A Russia-based hacking group is seeking to maximize the value of its zero-day exploits before patches issued by Adobe (released on October 26) and Microsoft (released yesterday) become widely available. In a report issued today, researchers at Trend Micro noted that spear-phishing activity—malicious e-mails sent to “various governments and embassies around the world”—had ramped up significantly after these exploits were announced.
The flaws, discovered last week by Google’s Threat Analysis Group, have been used in a long-running spear-phishing campaign against government, political, and military targets in the US and Europe. It’s all an apparent intelligence collection effort run by the group known variously as Pawn Storm, Fancy Bear, APT28, Sofacy, and Strontium. This is the same group blamed for the hack of the Democratic National Committee and the e-mail accounts of Hillary Clinton Campaign Chairman John Podesta, former Secretary of State Colin Powell, and other political figures in the US.
While Adobe patched the vulnerability (CVE-2016-7855) with an emergency update on October 26, the Microsoft vulnerability was not patched until November 8. That’s more than a week after Google announced the discovery of the exploit.
Instead of using the malware solely on high-value targets, the hacking group “probably devalued the two zero-days in its attack tool” and began casting a much larger net with this spear-phishing campaign, wrote Feike Hacquebord and Stephen Hilt of Trend Micro’s TrendLabs. Still, the group’s efforts to hit bigger targets didn’t stop. “We saw several campaigns against still-high-profile targets since October 28 until early November 2016,” the researchers noted.
The TrendLabs researchers called out two specific recent campaigns as evidence of the increased activity by Pawn Storm/Fancy Bear. The latest was an early November wave of e-mails to “various governments around the world” from a forged e-mail address. A November 1 e-mail from the campaign was forged to appear to be from an actual press officer for the European Union with the subject line, “European Parliament statement on nuclear threats.” The e-mail contained a link that led to a website running the exploit kit. “Internet users who were using Windows Vista up to Windows 7 without the latest patch for Flash would be at high risk of automatically getting infected,” the researchers wrote.
Another attack using the two exploits showed up in several e-mail waves from October 28 through this week. Some of them were purportedly invitations to a “Cyber Threat Intelligence and Incident Response conference” this month—an actual conference—sent in a malicious Rich Text Format document called “Programm Details.doc.” When opened, the RTF document launched an embedded Flash element that downloaded additional files and leveraged the exploit code to install these files on the targeted computers. “We also noted that the embedded Flash file downloaded a Flash exploit for the just-patched [Adobe Flash vulnerability],” Hacquebord and Hilt reported. “A second file was also downloaded, but this file consistently crashed Microsoft Word during our tests.”
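For mail-gateway or incident-response triage, the delivery pattern described above (RTF content behind a .doc name, carrying an embedded Flash object) can be checked with a short heuristic. The following is an added example, not code from Trend Micro or from the original article; it assumes the Flash element is embedded as an OLE/ActiveX object in an RTF `\objdata` group, which the article does not specify, and the function names and sample bytes are constructed for illustration.

```python
import re

RTF_MAGIC = b"{\\rtf"
# Hex payload following the \objdata control word (whitespace may split it).
OBJDATA_RE = re.compile(rb"\\objdata\s+([0-9A-Fa-f\s]+)")
# ProgID of the Flash ActiveX control, as ASCII and as UTF-16LE.
FLASH_MARKERS = (b"ShockwaveFlash", "ShockwaveFlash".encode("utf-16-le"))


def decode_objdata(blob):
    """Turn the hex text of an \\objdata group back into raw bytes."""
    hexchars = re.sub(rb"\s+", b"", blob)
    if len(hexchars) % 2:          # tolerate a truncated final nibble
        hexchars = hexchars[:-1]
    return bytes.fromhex(hexchars.decode("ascii"))


def triage(filename, data):
    """Return a list of findings for one attachment (empty list = nothing flagged)."""
    findings = []
    if not data.lstrip().startswith(RTF_MAGIC):
        return findings            # not RTF; out of scope for this check
    if not filename.lower().endswith(".rtf"):
        findings.append("rtf-content-with-non-rtf-extension")
    for match in OBJDATA_RE.finditer(data):
        payload = decode_objdata(match.group(1))
        if any(marker in payload for marker in FLASH_MARKERS):
            findings.append("embedded-flash-object")
            break
    return findings


# Constructed sample: harmless stub holding only a class-name string.
_stub_hex = (b"\x01\x05\x00\x00" + b"ShockwaveFlash.ShockwaveFlash.1\x00").hex().encode()
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objocx{\\*\\objdata "
              + _stub_hex[:20] + b"\r\n" + _stub_hex[20:] + b"}}}")
BENIGN_RTF = b"{\\rtf1\\ansi Plain text only.}"

if __name__ == "__main__":
    print(triage("Programm Details.doc", SAMPLE_RTF))
    print(triage("notes.rtf", BENIGN_RTF))
```

This is a string-matching heuristic, so a hit is a reason to quarantine and inspect the attachment with a full RTF/OLE parser, not a verdict on its own.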
Now that patches are available for both vulnerabilities, it’s likely the exploit tool based on them will be kept in use only for less valuable targets that may not have been patched. While anti-virus tools have been updated to catch the particular tools used in these detected attacks, unpatched systems will remain vulnerable to new attacks using the same exploits.