Hackers believed to be linked to the Russian government used zero-day flaws in Microsoft Windows and Adobe Flash in a bid to infiltrate the organisations discussing sanctions against Russia.
The hackers were detected by security services company FireEye, which dubbed the campaign “Operation RussianDoll”. It said that it detected a pattern of attacks beginning on 13 April and claimed that it was able to stop the attacks before any documents or information could be transferred.
While Adobe patched the buffer-overflow vulnerabilities in a security update on 14 April, Microsoft has not yet released a patch for the vulnerability that the attackers attempted to exploit. However, updating Adobe Flash Player accordingly ought to render the exploit harmless, FireEye added.
The attacks required users to click on links in emails sent to targeted addresses, which direct them to a compromised site that serves the Adobe Flash exploit. Once run, the exploit automatically downloads an executable payload that enables the attackers to take control of the machine.
“The Flash exploit is mostly unobfuscated with only some light variable name mangling. The attackers relied heavily on the CVE-2014-0515 [Adobe Flash] Metasploit module, which is well documented. It is ROPless, and instead constructs a fake vtable for a FileReference object that is modified for each call to a Windows API,” claimed FireEye in a blog post.
It continued: “The payload exploits a local privilege escalation vulnerability in the Windows kernel if it detects that it is running with limited privileges. It uses the vulnerability to run code from userspace in the context of the kernel, which modifies the attacker’s process token to have the same privileges as that of the System process.”
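The escalation FireEye describes leaves a simple artefact a defender can look for: a process whose token resolves to SYSTEM even though its parent is an ordinary user-context process such as the browser that hosted the Flash exploit. The following heuristic, an added example that is not code from the article or from FireEye, walks a process snapshot and flags exactly that pattern. The snapshot, the process names and the account names are constructed for illustration.

```python
"""
Added example (not from the article or FireEye): flag processes that hold a
SYSTEM token while their parent runs as an ordinary user, the pattern left
behind when a user-context exploit rewrites its own process token.
All process data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    user: str        # account the primary token of the process resolves to
    integrity: str   # "Low", "Medium", "High" or "System"


# Constructed snapshot: a normal service tree, a user shell, a browser at
# Medium integrity, a Low-integrity plugin host spawned by the browser, and a
# dropped executable under that host that is suddenly running as SYSTEM.
SNAPSHOT: List[Proc] = [
    Proc(4, 0, "System", SYSTEM_ACCOUNT, "System"),
    Proc(600, 4, "services.exe", SYSTEM_ACCOUNT, "System"),
    Proc(1200, 600, "svchost.exe", SYSTEM_ACCOUNT, "System"),
    Proc(2000, 900, "explorer.exe", "CORP\\alice", "Medium"),
    Proc(2400, 2000, "iexplore.exe", "CORP\\alice", "Medium"),
    Proc(2500, 2400, "iexplore.exe", "CORP\\alice", "Low"),      # plugin host
    Proc(2600, 2500, "update.exe", SYSTEM_ACCOUNT, "System"),    # dropped payload
]


def index_by_pid(procs: List[Proc]) -> Dict[int, Proc]:
    """Build a pid -> Proc lookup for parent resolution."""
    return {p.pid: p for p in procs}


def is_token_escalation(proc: Proc, by_pid: Dict[int, Proc]) -> bool:
    """True when the process is SYSTEM but its parent is a user-context process.

    Legitimate SYSTEM processes descend from the service tree (System ->
    services.exe -> ...), so a SYSTEM child of a user-owned parent is anomalous.
    """
    parent = by_pid.get(proc.ppid)
    if parent is None:
        return False  # orphan: cannot judge, leave to other rules
    child_is_system = proc.user == SYSTEM_ACCOUNT or proc.integrity == "System"
    parent_is_user = parent.user != SYSTEM_ACCOUNT and parent.integrity != "System"
    return child_is_system and parent_is_user


def find_escalations(procs: List[Proc]) -> List[Proc]:
    """Return every process in the snapshot matching the escalation pattern."""
    by_pid = index_by_pid(procs)
    return [p for p in procs if is_token_escalation(p, by_pid)]


def lineage(pid: int, by_pid: Dict[int, Proc]) -> List[str]:
    """Image names from the given process up to the root we have data for."""
    chain: List[str] = []
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        proc = by_pid[pid]
        chain.append(proc.image)
        pid = proc.ppid
    return chain


if __name__ == "__main__":
    by_pid = index_by_pid(SNAPSHOT)
    for hit in find_escalations(SNAPSHOT):
        print(f"pid {hit.pid} ({hit.image}) runs as {hit.user}; "
              f"lineage: {' <- '.join(lineage(hit.pid, by_pid))}")
```

The lineage output is what makes the alert actionable: a SYSTEM process whose chain runs back through a Low-integrity browser plugin host is the shape a successful Flash-plus-kernel chain takes. The heuristic needs a parent-child view that was recorded at process start (a Sysmon-style process-creation log or an EDR snapshot), since a parent that has already exited leaves an orphan the check deliberately skips, and a tool that spoofs its parent pid can evade it.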
According to Reuters, the attacks formed part of a longer-running campaign against diplomatic targets in the US that, it claimed, emanated from Russia.
“Days before that report, security firm Trend Micro described a campaign it called ‘Pawn Storm’ against computers in the State Department, Russian dissidents, NATO and other Eastern European nations. Because Pawn Storm and APT28 used some of the same tools and hit the same targets, other information security professionals concluded they were the same hackers,” claimed Reuters.