FireEye has detected the use of zero-day Flash vulnerabilities and a brand-new Microsoft Windows flaw in a Russian cyberspying campaign.
Announced over the weekend, the cybersecurity and forensics firm said an advanced persistent threat (APT) campaign originating from Russia has been exploiting zero-day vulnerabilities in both Adobe Flash and Microsoft Windows.
The pattern of attacks began on April 13 and remains ongoing.
The Flash exploit, CVE-2015-3043, is triggered when a victim clicks on a link to a malicious website controlled by the attackers. An HTML/JS launcher serves the exploit, which executes shellcode and then runs an executable payload on the Windows system; a 32-bit or 64-bit payload is delivered to match the victim's Windows installation. The payload then triggers another previously unknown Windows flaw, CVE-2015-1701, in order to steal system tokens.
CVE-2015-1701 is a local privilege escalation vulnerability. The exploit uses the flaw to execute a callback that pulls data from the System process and then runs code with escalated privileges. Because that code runs in the kernel, the attacker is able to modify the stolen tokens so that they carry the same privileges as the System process.
The exploit delivers malware variants which are similar to APT28 backdoors from the CHOPSTICK and CORESHELL malware families. The malware discovered in this new APT campaign uses an RC4 encryption key which was previously detected in the CHOPSTICK backdoor, as well as a checksum algorithm which resembles the one used in the backdoor's communications protocol. In addition, the network beacon traffic used by the new malware is similar to that used by the CORESHELL backdoor.
"Through correlation of technical indicators and command and control infrastructure, FireEye assesses that APT28 is probably responsible for this activity," FireEye says.
In October, FireEye released a report detailing the activities of APT28, a Russian hacking group which has been in operation since 2007. The threat actors are believed to focus on US defense and military contractors, NATO officials and other targets of particular interest to the Kremlin, such as the Republic of Georgia and European security firms.
The security firm says "skilled" Russian developers and operators can be linked to APT28 through a government sponsor in Moscow. Spear phishing campaigns, which deliver surveillance-based malware payloads to machines, are used to target victims likely to have intelligence useful to the Russian government.
There is not yet a patch available for the Windows flaw, but Microsoft is working on a fix for the vulnerability, which does not affect Windows 8 or later.
Updating to the latest version of Adobe Flash renders the exploit powerless, and as CVE-2015-3043 is already patched, if an attacker wanted to deploy the CVE-2015-1701 payload on a patched machine, they would need to create a new Flash exploit.