Fighting Ursa, also known as APT28, Fancy Bear, Strontium/Forest Blizzard, Pawn Storm, Sofacy, or Sednit, is a notable cyber threat group associated with Russia's military intelligence. This group has been actively engaging in cyber espionage activities, focusing on targets that align with Russian interests, particularly those related to military objectives. Here are some details about their recent activities:
- Targeted Campaigns Using CVE-2023-23397: Over the past 20 months, Fighting Ursa has conducted three campaigns targeting over 30 organizations. These organizations are of strategic intelligence value, and many are associated with NATO. The group exploited a critical vulnerability in Microsoft Outlook (CVE-2023-23397) to carry out these covert operations. This exploitation demonstrates the group's sophistication in leveraging software vulnerabilities to achieve its objectives.
- Scope of Targeted Organizations: The campaigns orchestrated by Fighting Ursa have affected at least 30 organizations across 14 countries. Many of these organizations are part of NATO, including a NATO Rapid Deployable Corps. This widespread targeting across multiple nations underlines the group's extensive reach and the potential impact of their operations on international security and diplomatic relations.
- APT28's Cyber Espionage Activities: Fighting Ursa's activities are a clear example of state-sponsored cyber espionage. The group's consistent targeting of entities of strategic interest to Russia and its use of advanced cyber techniques reflect the broader trend of nation-states leveraging cyber capabilities for intelligence and geopolitical gains.
In summary, Fighting Ursa (APT28) represents a significant threat in the cyber landscape, particularly for organizations aligned with NATO or those holding strategic value from a military or intelligence standpoint. Their sophisticated methods and focus on exploiting critical vulnerabilities emphasize the need for robust cybersecurity measures and international cooperation in countering such threats.
IoC
CVE
- CVE-2023-23397
IPv4
REFERENCES
- https://otx.alienvault.com/pulse/6572250f298d2a69b238cf72
TAGS
CVE-2023-23397, Microsoft Outlook, Ursa, APT28, NTLM