Security News > 2023 > December > Fancy Bear goes phishing in US, European high-value networks
Fancy Bear, the Kremlin's cyber-spy crew, has been exploiting two previously patched bugs for large-scale phishing campaigns against high-value targets - like government, defense, and aerospace agencies in the US and Europe - since March, according to Microsoft.
The US and UK governments have linked this state-sponsored gang to Russia's military intelligence agency, the GRU. Its latest phishing expeditions look to exploit CVE-2023-23397, a Microsoft Outlook elevation of privilege flaw, and CVE-2023-38831, a WinRAR remote code execution flaw that allows arbitrary code execution.
On Monday, Microsoft updated its March guidance for organizations investigating attacks exploiting this Exchange hole, and reported that Fancy Bear has been "Actively exploiting CVE-2023-23397 to provide secret, unauthorized access to email accounts within Exchange servers."
Specifically, more than 10,000 emails that Proofpoint has attributed to Fancy Bear were sent during the late summer.
These phishing emails contained an appointment attachment, using a TNEF file disguised as a CSV, Excel file, or Word document.
Lesnewich told us "The payloads, tactics, and techniques used in these campaigns reflect TA422's ultimate shift away from compiled malware for persistent access on targeted networks to lighter-weight, credential-oriented access." .
News URL
https://go.theregister.com/feed/www.theregister.com/2023/12/06/fancy_bear_phishing_microsoft/
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-08-23 | CVE-2023-38831 | Unspecified vulnerability in Rarlab Winrar RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. | 7.8 |
| 2023-03-14 | CVE-2023-23397 | Authentication Bypass by Capture-replay vulnerability in Microsoft 365 Apps, Office and Outlook Microsoft Outlook Elevation of Privilege Vulnerability | 9.8 |