Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

5/11/2017
01:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

APT28, Turla Nation-State Groups Deployed Multiple 0Days in Recent Attacks

Attack campaigns by APT28, Turla, and an unidentified group showcase easy availability of zero-days.

Threat actors rarely ever need zero-day flaws to breach enterprise networks. But there appears to be a plentiful supply of such vulnerabilities for those who do.

A flurry of recent exploit activity targeting government, military, and banking entities mostly in Europe and the Middle East is one example.

Security vendors ESET and FireEye this week issued separate advisories on cyberattacks involving the use of three Microsoft zero-day flaws. Two of them involved the Encapsulated PostScript (EPS) function in Microsoft Office, while the third was a privilege escalation flaw in Windows.

Microsoft addressed all three issues in its monthly security update for May this week.

In its advisory, FireEye said it had seen the three flaws being exploited in attacks by an unidentified group and also by APT28 and Turla, two previously known Russian cyber espionage groups. The unknown group appeared to be motivated by financial gain and was focused mainly on regional and global banks operating in the Middle East. The APT28 and Turla attacks were likely targeted at extracting geopolitical intelligence from targets in Europe.

The attacks by Turla and the unknown group involved the use of CVE-2017-0261, a remote code execution flaw that allowed attackers to gain administrative access on vulnerable systems. The EPS vulnerability, according to Microsoft, could be exploited by getting users to open an Office file with a malformed image or by getting them to insert a malformed image into an Office file.

The APT28 group's attacks meanwhile exploited two zero-day flaws; CVE-2017-0262, a remote code execution vulnerability in EPS handling that was nearly identical to the other EPS zero-day; and CVE-2017-0263, an escalation of privilege flaw in Windows.

APT28's objective in using the two zero-day flaws was to drop Seduploader, a reconnaissance tool that the group is well known for using to steal confidential information from targets, ESET said in its blog.

"These vulnerabilities show that financially motivated actors have access to some of the most sophisticated tools that are sometimes thought to be the sole purview of nation states," says Benjamin Read, a security analyst at FireEye. "The use of multiple zero-days by Russian actors underscores the technically sophisticated threat from cyber espionage groups in that country," he says.

Marc-Etienne Leveille, malware researcher at ESET, says that since 2015, the company has observed the APT28 group use at least 12 different zero-days exploits—six in 2015, four in 2016, and two so far in 2017.

The group, which is also known as Sofacy, Fancy Bear, and Sednit, has been active for more than 10 years, so the actual number of zero-days it has used in that period is likely to be much higher. APT28 is believed to have been involved in the attacks on the Democratic National Committee (DNC) and has been cited as proof of Russian involvement in the attack. Most recently, the threat group is believed to have been behind an attempt to gain access to the email accounts of those involved in just elected French President Emmanuel Macron's campaign.

"Because of the amount of zero-days they've used in the past few years, we can assume that they either have very skilled people or enough financial resources to maintain this trend," Leveille says.

ESET does not have information on pricing in the Dark Market for zero-day flaws such as the two used by APT28 in its most recently observed campaigns. But based on prices from zero-day acquisition platform Zerodium, it is likely that the two exploits combined could cost up to $70,000. "Finding or writing new reliable zero-day exploits is not an easy task," he says.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19668
PUBLISHED: 2020-02-27
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-17963. Reason: This candidate is a reservation duplicate of CVE-2018-17963. Notes: All CVE users should reference CVE-2018-17963 instead of this candidate. All references and descriptions in this candidate have been removed to preve...
CVE-2019-12882
PUBLISHED: 2020-02-27
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2017-6363
PUBLISHED: 2020-02-27
** DISPUTED ** In the GD Graphics Library (aka LibGD) through 2.2.5, there is a heap-based buffer over-read in tiffWriter in gd_tiff.c. NOTE: the vendor says "In my opinion this issue should not have a CVE, since the GD and GD2 formats are documented to be 'obsolete, and should only be used for...
CVE-2017-6371
PUBLISHED: 2020-02-27
Synchronet BBS 3.16c for Windows allows remote attackers to cause a denial of service (service crash) via a long string in the HTTP Referer header.
CVE-2017-5861
PUBLISHED: 2020-02-27
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-1000020. Reason: This candidate is a reservation duplicate of CVE-2017-1000020. Notes: All CVE users should reference CVE-2017-1000020 instead of this candidate. All references and descriptions in this candidate have been removed to...