Pawn Storm’s Net-NTLMv2 Stealth Assault Revealed


Pawn Storm, an advanced persistent threat (APT), also known as APT28, has targeted high-value entities on a global scale, employing a range of techniques since at least 2004.

Despite relying on seemingly outdated methods such as decade-old phishing campaigns, the group continues to compromise thousands of email accounts.

According to an advisory published today by Trend Micro researchers Feike Hacquebord and Fernando Merces, the group has recently been conducting Net-NTLMv2 hash relay attacks in an attempt to force its way into government, military and defense networks around the world.

Between April 2022 and November 2023, Pawn Storm reportedly focused on launching NTLMv2 hash relay attacks, targeting government ministries responsible for foreign affairs, energy, defense, transportation, and various other sectors.

The group was active in Europe, North America, South America, Asia, Africa and the Middle East. It maintained persistence by changing folder permissions in victims’ mailboxes, enabling lateral movement.

Pawn Storm has strengthened its operational security in recent years, gradually changing tactics. Brute force credential attacks on corporate email servers and VPN services have been common since 2019.


In recent years, the group has also used layers of anonymization such as VPN services, Tor, compromised EdgeOS routers, and free services such as URL shorteners. The use of anonymization layers extends to spear phishing emails sent from compromised email accounts accessed through Tor or VPN exit nodes.

A critical vulnerability, CVE-2023-23397, patched in March 2023, allowed Pawn Storm to carry out hash relay attacks on Outlook users. By exploiting this flaw, the group sent malicious calendar invitations, triggering the Net-NTLMv2 hash relay attack.
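A relay of a leaked Net-NTLMv2 response lands on the authenticating server as an NTLM network logon whose source is the relaying host rather than the victim's machine. The following Python triage script is an added example and not code from the Trend Micro advisory: it scans a few constructed Windows Security event 4624 records (flattened here to key=value lines) and flags NTLM network logons that arrive from outside the assumed internal ranges, or where the workstation name reported in the NTLM exchange does not match the host the asset inventory expects at that source IP. The internal ranges and the inventory are assumptions to adapt to your own environment.

```python
import ipaddress
import re

# Assumption: these are the organisation's internal address ranges.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Assumption: a (hypothetical) asset inventory mapping source IP -> expected
# workstation name. In a relay the Workstation field carries the victim
# client's name while the IP belongs to the relaying host, so a mismatch
# is a useful signal.
ASSET_INVENTORY = {
    "10.0.1.15": "WS-FINANCE-07",
    "10.0.2.40": "WS-LEGAL-02",
    "10.0.9.250": "FILESRV-01",
}

# Constructed sample events modelled on the fields of Windows Security
# event 4624 (an actual event would be XML or EVTX, not key=value text).
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=3 AuthPackage=NTLM LmPackage='NTLM V2' TargetUser=jdoe Workstation=WS-FINANCE-07 SourceIp=10.0.1.15",
    "EventID=4624 LogonType=3 AuthPackage=NTLM LmPackage='NTLM V2' TargetUser=jdoe Workstation=WS-FINANCE-07 SourceIp=10.0.2.40",
    "EventID=4624 LogonType=3 AuthPackage=NTLM LmPackage='NTLM V2' TargetUser=asmith Workstation=WS-LEGAL-02 SourceIp=203.0.113.7",
    "EventID=4624 LogonType=3 AuthPackage=Kerberos LmPackage='-' TargetUser=asmith Workstation=WS-LEGAL-02 SourceIp=10.0.2.40",
    "EventID=4624 LogonType=2 AuthPackage=NTLM LmPackage='NTLM V2' TargetUser=svc_backup Workstation=FILESRV-01 SourceIp=10.0.9.250",
]

FIELD_RE = re.compile(r"(\w+)=('[^']*'|\S+)")


def parse_event(line):
    """Split a key=value line into a dict, dropping single quotes around values."""
    return {k: v.strip("'") for k, v in FIELD_RE.findall(line)}


def is_internal(ip_text):
    """True if the address parses and lies inside an internal range; None if unparseable."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # e.g. '-' or '::1' style placeholders: leave undecided
    return any(ip in net for net in INTERNAL_NETS)


def analyze_event(fields):
    """Return a list of finding tags for one parsed event (empty if nothing is odd)."""
    findings = []
    # Only successful *network* logons (type 3) authenticated with NTLM are relevant:
    # interactive logons and Kerberos tickets are not what a hash relay produces.
    if fields.get("EventID") != "4624" or fields.get("LogonType") != "3":
        return findings
    if fields.get("AuthPackage") != "NTLM":
        return findings

    src = fields.get("SourceIp", "-")
    workstation = fields.get("Workstation", "").upper()

    # NTLM network logons should not originate outside the internal ranges.
    if is_internal(src) is False:
        findings.append("external-source")

    # The NTLM messages carry the client's own computer name; compare it with
    # the host the inventory expects at the source address.
    expected = ASSET_INVENTORY.get(src)
    if expected is not None and expected.upper() != workstation:
        findings.append("workstation-ip-mismatch")

    return findings


def scan(lines):
    """Return (user, source IP, findings) for every event with at least one finding."""
    hits = []
    for line in lines:
        fields = parse_event(line)
        findings = analyze_event(fields)
        if findings:
            hits.append((fields.get("TargetUser"), fields.get("SourceIp"), findings))
    return hits


if __name__ == "__main__":
    for user, src, findings in scan(SAMPLE_EVENTS):
        print(f"user={user} src={src} findings={','.join(findings)}")
```

On the constructed input, the second event is flagged because 10.0.2.40 is inventoried as WS-LEGAL-02 but presents itself as WS-FINANCE-07, and the third because its source is a public address; the Kerberos logon and the interactive (type 2) logon are ignored. Neither signal is proof of a relay on its own; the mismatch in particular also fires on re-addressed or renamed hosts, so the inventory must be kept current.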

The campaign extended through August 2023, evolving with more elaborate methods including scripts hosted on Mockbin and URLs redirecting to PHP scripts on free web hosting domains.

Pawn Storm’s diversification includes the use of the WinRAR vulnerability CVE-2023-38831 for hash relay attacks. In late 2023, a credential phishing campaign targeted European governments, using webhook(.)site URLs and VPN IP addresses.

In October 2022, Pawn Storm employed an information stealer that operated without a command and control (C2) server. This crude but effective method involved uploading stolen files to a free file-sharing service and using shortened URLs to retrieve them.

In the Trend Micro advisory, Hacquebord and Merces warned that Pawn Storm remains aggressive despite its two-decade history, combining loud and aggressive tactics with advanced and stealthy methods.

Network defenders are encouraged to take advantage of the indicators of compromise provided in the research to strengthen their security against the persistent threats of Pawn Storm.
