FireEye said on Saturday that it recently detected a highly targeted attack exploiting two zero-day vulnerabilities in an effort to compromise an “international government entity” in an industry vertical that aligns with known targets hit by a threat actor group which FireEye calls APT28.
FireEye has described APT28 as a skilled team of developers and operators collecting intelligence on defense and geopolitical issues that would clearly benefit Russia. The security firm previously traced cyber-espionage campaigns by the group that date back to 2007.
FireEye said that it first detected the attacks on April 13th, 2015, when the attackers attempted to exploit two zero-day vulnerabilities, including a recently patched flaw in Adobe Flash (CVE-2015-3043) and a brand new one in Microsoft Windows (CVE-2015-1701).
Through its analysis and technical indicators and command and control infrastructure, FireEye believes that the APT28 attackers are responsible for the campaign, which it is calling “Operation RussianDoll”.
Despite use of the two zero-days, the attackers were said to be unsuccessful in breaching their target. A FireEye spokesperson told SecurityWeek that it detected the exploits as they were delivered which prevented an intrusion.
According to FireEye, the exploit process takes place like this:
1. User clicks link to attacker controlled website
2. HTML/JS launcher page serves Flash exploit
3. Flash exploit triggers CVE-2015-3043, executes shellcode
4. Shellcode downloads and runs executable payload
5. Executable payload exploits local privilege escalation (CVE-2015-1701) to steal System token
The CVE-2015-3043 exploit delivers a malware variant that shares characteristics with the APT28 backdoors CHOPSTICK and CORESHELL malware families, both described in FireEye’s initial report on APT28.
“One of the C2 locations for the new payload, 87.236.215[.]246, also hosts a suspected APT28 domain ssl-icloud[.]com,” FireEye said.
The payload contains an exploit for the unpatched local privilege escalation vulnerability CVE-2015-1701 in Microsoft Windows. The exploit does not affect Windows 8 and later.
“While there is not yet a patch available for the Windows vulnerability, updating Adobe Flash to the latest version will render this in-the-wild exploit innocuous,” FireEye noted in a blog post. “We have only seen CVE-2015-1701 in use in conjunction with the Adobe Flash exploit for CVE-2015-3043. We are working with the Microsoft Security Team on CVE-2015-1701.”
“Because CVE-2015-3043 is already patched, this remote exploit will not succeed on a fully patched system,” FireEye said. “If an attacker wanted to exploit CVE-2015-1701, they would first have to be executing code on the victim’s machine. Baring authorized access to the victim’s machine, the attacker would have to find some other means, such as crafting a new Flash exploit, to deliver a CVE-2015-1701 payload.”
Earlier this week, Trend Micro reported new activity on “Operation Pawn Storm” which is assumed to be the same threat actors tracked by FireEye as APT28. According to the most recent report from Trend Micro, the APT group has introduced new infrastructure and is “zeroing in” on targets including the White House and NATO members.
Trend Micro also eluded to possible connections with the Russian government. “We determined that the group also aimed its attacks on Russian dissidents and those opposing the Kremlin, as well as Ukrainian activists and military, which has led some to speculate that there might be a connection with the Russian government,” Feike Hacquebord, a Senior Threat Researcher at Trend Micro, noted in a blog post on Thursday.
Last year FireEye was able to trace at least two specific attempts by APT28 to target the Georgian Ministry of Internal Affairs, the Ministry of Defense, and a U.S. defense contractor that was training the Georgian military.
*Updated to include name of campaign and modified headline