It is being reported today that the Fancy Bear hacking group has changed the tactics of a phishing campaign, which uses a Microsoft exploit to install malware, to focus on the US instead of Europe. They have done this by encouraging users to click on ‘US-centric’ topics that exploit fears around the recent terrorist attack in New York. IT security experts commented below.
Dan Matthews, Director of Engineering at Lastline:
We can look at the Vault7 exploit tool kit disclosure last spring as the same type of public release, but in the opposite direction. In the Vault7 exploit disclosure, multiple nation-state developed exploits were made available to the world. In just a few weeks, criminal software developers, less resourced nation-states and pen testers all started adding these NSA exploits to their bag of tricks.
With so many ‘offensive security’ eyes on public disclosures, it is as important as ever for organizations to be informed of new tradecraft and to deploy detective and preventative controls at multiple points of their networks.
At a technical level, it is noteworthy that this ‘exploit’ is really misusing a feature built into Windows which is not likely to be patched by Microsoft. Successful exploitation requires two separate user approvals, which attackers have demonstrated are not difficult to achieve when they present users with the right social engineering bait.
Andy Norton, Director of Threat Intelligence at Lastline:
What is important right now is to get actionable intelligence to those possibly impacted parties. Payloads from this originating infrastructure often display the following capabilities:
- Masquerading browser user-agents in HTTP communications
- Hiding network activity through code injection
- Reading browser-stored credentials
- Keystroke logging capabilities
In this case, hunting for stealthy network communication and monitoring for credential theft need to be part of incident response. Attributing the attacker is often a wilderness of mirrors and a distraction from the real goal of preventing unauthorised access.
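The first capability in the list above, masquerading browser user-agents, is something a defender can hunt for in proxy logs without attributing anything. The following is an added example, not code from the article or from Lastline: it runs three simple heuristics over a handful of constructed proxy log lines (the log format, the host names, the destinations and the engine-token check are all assumptions made for the example) and reports requests whose user-agent claims to be a browser but is not shaped like one, or is used by only one host in the fleet, with a raw-IP destination recorded as a corroborating signal.

```python
"""Hunt for masquerading browser user-agents in proxy logs.

Added example, not from the article. The log format below is assumed:
    <timestamp> <src_host> <dest_host> "<user-agent>"
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')
# Engine tokens a genuine modern browser UA carries after its platform block
# (heuristic assumption; extend for the browsers actually deployed in a fleet).
ENGINE_TOKENS = ("AppleWebKit", "Gecko", "Trident")

# Constructed sample log: three workstations, one standard Chrome UA, plus two
# odd requests to raw IP addresses with user-agents no fleet browser would send.
SAMPLE_LOG = """\
2017-11-02T09:01:10Z ws-017 intranet.example.local "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
2017-11-02T09:01:12Z ws-017 www.example.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
2017-11-02T09:02:05Z ws-017 203.0.113.45 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2017-11-02T09:03:40Z ws-022 www.example.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
2017-11-02T09:04:01Z ws-022 198.51.100.7 "Mozilla/5.0"
2017-11-02T09:05:22Z ws-031 intranet.example.local "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, dest, ua = m.groups()
        records.append({"ts": ts, "host": host, "dest": dest, "ua": ua})
    return records


def looks_like_browser_ua(ua):
    """Heuristic: modern browsers send 'Mozilla/5.0 (<platform>) <engine> ...'.

    A bare 'Mozilla/5.0' or a string without any engine token is the kind of
    half-hearted imitation a hand-rolled HTTP client tends to produce.
    """
    if not ua.startswith("Mozilla/5.0 ("):
        return False
    return any(tok in ua for tok in ENGINE_TOKENS)


def find_ua_anomalies(text, min_hosts=3):
    """Return records whose user-agent is suspicious, with the reasons attached.

    Reasons (in fixed order):
      malformed_browser_ua - claims Mozilla/5.0 but is not shaped like a browser UA
      rare_user_agent      - used by a single host while the log covers >= min_hosts
      raw_ip_destination   - corroborating only: destination is a bare IPv4 address
    """
    records = parse_log(text)
    hosts_per_ua = defaultdict(set)
    for r in records:
        hosts_per_ua[r["ua"]].add(r["host"])
    fleet_size = len({r["host"] for r in records})

    hits = []
    for r in records:
        reasons = []
        if r["ua"].startswith("Mozilla/5.0") and not looks_like_browser_ua(r["ua"]):
            reasons.append("malformed_browser_ua")
        if fleet_size >= min_hosts and len(hosts_per_ua[r["ua"]]) == 1:
            reasons.append("rare_user_agent")
        if not reasons:
            # A raw-IP destination alone is too noisy to report; it only
            # strengthens a hit that a user-agent heuristic already produced.
            continue
        if IPV4_RE.match(r["dest"]):
            reasons.append("raw_ip_destination")
        hits.append({**r, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_ua_anomalies(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["host"]} -> {hit["dest"]}: {", ".join(hit["reasons"])}')
        print(f'    UA: {hit["ua"]}')
```

On the sample data the script reports the two requests to raw IP addresses and leaves the fleet-wide Chrome traffic alone. The rarity check is the one that scales: in a real estate the baseline of "which user-agents does this fleet normally send" is what turns a masquerading UA from invisible into a one-line outlier, and it works even when the imitation is syntactically perfect, which the shape check alone would miss.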