Attackers are not motivated by financial gains

Apr 20, 2015 09:45 GMT  ·  By

A highly targeted cyber attack believed to be run by Russian hackers was observed a week ago, leveraging a zero-day in Flash Player and one in Windows that allowed privilege escalation.

The incident was spotted on April 13 by security researchers from FireEye, who allege that the threat actor is a Russian group they call APT28, whose activity has been traced as far back as 2007.

Microsoft works on plugging zero-day security hole

The security flaw in Flash Player (CVE-2015-3043) was patched by Adobe in an update released a day after FireEye learned about APT28’s attack. In the security bulletin for the update, Adobe noted that an exploit for the flaw existed in the wild.

As for the privilege escalation flaw in Windows (CVE-2015-1701), it remains a zero-day because Microsoft has yet to release a patch for it. The company is currently working on one.

FireEye researchers say in a blog post on Saturday that the attackers relied on the Flash vulnerability to gain access to the targeted system and then exploited the Windows flaw to increase their grip on the machine.

Updating Flash Player defeats compromise attempts

The attack would start by tricking the user into visiting a website that served the Flash exploit for CVE-2015-3043. The exploit ran a payload that achieved privilege escalation, allowing APT28 to execute code with system rights and therefore to access any part of the computer.

Compromising systems this way no longer works if users have the current version of Flash Player (17.0.0.169) installed. Also, the zero-day in Microsoft’s operating system affects only Windows 7 and earlier.
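The two conditions above translate directly into a fleet triage check. The following script is an added example, not from the article or from FireEye: it parses version strings properly (so that build 169 compares greater than build 99) and flags hosts whose Flash Player predates 17.0.0.169 and whose Windows is 7 or earlier (NT kernel 6.1 or lower). The inventory records are constructed.

```python
"""Added example (not from the article): flag hosts exposed to the two-stage chain
described above. A host is exposed to the Flash stage if its Flash Player build is
older than 17.0.0.169 (the release fixing CVE-2015-3043), and to the privilege
escalation stage (CVE-2015-1701) if it runs Windows 7 or earlier, i.e. NT 6.1 or lower.
"""

FIXED_FLASH = (17, 0, 0, 169)  # first Flash Player build carrying the CVE-2015-3043 fix
LAST_AFFECTED_NT = (6, 1)      # Windows 7 is NT 6.1; Windows 8 (NT 6.2) and later are not affected


def parse_version(s):
    """Turn a dotted version string into a tuple of ints so comparisons are numeric."""
    return tuple(int(part) for part in s.strip().split("."))


def flash_vulnerable(flash_version):
    return parse_version(flash_version) < FIXED_FLASH


def windows_affected(nt_version):
    return parse_version(nt_version)[:2] <= LAST_AFFECTED_NT


def triage(inventory):
    """Return {hostname: [exposure reasons]}; hosts with no exposure are omitted."""
    findings = {}
    for host in inventory:
        reasons = []
        if flash_vulnerable(host["flash"]):
            reasons.append("flash<17.0.0.169 (CVE-2015-3043)")
        if windows_affected(host["nt"]):
            reasons.append("windows<=7 (CVE-2015-1701)")
        if len(reasons) == 2:
            reasons.append("full chain applies")
        if reasons:
            findings[host["name"]] = reasons
    return findings


# Constructed sample inventory; "nt" is the kernel version the OS reports.
SAMPLE_INVENTORY = [
    {"name": "ws-01", "nt": "6.1.7601", "flash": "17.0.0.134"},   # Win7, old Flash
    {"name": "ws-02", "nt": "6.1.7601", "flash": "17.0.0.169"},   # Win7, patched Flash
    {"name": "ws-03", "nt": "6.3.9600", "flash": "16.0.0.305"},   # Win8.1, old Flash
    {"name": "ws-04", "nt": "10.0.10041", "flash": "17.0.0.169"}, # not exposed
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_INVENTORY).items():
        print(host, "->", ", ".join(reasons))
```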

Researchers say that the attack was deployed against an international government entity that fits the target profile the APT28 hackers focus on.

Attribution of the incident rests on observed similarities between the delivered malware and the CHOPSTICK and CORESHELL backdoors previously used by the group.