
Seashell Blizzard initial access subgroup operational lifecycle
Microsoft Threat Intelligence has exposed a multiyear cyber espionage campaign conducted by a subgroup of the Russian state-sponsored hacking collective, Seashell Blizzard (also known as APT44, Sandworm, or BlackEnergy Lite). This campaign, tracked as BadPilot, has been in operation since at least 2021 and has compromised organizations worldwide across critical sectors, including energy, telecommunications, arms manufacturing, and international governments.
The newly detailed BadPilot campaign has been instrumental in enabling Russian cyber operations by breaching Internet-facing infrastructure and maintaining long-term access to high-value targets. According to Microsoft, this subgroup within Seashell Blizzard has used a combination of published exploits, opportunistic scanning, and stealthy persistence techniques to infiltrate targeted systems.
Microsoft warns: “This subgroup has conducted globally diverse compromises of Internet-facing infrastructure to enable Seashell Blizzard to persist on high-value targets and support tailored network operations.”
The campaign initially focused on Ukraine and Eastern Europe but has now expanded to the United States, the United Kingdom, Canada, Australia, and other geopolitically significant regions.
Since early 2024, the BadPilot subgroup has been observed exploiting vulnerabilities in remote management and security software, including:
- ConnectWise ScreenConnect (CVE-2024-1709, an authentication bypass in the on-premises ScreenConnect server)
- Fortinet FortiClient EMS (CVE-2023-48788, a SQL injection in the EMS management server)
These exploits have allowed attackers to execute commands remotely, install remote management tools, and establish long-term persistence. Microsoft explains, “These new access operations built upon previous efforts between 2021 and 2023 which predominantly affected Ukraine, Europe, and specific verticals in Central and South Asia, and the Middle East.”
Seashell Blizzard is one of Russia’s most prolific and destructive state-backed hacking groups, linked to Unit 74455 of the Russian Military Intelligence (GRU). Microsoft has tracked its involvement in numerous cyberattacks aligned with Russian geopolitical interests, including:
- The 2017 NotPetya attack (destructive wiper malware disguised as ransomware)
- The 2022 Prestige ransomware operation targeting Ukraine and Poland
- Espionage and cyber disruption campaigns during Russia’s invasion of Ukraine
According to Microsoft, “Since April 2022, Russia-aligned threat actors have increasingly targeted international organizations that are either geopolitically significant or provide military and/or political support to Ukraine.”
One of the hallmarks of BadPilot’s operations is its ability to maintain access within compromised networks for extended periods. The group employs several stealthy persistence techniques, including:
1. Deploying Remote Management Software
Instead of relying on traditional malware or remote access trojans (RATs), BadPilot installs legitimate remote management tools such as Atera Agent and Splashtop Remote Services. Microsoft notes, “The use of RMM software allowed the threat actor to retain critical C2 functions while masquerading as a legitimate utility, which made it less likely to be detected than a remote access trojan (RAT).”
2. Using Web Shells for Command and Control (C2)
Since late 2021, the subgroup has used web shells for persistent access, often deploying them after exploiting vulnerabilities in:
- Microsoft Exchange (CVE-2021-34473, the pre-authentication path confusion flaw in the ProxyShell chain)
- Zimbra Collaboration (CVE-2022-41352, an arbitrary file write via malicious archive attachments)
These web shells allow attackers to execute arbitrary commands, upload/download files, and maintain access to compromised systems.
3. Leveraging the “ShadowLink” Persistence Mechanism
A particularly sophisticated technique used by BadPilot is ShadowLink, which converts compromised systems into Tor hidden services. This allows attackers to remotely access infected machines while evading detection.
Microsoft explains, “Systems compromised with ShadowLink receive a unique .onion address, making them remotely accessible via the Tor network. This capability allows Seashell Blizzard to bypass common exploit patterns of deploying a RAT, instead using the Tor hidden service to cloak all inbound connections.”
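The two persistence techniques above, a Tor hidden service fronting a local remote-access port and an RMM agent installed where none should be, both leave artefacts a defender can hunt for: a torrc with HiddenServiceDir/HiddenServicePort lines, and a service entry whose binary is tor.exe, Atera or Splashtop. The following is an added hunting example, not Microsoft's tooling or anything from the actor's toolkit. The torrc text and the service inventory are constructed inline; the host names, paths and the assumption that the hidden service fronts RDP (the page does not say which local port ShadowLink exposes) are illustrative.

```python
"""Hunt for ShadowLink-style Tor hidden-service persistence and unexpected RMM agents.

Added example, not Microsoft's tooling or the threat actor's code. The torrc and the
service inventory below are constructed; host names, paths and the RDP forwarding
target are assumptions for illustration.
"""
from dataclasses import dataclass

# Local ports an attacker would most plausibly expose through a hidden service.
# Assumption: the page does not state which service ShadowLink fronts.
INTERACTIVE_PORTS = {3389: "RDP", 445: "SMB", 5985: "WinRM", 5986: "WinRM-HTTPS", 22: "SSH"}

# Tor plus the RMM products named on the page; matched case-insensitively against the
# service binary path. Anything else is treated as benign in this example.
SUSPECT_BINARIES = ("tor.exe", "ateraagent", "splashtop", "srservice", "agentpackage")


@dataclass
class Finding:
    kind: str
    detail: str


def parse_torrc(text: str) -> list[Finding]:
    """Flag HiddenServiceDir and HiddenServicePort lines.

    A HiddenServicePort line maps a virtual port on the .onion address to a local
    target; when only a port is given, Tor forwards to 127.0.0.1 on that port.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key == "HiddenServiceDir":
            findings.append(Finding("tor_hidden_service_dir", value.strip()))
        elif key == "HiddenServicePort":
            parts = value.split()
            virt = int(parts[0])
            target = parts[1] if len(parts) > 1 else parts[0]
            host, _, port = target.rpartition(":")
            if not port.isdigit():                    # e.g. unix:/path targets
                findings.append(Finding("tor_hidden_service_port_MEDIUM", f"onion:{virt} -> {target}"))
                continue
            host = host or "127.0.0.1"
            label = INTERACTIVE_PORTS.get(int(port))
            sev = "HIGH" if label else "MEDIUM"
            suffix = f" ({label})" if label else ""
            findings.append(Finding(f"tor_hidden_service_port_{sev}", f"onion:{virt} -> {host}:{port}{suffix}"))
    return findings


def scan_services(services: list[dict], approved_rmm_hosts: set[str]) -> list[Finding]:
    """Flag Tor or RMM service binaries; RMM is tolerated only on approved hosts."""
    findings = []
    for svc in services:
        path = svc["path"].lower()
        if not any(marker in path for marker in SUSPECT_BINARIES):
            continue
        if svc["host"].lower() in approved_rmm_hosts and "tor.exe" not in path:
            continue
        findings.append(Finding("unexpected_remote_access_service",
                                f'{svc["host"]}: {svc["name"]} -> {svc["path"]}'))
    return findings


# Constructed sample torrc, not a captured artefact.
SAMPLE_TORRC = """\
# sample torrc
DataDirectory C:\\ProgramData\\tor\\data
HiddenServiceDir C:\\ProgramData\\tor\\hs
HiddenServicePort 3389 127.0.0.1:3389
HiddenServicePort 8443 443
"""

# Constructed service inventory (as exported from e.g. Get-CimInstance Win32_Service).
SAMPLE_SERVICES = [
    {"host": "MAIL01", "name": "TorService",
     "path": r"C:\ProgramData\tor\tor.exe -f C:\ProgramData\tor\torrc"},
    {"host": "MAIL01", "name": "AteraAgent",
     "path": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"},
    {"host": "WKS-HELPDESK", "name": "AteraAgent",
     "path": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"},
    {"host": "MAIL01", "name": "W32Time",
     "path": r"C:\Windows\system32\svchost.exe -k LocalService"},
]
APPROVED_RMM_HOSTS = {"wks-helpdesk"}   # assumed: the helpdesk workstation legitimately runs Atera


def hunt() -> list[Finding]:
    """Run both checks over the constructed samples and return every finding."""
    return parse_torrc(SAMPLE_TORRC) + scan_services(SAMPLE_SERVICES, APPROVED_RMM_HOSTS)


if __name__ == "__main__":
    for f in hunt():
        print(f"[{f.kind}] {f.detail}")
```

The severity split matters in practice: a hidden service forwarding to 3389 or 445 on a mail server is the ShadowLink pattern and warrants immediate isolation, whereas an RMM agent is only suspicious on hosts the IT team never enrolled, so the allowlist is what keeps the check from paging on every helpdesk machine.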
Once inside a target network, BadPilot engages in aggressive credential theft and data exfiltration, employing methods such as:
- Dumping credentials from LSASS (Local Security Authority Subsystem Service)
- Deploying tunneling utilities like Chisel and rsockstun
- Modifying login portals to steal usernames and passwords in real-time
Microsoft has identified multiple attacker-controlled domains used for credential theft, including:
- hwupdates[.]com
- cloud-sync[.]org
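Login-portal tampering of the kind listed above usually shows up as a changed page file and a form action or script source that points off-site, often to one of the attacker-controlled domains. The following is an added example of how to check a served sign-in page for both, not code from Microsoft's report. The page HTML, the baseline hash and the organisation's own domains are constructed; the two IOC domains are the ones named on this page, refanged for matching.

```python
"""Check a served login page for credential-harvesting modifications.

Added example, not part of Microsoft's report. The page contents, baseline hash and
organisation domains are constructed; only the IOC domains come from the text above.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains from the page, written defanged there; refanged here so hosts can be matched.
IOC_DOMAINS = {d.replace("[.]", ".") for d in ("hwupdates[.]com", "cloud-sync[.]org")}


class _RefCollector(HTMLParser):
    """Collect form actions and script/iframe/img src values from the page."""

    def __init__(self):
        super().__init__()
        self.refs: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.refs.append(("form_action", a["action"]))
        elif tag in ("script", "iframe", "img") and a.get("src"):
            self.refs.append((f"{tag}_src", a["src"]))


def _under(host: str, domains: set[str]) -> bool:
    return host in domains or any(host.endswith("." + d) for d in domains)


def external_refs(html: str, own_domains: set[str]) -> list[tuple[str, str, str]]:
    """Return (kind, url, verdict) for every reference whose host is not ours.

    verdict is 'known_ioc' when the host is (under) an IOC domain, otherwise
    'unknown_external'. Relative URLs are same-origin and are skipped.
    """
    p = _RefCollector()
    p.feed(html)
    out = []
    for kind, url in p.refs:
        host = urlparse(url).hostname
        if host is None:
            continue
        host = host.lower()
        if _under(host, own_domains):
            continue
        out.append((kind, url, "known_ioc" if _under(host, IOC_DOMAINS) else "unknown_external"))
    return out


def page_tampered(html: str, baseline_sha256: str) -> bool:
    """Cheapest check first: the served page no longer matches the known-good hash."""
    return hashlib.sha256(html.encode()).hexdigest() != baseline_sha256


# Constructed stand-in for an OWA-style sign-in page; the paths are illustrative.
CLEAN_PAGE = """<html><body>
<form action="/owa/auth.owa" method="post">
<input name="username"><input name="password" type="password"></form>
<script src="/owa/auth/scripts/flogon.js"></script>
</body></html>"""

# Constructed tampered copy: one extra script tag loading from an attacker host. The
# injected script itself is not shown; the off-site reference is what we detect.
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</body>", '<script src="https://cdn.hwupdates.com/owa.js"></script></body>')

BASELINE_SHA256 = hashlib.sha256(CLEAN_PAGE.encode()).hexdigest()   # taken at deploy time
OWN_DOMAINS = {"example.org"}                                        # assumed organisation domain


def audit(html: str) -> dict:
    """Combine the hash check with the reference scan for one served page."""
    return {"tampered": page_tampered(html, BASELINE_SHA256),
            "external": external_refs(html, OWN_DOMAINS)}


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, audit(page))
```

The hash comparison catches any edit to the file on disk, including injected inline JavaScript that references no external host at all, while the reference scan also covers the case where the actor serves a modified page without touching the original file (a proxy or a rewritten vhost), which a file hash alone would miss. Run it against the page as fetched over HTTPS from outside, not against the file on the server.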
The BadPilot campaign represents an alarming escalation in Russian cyber operations, expanding beyond Ukraine to target organizations across North America, Europe, and Asia.
Microsoft warns that “Seashell Blizzard’s far-reaching access operations pose a significant risk to organizations within the group’s strategic purview.”