Cyberwarfare / Nation-State Attacks , Endpoint Security , Fraud Management & Cybercrime

Moscow Military Hackers Used Microsoft Outlook Vulnerability

APT28 Used Hacked Ubiquiti Routers for Hashed Password Relay Attacks
Moscow Military Hackers Used Microsoft Outlook Vulnerability
Russian hackers used a vulnerability in Microsoft Outlook to obtain hashed passwords, warned the FBI. (Image: Shutterstock)

A campaign by Russian military intelligence to convert Ubiquiti routers into a platform for a global cyberespionage operation began as early as 2022, U.S. and foreign intelligence agencies said.

See Also: Advanced Cyberthreat Intelligence Against The 2018 Threat Landscape

The U.S. federal government earlier this month disrupted a botnet built from hundreds of Ubiquiti routers by a hacking unit of Russian military's Main Intelligence Directorate, known as the GRU. The Moscow threat actor, known as APT28, Fancy Bear and Forest Blizzard or Strontium, used infected routers located in the United States as proxies for hacking operations (see: US Disrupts Russian Military Intelligence Botnet).

In a Tuesday advisory published by the FBI, domestic and foreign intelligence agencies said the hackers behind the campaign had installed protocol poisoning tools on compromised routers to execute an NTLM relay attack. The attacks exploited a zero-day that Microsoft had patched in March 2023. The vulnerability, tracked as CVE-2023-23397, allowed hackers to trigger Windows into transmitting hashed passwords by sending a backdated Microsoft Outlook appointment request containing a parameter for the sound the email client should play when the appointment is overdue. But rather than playing a cheery sound effect, the parameter allowed hackers obtain the victim's login name and their password hash, which they reused.

Although Microsoft issued multiple fixes for the vulnerability, FBI investigators said Russian hackers have found unpatched systems to hack.

Russian hackers targeted a slew of industries including defense, oil and gas, technology, government and manufacturing across a host of countries including Ukraine, Poland, Lithuania, Turkey and the Czech Republic.

The FBI believes that APT28 hackers piggybacked on a criminal botnet dubbed Moobot that had already infected some Ubiquiti routers. The New York router manufacturer did not immediately return a request for comment.

Russian hackers' use of hacked routers is a characteristic of Kremlin hacking as well as Chinese state hacking, said Dan Black, a cyberespionage analyst at threat intelligence firm Mandiant. "They use them to proxy traffic to and from targeted networks while staying under the radar," he said.

The advisory warns that rebooting a compromised Ubiquiti router won't purge it of Russian malware. Rather, system administrators must perform a hard reset and should upgrade to the latest firmware.

About the Author

David Perera

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.