Pawn Storm: Who is behind the group that has been hacking Global Organizations since 2004

Trend Micro has identified new trends in the group's stealth attacks.

A new report from Trend Micro reveals the actions of the Pawn Storm cybercrime group, which has been engaged in hacker attacks on important global organizations since 2004, using a variety of methods. Despite the seemingly outdated methods, including phishing campaigns that have been going on for a decade, Pawn Storm continues to successfully hack thousands of emails.

Trend Micro claims that the group recently switched to attacks using Net-NTLMv2 hashes, trying to penetrate the networks of government, defense and military organizations around the world. The group has been active in Europe, North and South America, Asia, Africa and the Middle East. The hackers maintained persistence by changing the permissions of folders in victims' mailboxes, which allowed them to move around the network.

Since 2019, the attackers have often used brute-force methods to break into email servers and corporate VPN services. The group also used anonymization methods such as VPN services, Tor networks, hacked EdgeOS routers, and free services such as URL shorteners. Anonymization also applied to phishing emails, which were sent from compromised email accounts via Tor or VPN.

The critical vulnerability CVE-2023-23397 (CVSS score: 9.8), fixed in March 2023, allowed Pawn Storm to conduct relay attacks on Outlook users. The group used the flaw to send special calendar invitations that triggered a Net-NTLMv2 attack. The campaign continued until August 2023, becoming increasingly sophisticated, with scripts hosted on Mockbin and URLs redirecting to PHP scripts on free web hosting domains.

Pawn Storm also exploited the WinRAR vulnerability CVE-2023-38831 (CVSS score: 7.8) for relay attacks. In late 2023, the hackers conducted a phishing campaign to steal credentials, targeting European governments using "webhook[.]site" URLs and VPN IP addresses. In addition to Pawn Storm, several other APT groups used the flaw to attack 130 organizations, successfully seizing traders' funds.

In October 2022, Pawn Storm also used an infostealer that did not connect to a Command and Control (C2) server. This simple but effective method involved uploading stolen files to a free file sharing site, with shortened URLs used for access.

In March 2023, the Microsoft security team identified a critical vulnerability in Microsoft Outlook. Tracked under the identifier CVE-2023-23397, the bug allows attackers to steal Net-NTLMv2 hashes and gain access to user accounts. The particular danger lies in a specially crafted email message: when it is opened, the user's Net-NTLMv2 hash is transmitted to the attacker.
 