Russian hacker group APT28 is exploiting flaws in Adobe Flash and Windows in an attempt to gather government information, warns FireEye
A Russian hacker group has been taking advantage of vulnerabilities in widely used Adobe and Microsoft software to gather government information, US security firm FireEye has claimed.
The company’s latest report said that it detected a limited advanced persistent threat campaign targeting zero-day vulnerabilities in Adobe Flash and Microsoft Windows that began on 13 April.
FireEye said that the group’s goal is to find information about government, military and security organisations that is “likely to benefit the Russian government”.
Researchers using the security firm’s Dynamic Threat Intelligence Cloud software detected the pattern of attacks through a “correlation of technical indicators and command and control infrastructure”, and believe that APT28 is “probably responsible” for this activity.
Adobe has since patched the CVE-2015-3043 vulnerability in security bulletin APSB15-06.
Microsoft is aware of the outstanding local privilege escalation vulnerability in Windows, tracked as CVE-2015-1701, but has not yet issued a patch.
FireEye said that updating Adobe Flash to the latest version will render the exploit harmless, because it has seen CVE-2015-1701 used only in conjunction with the Adobe Flash exploit for CVE-2015-3043.
The Flash exploit is served from unobfuscated HTML/JS. The launcher page picks one of two Flash files to deliver depending on the target’s platform, for example Windows 32-bit or 64-bit.
“The payload exploits a local privilege escalation vulnerability in the Windows kernel if it detects that it is running with limited privileges,” explained FireEye.
“It uses the vulnerability to run code from userspace in the context of the kernel, which modifies the attacker’s process token to have the same privileges as that of the system process.”
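The token modification FireEye describes leaves a detectable trace: a child process normally inherits its parent's token, so a process running as SYSTEM whose ancestry runs back through a browser or plug-in host owned by an ordinary user is out of place. The following detector is an added example, not code from the article or from FireEye's report; it walks a constructed process list (PIDs, image names and the account "CORP\alice" are all made up for illustration) and flags any SYSTEM process that descends from a non-SYSTEM one. Privilege dropping in the other direction (winlogon.exe spawning a user's userinit.exe) is normal and is deliberately not flagged.

```python
# Added example (not from the article or FireEye's report): flag processes whose
# token is SYSTEM even though an ancestor in the same lineage runs as an ordinary
# user. A rewritten process token, as described for CVE-2015-1701, produces
# exactly this shape. All sample records below are constructed.
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"


@dataclass(frozen=True)
class ProcessRecord:
    pid: int
    ppid: int
    image: str        # executable name, lower-case
    token_user: str   # account of the primary token, e.g. "CORP\\alice" (constructed)
    integrity: str    # integrity level: "Low", "Medium", "High" or "System"


def runs_as_system(p: ProcessRecord) -> bool:
    """True if the process token belongs to SYSTEM or sits at System integrity."""
    return p.token_user.upper() == SYSTEM_ACCOUNT or p.integrity == "System"


def ancestors(p: ProcessRecord, by_pid: Dict[int, ProcessRecord],
              max_depth: int = 16) -> Iterator[ProcessRecord]:
    """Walk parent links upwards, guarding against cycles and reused PIDs."""
    seen = {p.pid}
    cur = by_pid.get(p.ppid)
    while cur is not None and cur.pid not in seen and len(seen) <= max_depth:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)


def find_token_anomalies(procs: List[ProcessRecord]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for every SYSTEM process that descends from a non-SYSTEM one."""
    by_pid = {p.pid: p for p in procs}
    findings: List[Tuple[int, str]] = []
    for p in procs:
        if not runs_as_system(p):
            continue                      # ordinary user process: nothing to check
        for anc in ancestors(p, by_pid):
            if not runs_as_system(anc):   # privilege went UP along the parent chain
                findings.append((p.pid,
                    f"{p.image} (pid {p.pid}) runs as {p.token_user} but descends from "
                    f"{anc.image} (pid {anc.pid}) running as {anc.token_user} "
                    f"at {anc.integrity} integrity"))
                break
    return findings


def flagged_pids(procs: List[ProcessRecord]) -> List[int]:
    """Convenience wrapper: just the PIDs that were flagged, in ascending order."""
    return sorted(pid for pid, _ in find_token_anomalies(procs))


# Constructed process snapshot: a normal SYSTEM service tree, an interactive user
# session, and a plug-in host whose token has been rewritten to SYSTEM.
SAMPLE_PROCESSES = [
    ProcessRecord(4, 0, "system", SYSTEM_ACCOUNT, "System"),
    ProcessRecord(300, 4, "wininit.exe", SYSTEM_ACCOUNT, "System"),
    ProcessRecord(400, 300, "services.exe", SYSTEM_ACCOUNT, "System"),
    ProcessRecord(500, 400, "svchost.exe", SYSTEM_ACCOUNT, "System"),       # benign: SYSTEM all the way up
    ProcessRecord(600, 300, "winlogon.exe", SYSTEM_ACCOUNT, "System"),
    ProcessRecord(1000, 600, "userinit.exe", "CORP\\alice", "Medium"),      # privilege drop: normal
    ProcessRecord(1200, 1000, "explorer.exe", "CORP\\alice", "Medium"),
    ProcessRecord(1300, 1200, "iexplore.exe", "CORP\\alice", "Medium"),
    ProcessRecord(1350, 1300, "iexplore.exe", "CORP\\alice", "Low"),        # sandboxed content process
    ProcessRecord(1360, 1350, "flashplayerplugin.exe", SYSTEM_ACCOUNT, "System"),  # token rewritten: anomaly
    ProcessRecord(1400, 1360, "cmd.exe", SYSTEM_ACCOUNT, "System"),         # inherits the stolen token: anomaly
]

if __name__ == "__main__":
    for pid, reason in find_token_anomalies(SAMPLE_PROCESSES):
        print(f"ALERT pid={pid}: {reason}")
```

In production the process records would come from an EDR or Sysmon process-creation feed rather than a hand-built list, and the rule needs an allowlist for the few legitimate lineages where a user-owned parent is followed by a SYSTEM child (for example installers hand-off through the Windows Installer service, which reparents the child under a SYSTEM svchost and so would not be flagged here anyway). Because the check only fires when privilege rises along the chain, the usual SYSTEM-to-user drops at logon do not generate noise.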
The APT28 attackers relied heavily on the CVE-2014-0515 Metasploit module to build these new exploits, FireEye said.