APT gang caught exploiting Flash and Windows zero-days

News by Adrian Bridgwater

Cyber-security firm FireEye details zero-day exploits perpetrated by 'nation-state' sponsored threat actors.

FireEye Labs has detected a limited and targeted Advanced Persistent Threat (APT) campaign designed to exploit zero-day vulnerabilities in Adobe Flash and Microsoft Windows. The cyber-security firm says it believes that the attack “may be” perpetrated by Russian nation-state sponsored threat actors.

Adobe has already independently patched the Flash vulnerability. At the time of writing, Microsoft is aware of the Windows local privilege escalation vulnerability, which remains unpatched.

Using the firm's own Dynamic Threat Intelligence (DTI) cloud service, FireEye researchers detected a pattern of attacks beginning on April 13 this year. The highly complex attacks are said to have been targeted at “specific foreign government organisations”, although no further geographic area of impact or shape of victim organisation could be detailed.

Bad guys are forever

FireEye's Dave Merkel says he realises that news of Russia potentially hacking foreign governments is not necessarily news but, he says, it helps if we remind ourselves that “bad guys are forever”, as he puts it, and that “Nation-states [like Russia in this case] will target both public and private organisations to get what they want to further their national strategies.”

According to FireEye, the lesson here for businesses is that nation states have a) significant capabilities to target governments and enterprises with malware and/or b) the opportunity and ability to purchase information about zero-day exploits for popular software packages that every organisation uses.

“If you think you aren't a target, think again. Cyber weapons (if you will pardon the hyperbole) proliferate much faster than those in the physical realm. The rising tide raises all ships. Expect to see these exploits everywhere and anywhere sometime soon,” blogged Merkel.

The exploit chain starts when a user clicks a link to an attacker-controlled website. An un-obfuscated HTML/JavaScript launcher page then serves a Flash exploit, which triggers execution of shellcode. The shellcode downloads and runs an executable payload on the user's machine, and that payload uses the Windows local privilege escalation vulnerability to steal a system token, so that the attacker's code runs with elevated privileges rather than those of the logged-in user. In less technical terms, the doors are opened for the attackers to steal data or do damage.
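The three stages above (HTML launcher, then an SWF, then an executable, all fetched from the same attacker host within moments of each other) are a pattern a defender can look for in web proxy logs without needing a signature for the exploit itself. The script below is an added example, not FireEye's tooling or code from this article. The log layout (space-separated time, client, method, URL, status and content type) and the sample lines are constructed for the illustration; a real deployment would map the proxy's actual fields and normalise its content types.

```python
"""Flag the launcher -> Flash -> executable fetch sequence in proxy logs.

Added example: the log format below is an assumed space-separated layout
(time, client, method, url, status, content-type) and the lines are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log. 10.0.0.7 plays an ordinary Flash ad from an ad host
# (no executable follows); 10.0.0.21 fetches a launcher page, an SWF and then
# an EXE from one attacker host within a minute, the chain the article describes.
SAMPLE_LOG = """\
2015-04-13T09:12:01 10.0.0.7 GET http://news.example/index.html 200 text/html
2015-04-13T09:12:03 10.0.0.7 GET http://ads.example/banner.swf 200 application/x-shockwave-flash
2015-04-13T09:15:44 10.0.0.21 GET http://attacker.invalid/launcher.html 200 text/html
2015-04-13T09:15:45 10.0.0.21 GET http://attacker.invalid/exploit.swf 200 application/x-shockwave-flash
2015-04-13T09:15:49 10.0.0.21 GET http://attacker.invalid/payload.exe 200 application/x-msdownload
2015-04-13T11:02:10 10.0.0.7 GET http://news.example/story.html 200 text/html
"""

# Content types mapped to the stage of the chain they represent (assumed set).
STAGE_TYPES = {
    "text/html": "launcher",
    "application/x-shockwave-flash": "flash",
    "application/x-msdownload": "payload",
    "application/octet-stream": "payload",
}
CHAIN = ["launcher", "flash", "payload"]


def parse_log(text):
    """Yield (time, client, host, stage) for each line whose content type is a chain stage."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status, ctype = line.split()
        stage = STAGE_TYPES.get(ctype.split(";")[0].lower())
        if stage is None:
            continue
        yield datetime.fromisoformat(ts), client, urlparse(url).hostname, stage


def find_exploit_chains(text, window=timedelta(seconds=60)):
    """Return (client, host) pairs that fetched launcher, flash and payload,
    in that order and from the same host, within `window` of the launcher."""
    events = defaultdict(list)  # (client, host) -> [(time, stage), ...]
    for ts, client, host, stage in parse_log(text):
        events[(client, host)].append((ts, stage))

    hits = []
    for key, evs in events.items():
        evs.sort()
        for i, (start, stage) in enumerate(evs):
            if stage != CHAIN[0]:
                continue
            want = 1  # index of the next stage we need to see
            for ts, s in evs[i + 1:]:
                if ts - start > window:
                    break  # too slow to be the same exploit chain
                if s == CHAIN[want]:
                    want += 1
                    if want == len(CHAIN):
                        hits.append(key)
                        break
            if key in hits:
                break  # one report per client/host pair is enough
    return hits


if __name__ == "__main__":
    for client, host in find_exploit_chains(SAMPLE_LOG):
        print(f"possible Flash exploit chain: client {client} from host {host}")
```

The check deliberately keys on the sequence and the shared host rather than on any file name or URL, since those are trivially changed by the attacker; the cost is that a site which legitimately serves HTML, an SWF and a download from one host in quick succession will also be flagged, so treat a hit as a lead for the proxy and endpoint logs rather than a verdict.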

Security specialist at Bratislava-founded security company ESET, Mark James, told SCMagazineUK.com that it makes sense to target a program that a very large number of users will have on their machine and that (sadly) a lot of users will not keep up to date.

“There are a good selection of common programs that the majority of individuals and businesses use on a daily basis and concentrating on their zero day exploits has proven in the past to be very lucrative,” said James.

“Nation-state targeted attacks are very difficult to prove, but we need to be realistic about the fact that they are a very real threat - they have time, resources and money on their side, and with so many of our resources controlled by computers it makes perfect sense for these to be targeted from a much higher level. The type of data that is being stolen is, of course, also harder to detect - if someone steals your credit card data you will know as soon as your funds start disappearing, but the types of data that are taken in these instances may take years to come to light, if at all,” added James.

Zero-day black market

Nation-state sponsored threats are not confined to Russia, China and other 'usual suspect' territories: Stuxnet is widely believed to have emanated from the United States. The shape of these threats continues to morph, and the possibility of a black market trade developing in zero-day vulnerabilities themselves has been mooted. Forewarned is forearmed, and that appears to be the safest route forward.
