Pawn Storm Overview
This is an analysis of a threat actor that goes by many names including: Pawn Storm, APT28, and Fancy Bear. The bad actor seems to be a group based in Russia with alleged strong links to the Russian military particularly the GRU (Russian military intelligence).
Tactics, Techniques, and Procedures
Pawn Storm is known for using a variety of compromise methods, but gathering user credentials appears to be the method used most often. Well-known, reputable email addresses are collected through obfuscated routing to avoid being traced. These emails are then used in phishing campaigns.
Once inside networks Pawn Storm uses classic lateral movement techniques including, credential dumping, pass the hash techniques, Bootkits, rookits, and access token manipulation to achieve its goal. These target the Windows Operating System and modern hardware platforms. For example, the threat actor designed a rootkit trojan, called LoJax, that targets the Unified Extensible Firmware Interface (UEFI) firmware. LoJax’s main purpose is to maintain the persistence of remote access software. LoJax can load an embedded driver that modifies NTFS partitions on infected systems. The trojan can also use the Windows Registry by modifying a specific key for longer term persistence.
Changes: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
From a phishing perspective, Pawn Storm uses shared/commercial VPNs to connect to server infrastructure. The server setup usually involves a dedicated server which is used to facilitate communications with the desired target. When setting up the VPN, Pawn Storm uses the OpenVPN option when connecting to their spam servers and likes to maintain careful network paths to avoid DNS leaks. It utilizes DNS SPF (Sender Policy Framework) to avoid spam filtering. They do this by having certain domain names show up in the EHLO command when the spam messages are being sent. This means when any message is received, a DNS request goes out from the target’s email server to the domain name provided in the EHLO command. The goal of their phishing campaigns is to gain credentials which they can use to get initial access to the target’s network.
From an enumeration perspective, Pawn Storm is quite loud when they scan for vulnerable systems. The ports they like to target are Ports 445/TCP (SMB) and 1433/TCP (Microsoft SQL Server) originating from the same server IP. These scans reach far and wide looking for vulnerable systems that can be cataloged for later exploitation.
A successful attack could result in a myriad of actions including the following:
- Successful phishing leading to the loss of sensitive user credentials
- Lateral movement techniques that can lead to privilege escalation and malware propagation in the network
- Unwanted scanning of external facing systems
- Loss of valuable information resulting in a nation state level adversary gathering intelligence about core business operations
- Use of compromised mail server used to send spam
- Review the IOCs found in the IBM X-Force Exchange and Trend Micro White Paper links
- Consider implementing the following detection methodologies:
- Use firewall to block external hosts from accessing ports 1433/tcp and 445/tcp
- Preemptively block the domain server[.]com at the firewall
- Monitor hosts for the presence of unauthorized tools like Mimikatz in your environment
- The file integrity monitoring functions of AlienVault and LogRhythm can be used to accomplish this
- Utilize process monitoring to find unexpected process interactions with lsass.exe
- Disable the use of PowerShell and cmd.exe in your environment except for users who require those applications for their job roles
- If you require the use of command line tools in your environment:
- Consider forwarding PowerShell and Command Line logs to your SIEM device of choice
- Perform regular user training on how to guard against phishing and build a reporting mechanism for any user to report suspected phishing attempts
- Trend Micro White Paper: https://documents.trendmicro.com/assets/white_papers/wp-pawn-storm-in-2019.pdf
- CrowdStrike Write Up: https://www.crowdstrike.com/blog/who-is-fancy-bear/
- Mitre Profile: https://attack.mitre.org/groups/G0007/
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.
Contact us for more information about Avertium’s managed detection and response service capabilities.