APT28 Russian hackers exploited two zero-day flaws in the wild

FireEye recently detected a new highly targeted attack run by APT28 exploiting two zero-day flaws to compromise an “international government entity”.

Security experts at FireEye have recently detected a new cyber espionage campaign, dubbed “Operation RussianDoll,” operated by the Russian APT28 group. This time the hackers run highly targeted attack by exploiting two zero-day vulnerabilities to target an “international government entity”.

In October 2014, the experts at FireEye published a report on the activity of a group of Russian hackers, dubbed APT28, that is behind long-running cyber espionage campaigns that targeted US defense contractors, European security organizations and Eastern European government entities.

The hackers also targeted attendees of European defense exhibitions, including the EuroNaval 2014, EUROSATORY 2014, and the Counter Terror Expo and the Farnborough Airshow 2014.

The APT28 took advantage of vulnerabilities in Adobe Flash software (CVE-2015-3043) and Windows operating system (CVE-2015-1701).

“FireEye said that Adobe had issued a fix for the security weakness on Tuesday, so that users with the most current versions should be protected. The Microsoft problem by itself is less dangerous, since it involves enhanced powers on a computer from those of an ordinary user.” reported the Reuters Agency.

“While there is not yet a patch available for the Windows vulnerability, updating Adobe Flash to the latest version will render this in-the-wild exploit innocuous,” states the report published by FireEye. “We have only seen CVE-2015-1701 in use in conjunction with the Adobe Flash exploit for CVE-2015-3043. We are working with the Microsoft Security Team on CVE-2015-1701.”

“Because CVE-2015-3043 is already patched, this remote exploit will not succeed on a fully patched system,” FireEye said. “If an attacker wanted to exploit CVE-2015-1701, they would first have to be executing code on the victim’s machine. Baring authorized access to the victim’s machine, the attacker would have to find some other means, such as crafting a new Flash exploit, to deliver a CVE-2015-1701 payload.”

The vulnerability affecting Windows OS is still present, a Microsoft spokesman confirmed it and added that the company was working on a patch.

Investigators at several security firms believe that APT28 was responsible for a serious breach at U.S. State Department computers in November 2014, and the experts speculate that the team also compromised an unclassified network at the White House accessing sensitive information, including the President Obama agenda.

FireEye doesn’t confirm that APT28 is behind the two incidents.

FireEye researchers collected evidences that the APT28 group is linked to the Russian Government, the team of hackers “does not appear to conduct widespread intellectual property theft for economic gain, but instead is focused on collecting intelligence that would be most useful to a government.”

“APT28 appeared to target individuals affiliated with European security organizations and global multilateral institutions. The Russian government has long cited European security organizations like NATO and the OSCE as existential threats, particularly during periods of increased tension in Europe,” FireEye reported.”

APT28 is active since 2007 and it has targeted governments, militaries, and security organizations. The group focused its hacking campaign on targets that would be of interest to Russia, such as the Caucasus region with a focus on Georgia.

Stay Tuned …

Pierluigi Paganini

(Security Affairs –  APT28, Russian hackers)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

5 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

12 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

23 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

This website uses cookies.