It is being reported today that the Fancy Bears hacking group has changed the tactics of a phishing campaign that abuses a Microsoft feature to install malware, shifting its focus from Europe to the US. The lures now push ‘US-centric’ topics, exploiting fears around the recent terrorist attack in New York to get users to open the documents. IT security experts commented below.
Dan Matthews, Director of Engineering at Lastline:
“It is not surprising that even advanced threat actors are learning about and using publicly disclosed attack techniques via Twitter feeds, blog posts and other social media outlets. The internet was designed to be an information equalizer, allowing distant research institutions to collaborate.
We can look at the Vault7 exploit tool kit disclosure last spring as the same type of public release, but in the opposite direction. In the Vault7 exploit disclosure, multiple nation-state developed exploits were made available to the world. In just a few weeks, criminal software developers, less resourced nation-states and pen testers all started adding these NSA exploits to their bag of tricks.
With so many ‘offensive security’ eyes on public disclosures, it is as important as ever for organizations to be informed of new tradecraft and to deploy detective and preventative controls at multiple points of their networks.
At a technical level, it is noteworthy that this ‘exploit’ is really misusing a feature built into Windows which is not likely to be patched by Microsoft. Successful exploitation requires two separate user approvals, which attackers have demonstrated is not difficult to achieve when they present users with the right social engineering bait.”
Andy Norton, Director of Threat Intelligence at Lastline:
“The change in infection mechanism represents the latest in a long line of iterations for this type of threat actor group. The infrastructure used in this attack was first tracked by Lastline in 2015; in that time we have seen many different payloads, probably from many different threat actors. The lure documents in this case were exclusively seen by us in the government sector. When investigating other attacks into the government sector from this specific malicious infrastructure, we can see Trojan:Fareit is also used as a payload; this AV name is given to Pony Loader, an infamous credential-stealing backdoor recently implicated in the Equifax breach.
What is important right now is to get actionable intelligence to those possibly impacted parties. Payloads from this originating infrastructure often display the following capabilities:
- Masquerading browser user-agents in HTTP communications
- Hiding network activity through code injection
- Reading browser-stored credentials
- Keystroke logging
In this case, hunting for stealthy network communication and monitoring for credential theft need to be part of incident response. Attributing the attacker is often a wilderness of mirrors and a distraction from the real goal of preventing unauthorised access.”
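Two of the capabilities listed above, masquerading browser user-agents and hiding network activity, leave traces that can be hunted for in endpoint connection telemetry. The script below is an added example and is not code from the article or from Lastline; the log format, the allowlist of browser processes and the sample lines are constructed for illustration. It flags a browser-looking User-Agent emitted by a non-browser process, and it flags (host, process, destination) tuples whose connection intervals are near-constant, the timer-driven pattern of a beaconing implant rather than human browsing.

```python
"""Hunt for masqueraded browser User-Agents and beacon-like HTTP traffic.

Added example, not part of the original article or any vendor tooling.
The record format, BROWSER_PROCESSES allowlist and SAMPLE_LOG are constructed.
"""
import shlex
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed endpoint-style HTTP connection records, one per line:
#   <ISO timestamp> <host> <process image> <destination> "<User-Agent>"
SAMPLE_LOG = """\
2017-11-08T09:00:00 ws01 chrome.exe news.example.com "Mozilla/5.0 (Windows NT 10.0) Chrome/62.0"
2017-11-08T09:00:07 ws01 chrome.exe cdn.example.com "Mozilla/5.0 (Windows NT 10.0) Chrome/62.0"
2017-11-08T09:01:00 ws01 svchost.exe 203.0.113.10 "Mozilla/5.0 (Windows NT 6.1) Firefox/56.0"
2017-11-08T09:02:00 ws01 svchost.exe 203.0.113.10 "Mozilla/5.0 (Windows NT 6.1) Firefox/56.0"
2017-11-08T09:03:01 ws01 svchost.exe 203.0.113.10 "Mozilla/5.0 (Windows NT 6.1) Firefox/56.0"
2017-11-08T09:04:00 ws01 svchost.exe 203.0.113.10 "Mozilla/5.0 (Windows NT 6.1) Firefox/56.0"
2017-11-08T09:05:00 ws01 svchost.exe 203.0.113.10 "Mozilla/5.0 (Windows NT 6.1) Firefox/56.0"
2017-11-08T09:10:33 ws01 firefox.exe mail.example.com "Mozilla/5.0 (Windows NT 10.0) Firefox/56.0"
2017-11-08T09:31:12 ws01 chrome.exe docs.example.com "Mozilla/5.0 (Windows NT 10.0) Chrome/62.0"
"""

# Assumed allowlist: processes expected to send a browser User-Agent.
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}


def parse_log(text):
    """Parse the constructed record format into dicts; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = shlex.split(line)  # keeps the quoted User-Agent as one token
        if len(parts) != 5:
            continue
        ts, host, process, dest, ua = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "process": process.lower(),
            "dest": dest,
            "ua": ua,
        })
    return records


def find_ua_masquerade(records):
    """Browser-looking User-Agent ("Mozilla/...") sent by a process that is not a browser."""
    hits = set()
    for r in records:
        if r["ua"].startswith("Mozilla/") and r["process"] not in BROWSER_PROCESSES:
            hits.add((r["host"], r["process"], r["dest"], r["ua"]))
    return sorted(hits)


def find_beacons(records, min_connections=5, max_cv=0.1):
    """Flag (host, process, dest) tuples whose inter-connection gaps are near-constant.

    A coefficient of variation (stdev / mean) of the gaps below max_cv means the
    traffic is driven by a timer, which is how implants typically poll C2.
    """
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["host"], r["process"], r["dest"])].append(r["ts"])
    findings = []
    for key, stamps in by_key.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_cv:
            findings.append((*key, avg))
    return findings


def hunt(text):
    """Run both detections over a log text and return the findings by category."""
    records = parse_log(text)
    return {"ua_masquerade": find_ua_masquerade(records),
            "beacons": find_beacons(records)}


if __name__ == "__main__":
    for category, items in hunt(SAMPLE_LOG).items():
        for item in items:
            print(category, item)
```

Both rules are hunting leads, not verdicts: software updaters and monitoring agents also poll on a fixed timer, and some legitimate non-browser tools send a browser User-Agent, so the output is a worklist for the analyst. The thresholds (five connections, 10% jitter) are starting points to tune against your own telemetry, and the same logic applies to proxy logs once a process field is joined in from the endpoint.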