
Distribution of compromised mail services by industry from May to December 2019. Source: Trend Micro
To compromise mailboxes, the group used traditional methods, from malware and phishing sites to simple password cracking.
An additional factor that facilitated the collection of mail addresses and the compromise of accounts was the vulnerabilities in Microsoft Exchange servers.
Retrieving information from vulnerable Exchange servers
Many large companies use Microsoft Exchange Server to run their mail, so the vulnerabilities CVE-2019-1084, CVE-2019-1136 and CVE-2019-1137 became a real gift for cybercriminals:
- CVE-2019-1084 allows attackers to create a display name containing non-printable characters and gain access to confidential information;
- CVE-2019-1136 is a privilege escalation which, among other things, gives access to the mailboxes of the server's users;
- CVE-2019-1137 enables XSS attacks and arbitrary code execution in the context of the current user. All that is needed is to send a specially crafted request to the Exchange server.
The fact that Pawn Storm used these vulnerabilities to compromise accounts is evidenced by the large-scale scanning for vulnerable Exchange servers recorded by Trend Micro in 2019. Most of the scanning requests probed TCP ports 443 (HTTPS), 143 and 993 (IMAP), 110 and 995 (POP3), and 465 and 587 (SMTP).
The data collected contains requests to hundreds of mail servers around the world. The purpose of the scanning was to find vulnerable systems and to collect email addresses for later compromise and use in phishing campaigns.
Among the scanned targets were defense companies in Western Europe, military and government agencies in South America and the Middle East, banks, oil and IT companies, law firms and political parties, as well as universities. Surprisingly, several private schools in France and Great Britain, and even a kindergarten in Germany, were among the targets.
Scanning MS SQL Servers and Directory Services
In 2019, the RCE vulnerability CVE-2019-1068 was discovered in MS SQL Server, and it too did not escape the attention of Pawn Storm. From November to December 2019, ports 445 and 1433 were scanned from the IP address 185.245.85[.]178, which hosted the group's phishing sites. In total, about 65 thousand and 15 thousand requests, respectively, were recorded during this period, most of them directed at servers in Europe. Presumably, these were attempts to find vulnerable MS SQL and Directory Services servers.
Recorded attempts to scan port 445. Source: Trend Micro
Recorded attempts to scan port 1433. Source: Trend Micro
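The scanning pattern described above (one source probing the Exchange mail ports plus 445 and 1433 across many hosts) is easy to pick out of perimeter firewall logs. The following is an added example, not code from Trend Micro or the report: it parses constructed iptables-style log lines (addresses from the RFC 5737 test ranges) and flags any source that touched several of the watched ports on more than one destination.

```python
import re
from collections import defaultdict

# Ports the report says the scans probed: Exchange web/mail ports, MS SQL and SMB.
MAIL_PORTS = {443, 143, 993, 110, 995, 465, 587}
DB_DIR_PORTS = {1433, 445}
WATCHED_PORTS = MAIL_PORTS | DB_DIR_PORTS

# Constructed sample firewall log (iptables LOG format); not real traffic.
SAMPLE_LOG = """\
Nov 12 09:01:02 fw kernel: IN=eth0 SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP DPT=443
Nov 12 09:01:03 fw kernel: IN=eth0 SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP DPT=993
Nov 12 09:01:03 fw kernel: IN=eth0 SRC=203.0.113.10 DST=198.51.100.6 PROTO=TCP DPT=995
Nov 12 09:01:04 fw kernel: IN=eth0 SRC=203.0.113.10 DST=198.51.100.7 PROTO=TCP DPT=587
Nov 12 09:01:05 fw kernel: IN=eth0 SRC=203.0.113.10 DST=198.51.100.8 PROTO=TCP DPT=1433
Nov 12 09:02:00 fw kernel: IN=eth0 SRC=203.0.113.77 DST=198.51.100.5 PROTO=TCP DPT=443
Nov 12 09:02:01 fw kernel: IN=eth0 SRC=203.0.113.77 DST=198.51.100.5 PROTO=TCP DPT=443
"""

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP DPT=(?P<dpt>\d+)")


def find_scanners(log_text, min_ports=3, min_hosts=2):
    """Return {src: (sorted ports, sorted hosts)} for every source that hit at
    least min_ports distinct watched ports on at least min_hosts destinations."""
    ports = defaultdict(set)
    hosts = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a TCP connection line we understand
        dpt = int(m["dpt"])
        if dpt not in WATCHED_PORTS:
            continue  # ordinary traffic to a port outside the watch list
        ports[m["src"]].add(dpt)
        hosts[m["src"]].add(m["dst"])
    return {
        src: (sorted(ports[src]), sorted(hosts[src]))
        for src in ports
        if len(ports[src]) >= min_ports and len(hosts[src]) >= min_hosts
    }


if __name__ == "__main__":
    for src, (p, h) in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: probed ports {p} on {len(h)} hosts")
```

The second source in the sample (repeated hits on a single HTTPS port of one host) is deliberately below the threshold, so normal client traffic is not flagged.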
How We Watch Phishing Campaigns
Even professional criminals make mistakes that make it possible to track their activities. In 2017, we noticed that Pawn Storm members regularly used several domain names in their spam mailings. They sent phishing messages to dignitaries who used free email services such as Gmail and Outlook.com, but for some reason the group had not registered these domain names. By registering them ourselves, we gained the opportunity to collect a large amount of interesting information about the mailings sent by Pawn Storm. All that was required was to set up a DNS server for each of the domains and publish SPF records for them.
To protect against spam, mail servers check SPF (Sender Policy Framework) to make sure that the connecting host is authorized to send mail on behalf of the domain it claims to represent.
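The SPF check that produced the DNS lookups we observed works like this. The following is an added example, not code from the report: a minimal evaluator for the `ip4`, `ip6`, `include` and `all` mechanisms of an SPF record (a subset of RFC 7208), run against constructed TXT records for placeholder domains rather than a live resolver.

```python
import ipaddress

# Constructed TXT records keyed by domain; a receiving mail server would fetch
# these over DNS, which is exactly the traffic the domain owner gets to see.
FAKE_DNS_TXT = {
    "example-sender.test": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 include:relay.test -all",
    "relay.test": "v=spf1 ip4:203.0.113.5 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, txt=FAKE_DNS_TXT):
    """Return the domain's SPF record, or None if it publishes none."""
    rec = txt.get(domain, "")
    return rec if rec.startswith("v=spf1") else None


def check_spf(sender_ip, domain, txt=FAKE_DNS_TXT, depth=0):
    """Evaluate sender_ip against domain's SPF record.
    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    if depth > 10:  # RFC 7208 limits DNS-querying mechanisms (include) to 10
        return "permerror"
    rec = lookup_spf(domain, txt)
    if rec is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in rec.split()[1:]:  # skip the "v=spf1" version tag
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        matched = False
        if term.startswith(("ip4:", "ip6:")):
            # ip_network.__contains__ is False when the IP versions differ
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = check_spf(sender_ip, term[8:], txt, depth + 1) == "pass"
        elif term == "all":
            matched = True
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no "all" term present


if __name__ == "__main__":
    for ip in ("198.51.100.20", "203.0.113.5", "192.0.2.1"):
        print(ip, check_spf(ip, "example-sender.test"))
```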
A fragment of the protocol for interacting with the mail server during the Pawn Storm phishing attack. Source: Trend Micro
By processing such requests for the domains used by the criminals, we tracked their activity passively, with minimal effort.
The configuration that was used to monitor the Pawn Storm mailing lists. Source: Trend Micro
During the observation, we recorded mass mailings to major US email providers and to Russian and Iranian service providers.
Unfortunately, in the summer of 2019 the group began to send its mailings using the generic server.com domain name, abandoning the domain names that had helped us monitor it.
Conclusions and recommendations
We have been watching Pawn Storm since 2014 and expect the group to continue its criminal activities, creating security threats to organizations and entire states. In this regard, we consider it necessary to propose measures that should be applied to protect against cyber attacks:
- Principle of least privilege: limit traffic, allow only the necessary services, and disable obsolete or unnecessary ones.
- Keep track of patches and fix packs: update operating systems and applications, create patch management policies, and consider using virtual patches for unknown vulnerabilities.
- Keep track of the infrastructure: firewalls are no longer enough to feel safe; use intrusion detection and prevention systems that inspect traffic in real time and automatically isolate vulnerable components.
- Implement two-factor authentication everywhere: in corporate mail and in the network accounts of staff members and contractors.
- Train staff: awareness of phishing techniques and common attack vectors, combined with safe-behavior training, will significantly increase the company's security.
- Keep track of data: organize regular backups and encryption of confidential information, and systematically review access rights to it.