Russian Hackers Use Adobe and Microsoft Vulnerabilities to Get Data

Security company FireEye Inc. has detected attacks from Russian hackers against government officials involved in discussing U.S. sanctions against Russia.  FireEye says that this attack was perpetrated by a group they refer to as Advanced Persistent Threat 28 (APT28).  The attack was stopped before any data was stolen.

The attack took advantage of two previously unknown vulnerabilities, one in Adobe Flash Player and one in Microsoft Windows.  The Flash Player vulnerability allows arbitrary code execution by the attacker: opening a certain type of malformed .FLV file in the player triggers a buffer overflow.  Using it, the attackers were able to download and run a malicious program on the victim's Windows machine.

The second part of the attack used a vulnerability in Windows that allowed any user to execute programs with System privileges.  Combining the two, APT28 was able to execute any program on any Windows version predating Windows 8 that had Adobe Flash Player installed.  Adobe has since released a patch fixing its vulnerability.  Microsoft has not yet, but a Microsoft spokesperson says that they are working on one.  The Microsoft vulnerability is much less dangerous on its own, since exploiting it already requires the attacker to be able to execute code on the machine.

APT28 is a Russian hacker group suspected of working for the Russian government.  According to FireEye, they have been active since 2007.  In the past, their targets have included U.S. military attachés, U.S. defense contractors, NATO alliance offices, members of the media who have interviewed President Obama, and government officials from Georgia and other nations of interest to the Russian government.

This attack was discovered by FireEye because one of the intended victims was a FireEye customer.

John Deeney

https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html

http://www.reuters.com/article/2015/04/18/us-russia-cyberattack-idUSKBN0N90RQ20150418

http://www.bloomberg.com/news/articles/2015-04-18/russian-hackers-use-zero-days-in-attempt-to-get-sanctions-data