APT28 has been scanning vulnerable email servers for more than a year

guest · Mar 20, 2020

APT28 has been scanning vulnerable email servers for more than a year
Scans have been observed against webmail and Microsoft Exchange Autodiscover servers
March 20, 2020
https://www.zdnet.com/article/apt28...ulnerable-email-servers-for-more-than-a-year/

For the past year, one of Russia's top state-sponsored hacking units has spent its time scanning and probing the internet for vulnerable email servers, according to a report published yesterday by cyber-security firm Trend Micro.

The report deals with the activities of APT28, also known as Fancy Bear, Sednit, and Pawn Storm.
SCANNING THE INTERNET FOR VULNERABLE SERVERS
However, in a report published yesterday by Trend Micro, the cyber-security firm's analysts have spotted an important change in the group's operations.

While spear-phishing and malware have remained on the menu, Trend Micro says APT28 has also begun last year conducting scans of the entire internet, in search of vulnerable webmail and Microsoft Exchange Autodiscover servers -- on TCP ports 445 and 1433.
Click to expand...

TAKING OVER EMAIL ACCOUNTS TO LAUNCH PHISHING OPERATIONS
But on top of server scans, APT28 has also been busy with another scheme, Trend Micro said.

Trend Micro believes APT28 is phishing the employees of legitimate companies and stealing their login credentials for corporate email accounts, or performing brute-force attacks to guess email account passwords.
Once they have credentials in hand, through a network of VPN servers, APT28 operators connect to the compromised accounts using the stolen passwords.
Click to expand...

Trend Micro: "Pawn Storm in 2019 - A Year of Scanning and Credential Phishing on High-Profile Targets" (PDF - 710 KB):
https://documents.trendmicro.com/assets/white_papers/wp-pawn-storm-in-2019.pdf

guest · Mar 20, 2020

Probing Pawn Storm
Cyberespionage Campaign Through Scanning, Credential Phishing and More
https://www.trendmicro.com/vinfo/in...through-scanning-credential-phishing-and-more

Pawn Storm, an ongoing cyberespionage campaign with activities that can be traced as far back as 2004, has gained notoriety after aiming cyber-attacks at defense contractor personnel, embassies, and military forces of the United States and its allies, as well as international media and citizens across different civilian industries and sectors, among other targets.

This newer operation has employed a number of attack methods, including the use of spear-phishing emails against high-profile targets, a staple in Pawn Storm's arsenal. Here are some of the many threats the group has wielded against its targets:

• Open Authentication (OAuth) abuse for compromising targets in advanced social engineering schemes
• Tabnabbing for persuading users into submitting credentials to known (impersonated) sites [...]
We have uncovered more information on the group's current attack methods, which primarily centered on scanning for servers and credential phishing among high-profile entities.
Click to expand...

Log in or Sign up

APT28 has been scanning vulnerable email servers for more than a year

guest Guest

guest Guest

Log in or Sign up

APT28 has been scanning vulnerable email servers for more than a year

guest Guest

guest Guest

Useful Searches