Russian APT group actively exploiting Flash, Windows 0-day flaws
APT28, believed to consist of Russian hackers, has been spotted wielding two zero-day exploits in the latest targeted attack aimed at an “international government entity in an industry vertical that aligns with known APT28 targeting.”
According to FireEye researchers, the group, which appears to be the same one behind the “Pawn Storm” campaigns and which has recently been found targeting NATO members and the White House, has since April 13, 2015 been exploiting an Adobe Flash vulnerability (CVE-2015-3043) together with a local privilege escalation vulnerability in Windows (CVE-2015-1701, which does not affect Windows 8 and later).
While the former bug was patched last week, Microsoft is still working on a fix for the latter. The good news is that updating Adobe Flash to the latest version renders the exploit for the Windows vulnerability innocuous, because the Flash exploit is what delivers it.
The attack unfolds like this: the user follows a link to a website controlled by the attackers; the HTML/JS launcher page serves the Flash exploit, which triggers the CVE-2015-3043 vulnerability and executes shellcode; the shellcode downloads and runs an executable payload, which exploits the CVE-2015-1701 flaw to modify the attacker’s process token so that it carries the same privileges as the System process.
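The chain above has two observable seams a defender can look for in endpoint telemetry: a browser process spawning an executable that was written to a user-writable location, and a process lineage that jumps from a standard user account to SYSTEM without passing through a known service host. The following is an added illustration written for this article, not code from FireEye or from the article itself; the process events, image names, user-writable path fragments and browser names are all constructed assumptions, and the logic is a heuristic rather than a signature for this specific campaign.

```python
"""Heuristic detection over process-creation events for the described chain.

Constructed example (not from the article): it flags (1) a browser process
launching an executable from a user-writable path, and (2) a child process
running as SYSTEM whose parent ran as an ordinary user. Both conditions are
generic heuristics and will need tuning against legitimate software.
"""
from dataclasses import dataclass

# Assumed browser image names and user-writable path fragments (lower-cased).
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\")
SYSTEM_ACCOUNT = "nt authority\\system"


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    path: str   # full image path of the new process
    user: str   # account the process token belongs to at creation


def basename(path: str) -> str:
    """Return the lower-cased file name portion of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious_chains(events):
    """Return a list of (pid, reason) findings for the events given.

    The parent is resolved by pid; events whose parent is not in the batch
    are ignored, so callers should feed a contiguous window of events.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        # Seam 1: browser -> executable dropped in a user-writable directory.
        if basename(parent.path) in BROWSERS and any(
            frag in e.path.lower() for frag in USER_WRITABLE
        ):
            findings.append((e.pid, "browser spawned executable from user-writable path"))
        # Seam 2: privilege jump within a lineage (user-level parent, SYSTEM child).
        if (parent.user.lower() != SYSTEM_ACCOUNT
                and e.user.lower() == SYSTEM_ACCOUNT):
            findings.append((e.pid, "SYSTEM child of a user-level parent"))
    return findings


# Constructed sample telemetry: one benign lineage and one matching the chain.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "C:\\Windows\\explorer.exe", "CORP\\alice"),
    ProcEvent(200, 100, "C:\\Program Files\\Internet Explorer\\iexplore.exe", "CORP\\alice"),
    ProcEvent(300, 200, "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "CORP\\alice"),
    ProcEvent(400, 300, "C:\\Windows\\System32\\cmd.exe", "NT AUTHORITY\\SYSTEM"),
    ProcEvent(500, 1, "C:\\Windows\\System32\\services.exe", "NT AUTHORITY\\SYSTEM"),
    ProcEvent(600, 500, "C:\\Windows\\System32\\svchost.exe", "NT AUTHORITY\\SYSTEM"),
    ProcEvent(700, 100, "C:\\Windows\\System32\\notepad.exe", "CORP\\alice"),
]

if __name__ == "__main__":
    for pid, reason in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

Running it on the constructed sample flags pid 300 (the executable dropped from the browser into Temp) and pid 400 (a SYSTEM-level child of that user-level payload), while the services.exe/svchost.exe and notepad.exe lineages stay quiet. The second rule will also fire on legitimate elevation paths, so in practice it is a triage signal to be combined with path, signer and parent-image context rather than an alert on its own.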
The exploit also delivers a malware variant that shares characteristics with the CHOPSTICK and CORESHELL backdoor families used by APT28, the researchers found. Other similarities, along with the locations of the C&C servers, point to APT28 being the group behind the attack.
“Because CVE-2015-3043 is already patched, this remote exploit will not succeed on a fully patched system,” they added. “If an attacker wanted to exploit CVE-2015-1701, they would first have to be executing code on the victim’s machine. Barring authorized access to the victim’s machine, the attacker would have to find some other means, such as crafting a new Flash exploit, to deliver a CVE-2015-1701 payload.”
The researchers consider the group to be highly skilled, but, as technologist James DeLuccia noted, the use of zero-day exploits does not by itself indicate sophistication; it only shows that the group has the budget to buy such vulnerabilities on the open market.
“These are easily available and a successful attack could be orchestrated with less than $10k. According to public sources, the very expensive vulnerabilities cost around $100k. Easily within the reach of any financed attack group,” he commented.
FireEye declined to name the targeted entity, and to say whether the attackers are the same ones that attacked the US State Department and the White House late last year.
For more details about the vulnerabilities and exploits the group used in this last campaign, check out this blog post.