APT28 Russian hackers exploited two zero-day flaws in the wild

FireEye recently detected a new highly targeted attack run by APT28 exploiting two zero-day flaws to compromise an “international government entity”.

Security experts at FireEye have recently detected a new cyber espionage campaign, dubbed “Operation RussianDoll,” operated by the Russian APT28 group. This time the hackers run highly targeted attack by exploiting two zero-day vulnerabilities to target an “international government entity”.

In October 2014, the experts at FireEye published a report on the activity of a group of Russian hackers, dubbed APT28, that is behind long-running cyber espionage campaigns that targeted US defense contractors, European security organizations and Eastern European government entities.

The hackers also targeted attendees of European defense exhibitions, including the EuroNaval 2014, EUROSATORY 2014, and the Counter Terror Expo and the Farnborough Airshow 2014.

The APT28 took advantage of vulnerabilities in Adobe Flash software (CVE-2015-3043) and Windows operating system (CVE-2015-1701).

“FireEye said that Adobe had issued a fix for the security weakness on Tuesday, so that users with the most current versions should be protected. The Microsoft problem by itself is less dangerous, since it involves enhanced powers on a computer from those of an ordinary user.” reported the Reuters Agency.

“While there is not yet a patch available for the Windows vulnerability, updating Adobe Flash to the latest version will render this in-the-wild exploit innocuous,” states the report published by FireEye. “We have only seen CVE-2015-1701 in use in conjunction with the Adobe Flash exploit for CVE-2015-3043. We are working with the Microsoft Security Team on CVE-2015-1701.”

“Because CVE-2015-3043 is already patched, this remote exploit will not succeed on a fully patched system,” FireEye said. “If an attacker wanted to exploit CVE-2015-1701, they would first have to be executing code on the victim’s machine. Baring authorized access to the victim’s machine, the attacker would have to find some other means, such as crafting a new Flash exploit, to deliver a CVE-2015-1701 payload.”

The vulnerability affecting Windows OS is still present, a Microsoft spokesman confirmed it and added that the company was working on a patch.

Investigators at several security firms believe that APT28 was responsible for a serious breach at U.S. State Department computers in November 2014, and the experts speculate that the team also compromised an unclassified network at the White House accessing sensitive information, including the President Obama agenda.

FireEye doesn’t confirm that APT28 is behind the two incidents.

FireEye researchers collected evidences that the APT28 group is linked to the Russian Government, the team of hackers “does not appear to conduct widespread intellectual property theft for economic gain, but instead is focused on collecting intelligence that would be most useful to a government.”

“APT28 appeared to target individuals affiliated with European security organizations and global multilateral institutions. The Russian government has long cited European security organizations like NATO and the OSCE as existential threats, particularly during periods of increased tension in Europe,” FireEye reported.”

APT28 is active since 2007 and it has targeted governments, militaries, and security organizations. The group focused its hacking campaign on targets that would be of interest to Russia, such as the Caucasus region with a focus on Georgia.

Stay Tuned …

Pierluigi Paganini

(Security Affairs –  APT28, Russian hackers)