According to a report issued by security firm FireEye last October, a group of hackers known as APT28 has been secretly targeting government organizations around the world to gather as yet unknown information in a campaign with its roots in Russia. Specifically, FireEye was able to determine that APT28 has an apparent government sponsor located in Moscow. Unlike many of the China-based threats that have made recent headlines, the hackers of APT28 do not appear to be seeking financial gain from the intellectual property stolen during a breach.
Instead, this group targets intellectual property that would be useful to a government with unknown intentions. FireEye's October report indicates that this group has been infiltrating the IT systems of government organizations, military contractors, and private security firms since at least 2007. All of the information obtained thus far indicates that the stolen information directly benefits the Russian government. For instance, a breach of the US State Department last year that specifically sought information about President Barack Obama's travel schedule has been linked to this clandestine organization.
Recently, APT28 was reported to be exploiting vulnerabilities in Adobe Flash and Microsoft Windows to infiltrate these critical data systems.
According to the FireEye report, the group uses a series of constantly evolving malware platforms designed for long-term infiltration campaigns and tailored to the target environment. These malware strains have been designed to hamper reverse-engineering efforts, although security researchers can tell that the code was developed in a formal software development environment.
Specifically, the report indicates that a limited APT28 campaign was exploiting a zero-day vulnerability in Adobe Flash together with an as yet unpatched vulnerability in Microsoft Windows. This new pattern of attacks reportedly began on April 13th of this year. Adobe has already patched the Flash vulnerability being exploited by the Russian attackers (CVE-2015-3043). The outstanding local privilege escalation vulnerability in the Windows OS (CVE-2015-1701) has not yet been patched by Microsoft; however, because APT28 chains the two flaws together in its recent cyberespionage campaigns, updating Adobe Flash to the latest version blocks the chain before the Windows flaw can be reached.
From a high-level point-of-view, the exploit works as follows:
1. User clicks on a malicious link redirecting them to a hacker-controlled website
3. CVE-2015-3043 is triggered and shellcode is executed
4. Shellcode downloads and runs the payload
5. Payload exploits local privilege escalation (CVE-2015-1701) to steal system token
Again, while the Microsoft vulnerability remains unpatched, APT28 is unable to complete the exploit chain and gain elevated privileges on a system whose Adobe Flash is updated to the latest version. To protect yourself from this threat, ensure that both Flash and Windows are updated with all of the latest patches. If you haven't done so already, enable automatic updating of both programs to protect your PC from this threat and from any new techniques that APT28 may employ in the future.
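Since the mitigation above comes down to "is the installed Flash build at or above the fixed version", here is an added example (not code from the article, FireEye, or Adobe) of how an administrator might audit a host inventory against that version. It assumes a constructed inventory mapping hostnames to the Flash version string each host reports, and the minimum version is a placeholder to be filled in from Adobe's bulletin for CVE-2015-3043; the example also shows why version strings must be compared numerically rather than as plain strings, a common mistake in quick audit scripts.

```python
"""Audit reported Adobe Flash Player versions against a minimum patched build.

Added example for this article; not code from FireEye, Adobe, or the article's author.
MIN_PATCHED_FLASH is a PLACEHOLDER (assumption): replace it with the fixed version
number from Adobe's security bulletin for CVE-2015-3043. The inventory below is
constructed sample data, not real telemetry.
"""
from typing import Dict, List, Tuple

# PLACEHOLDER (assumption): take the real value from Adobe's bulletin for CVE-2015-3043.
MIN_PATCHED_FLASH = "0.0.0.0"

# Constructed sample inventory: hostname -> Flash version string reported by the host.
SAMPLE_INVENTORY: Dict[str, str] = {
    "ws-finance-01": "17.0.0.100",
    "ws-legal-02": "9.0.0.0",
    "ws-hr-03": "17.0.0",
    "ws-ops-04": "n/a",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '17.0.0.169' into (17, 0, 0, 169); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(part.isdigit() for part in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(part) for part in parts)


def is_patched(installed: str, minimum: str) -> bool:
    """True if installed >= minimum, comparing component by component as integers.

    A plain string comparison gets this wrong: '9.0.0.0' > '17.0.0.169' as text,
    because '9' sorts after '1'. Shorter versions are padded with zeros so that
    '17.0.0' compares as (17, 0, 0, 0).
    """
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def hosts_needing_update(inventory: Dict[str, str], minimum: str) -> List[str]:
    """Return sorted hostnames that are below the minimum or report an unreadable version.

    Unparseable versions are treated as needing attention (fail closed): a host
    that cannot tell us its Flash build cannot be assumed to be patched.
    """
    flagged = []
    for host, version in inventory.items():
        try:
            if not is_patched(version, minimum):
                flagged.append(host)
        except ValueError:
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY, MIN_PATCHED_FLASH):
        print(f"{host}: Flash below minimum or version unreadable; update required")
```

The placeholder minimum of `0.0.0.0` means only the host with an unreadable version is flagged until the real fixed build number is filled in; once it is, any host reporting an older build is listed. Remember that this only confirms the Flash half of the chain is closed; the Windows side still needs Microsoft's fix for CVE-2015-1701 once it ships.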