Zero-Day Outlook Exploit: Fighting Ursa Targets NATO and Critical Infrastructure

Fighting Ursa, also known as APT28, has emerged as a sophisticated cyber threat, exploiting a critical vulnerability in Microsoft Outlook (CVE-2023-23397) to carry out covert operations. Unit 42 researchers revealed this active campaign in a recent blog. This group, believed to be linked to Russia’s military intelligence, leverages this exploit to conduct strategically targeted attacks, notably without requiring user interaction.

APT28’s campaigns have spanned 20 months, affecting at least 30 organizations across 14 nations, including NATO member countries, Ukraine, Jordan, and the United Arab Emirates. Their targets encompass a variety of sectors such as energy production, defense, foreign affairs, and more, indicating a focus on entities of diplomatic, economic, and military significance.

Malicious task request sent to Montenegrin Ministry of Defense account | Image: Unit 42

The group employs the CVE-2023-23397 vulnerability in Microsoft Outlook, allowing them to execute relay attacks using NTLM hashes. This method enables them to impersonate victims and access sensitive networks, showcasing their advanced capability in cyber espionage.

Governments and organizations, particularly those utilizing Microsoft Outlook, are urged to patch CVE-2023-23397 promptly and configure their systems to defend against such attacks. The ongoing activities of Fighting Ursa underline the importance of proactive cybersecurity measures in an increasingly digital world.

The activities of Fighting Ursa, or APT28, underscore the evolving landscape of cyber threats and the necessity for constant vigilance. Their ability to carry out targeted attacks against high-value targets demonstrates the need for enhanced security protocols and awareness in the digital arena.