Last week, Trend Micro released a report highlighting the recent tools, tactics and procedures of Pawn Storm, also known as APT28, Fancy Bear and Strontium. Trend has been tracking this group for over a decade, releasing reports in 2014 and 2017 on its activities at the time. In this most recent report, Trend sheds light on a credential-theft phishing campaign of a kind that is all too common in the current threat landscape.
The 15-page report, available here (pdf), shows how Pawn Storm operators started using stolen email credentials from "high-profile targets" to send out spam messages while masking their tracks behind commercial VPN providers. We've noted previously, both on Secplicity and on The 443 Podcast, how attackers use stolen credentials to execute wide-ranging attacks. In the case of Pawn Storm, Trend found that the attackers were probing for the network ports of exposed email services and then brute-forcing credentials against those services.
The report concludes with several good tips for organizations of any size to defend against these threats. Requiring two-factor authentication, educating employees on common phishing techniques, and regularly monitoring internet-facing infrastructure are bare-bones basics that every organization should already be doing, because they blunt not just APT28's latest techniques but the credential-based attacks that most adversaries rely on.
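The probing-and-brute-forcing behaviour Trend describes is exactly what "regularly monitoring infrastructure" should catch. As an added example, not code from the Trend Micro report or from Secplicity, the Python below runs a sliding-window detector over mail-server authentication failures. The log lines are constructed for this example; their format is an assumed, simplified approximation of Dovecot-style login failure messages with an ISO timestamp in front, and the thresholds (5 failures in 10 minutes, 3 distinct accounts to count as spraying) are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the Trend Micro report). The line format is an
# assumed, simplified approximation of Dovecot's login/auth-failure messages with
# an ISO timestamp in front; adapt LINE_RE to your own mail server's format.
SAMPLE_LOG = """\
2019-12-13T09:00:01 mail imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5
2019-12-13T09:00:09 mail imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5
2019-12-13T09:00:15 mail pop3-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<alice>, method=PLAIN, rip=198.51.100.7
2019-12-13T09:00:31 mail imap-login: Disconnected (auth failed, 2 attempts in 4 secs): user=<alice>, method=PLAIN, rip=203.0.113.5
2019-12-13T09:00:40 mail imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.44
2019-12-13T09:00:55 mail pop3-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<bob>, method=PLAIN, rip=198.51.100.7
2019-12-13T09:01:10 mail imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5
2019-12-13T09:01:30 mail pop3-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<carol>, method=PLAIN, rip=198.51.100.7
2019-12-13T09:02:02 mail pop3-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<dave>, method=PLAIN, rip=198.51.100.7
2019-12-13T09:02:40 mail pop3-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<erin>, method=PLAIN, rip=198.51.100.7
2019-12-13T09:03:00 mail submission-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=LOGIN, rip=192.0.2.44
2019-12-13T09:03:05 mail imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5
2019-12-13T09:45:00 mail submission-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=LOGIN, rip=192.0.2.44
"""

# Only auth-failure disconnects match; successful "Login:" lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<svc>[a-z0-9]+)-login: "
    r"Disconnected \(auth failed, (?P<n>\d+) attempts[^)]*\): "
    r"user=<(?P<user>[^>]*)>, method=\S+, rip=(?P<rip>[0-9a-fA-F.:]+)"
)


def parse_line(line):
    """Return a dict for an auth-failure line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "service": m["svc"],
        "attempts": int(m["n"]),   # one connection can carry several attempts
        "user": m["user"],
        "rip": m["rip"],
    }


def detect_auth_abuse(lines, max_failures=5, window=timedelta(minutes=10), min_users=3):
    """Sliding-window count of failed mail logins per remote IP.

    Fires one alert per source the first time it reaches max_failures within
    `window` (lines are assumed to arrive in time order). A source that spreads
    its failures over at least `min_users` accounts is labelled password
    spraying rather than a single-account brute force, because a per-account
    lockout policy alone would not stop it.
    """
    history = defaultdict(deque)   # rip -> deque of (ts, user, attempts)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = history[ev["rip"]]
        q.append((ev["ts"], ev["user"], ev["attempts"]))
        # Expire events older than the window relative to the newest event.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        total = sum(n for _, _, n in q)
        if total >= max_failures and ev["rip"] not in alerted:
            users = sorted({u for _, u, _ in q})
            alerts.append({
                "rip": ev["rip"],
                "kind": "password_spray" if len(users) >= min_users else "brute_force",
                "failures": total,
                "users": users,
                "first_seen": q[0][0],
                "last_seen": ev["ts"],
            })
            alerted.add(ev["rip"])
    return alerts


if __name__ == "__main__":
    for a in detect_auth_abuse(SAMPLE_LOG.splitlines()):
        print(f"{a['rip']}: {a['kind']} ({a['failures']} failures, users={a['users']})")
```

On the constructed sample this flags 203.0.113.5 for hammering a single account and 198.51.100.7 for trying one password across five accounts, while 192.0.2.44's two failures 42 minutes apart stay below the threshold. Keying on source IP is the obvious first cut, but it is also the weakest one against the tradecraft described in the post: an operator rotating through commercial VPN exit nodes never trips a per-IP count. Run the same window keyed on the target username and on total failures across the whole service as well, and treat successful logins that follow a burst of failures from any source as the event most worth paging on.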