Pawn Storm (also known as APT28 and Forest Blizzard) is an advanced persistent threat (APT) actor whose tactics, techniques, and procedures (TTPs) show persistent, long-running repetition. The group targets organizations dealing with foreign affairs, energy, defense, and transportation, as well as organizations involved with labor, social welfare, finance, parenthood, and even local city councils. Pawn Storm employs a wide range of tools to hide its tracks, including VPN services, Tor, compromised routers, and hacked email accounts. Since 2019 the group has used brute-force attacks to gain access to corporate and government accounts. Pawn Storm also exploits vulnerabilities such as CVE-2023-23397 in Outlook and CVE-2023-38831 in WinRAR to steal Net-NTLMv2 hashes for use in further attacks. Defenders can use the indicators of compromise listed in the report to check whether their organization has been targeted.

Author: AlienVault
Related Tags:
Central African Republic
hash theft
spear-phishing
brute-force
information stealer
targeted attack
T1557
CVE-2023-23397
Transportation
Associated Indicators: