
The hacker group Sednit uses 0day exploits for cyber attacks

We have written repeatedly about the hacker group Sednit (aka Sofacy, APT28, Fancy Bear). In our research we noted that last year this group resorted to a customized set of its own exploits to compromise users. To deliver them, it organized watering hole (drive-by download) attacks that relied on various 1day exploits for the MS Internet Explorer browser. We also pointed out that last year the group specialized in attacks against isolated (air-gapped) networks of various enterprises whose Internet access was restricted for security reasons.



A few days ago FireEye published new information about this group's activities: two 0day exploits that Sednit used in targeted cyber attacks on US diplomatic missions.
The first exploit targets the RCE vulnerability CVE-2015-3043 in Flash Player, which was patched last week (APSB15-06). The second, a 0day LPE exploit, is used to bypass the browser's sandbox mechanisms, obtain maximum (SYSTEM) privileges and install malware on the system. This method of chaining exploits has already become “classic” in such cyber attacks, and we mentioned it in our 2014 report.

Judging by the information FireEye analysts published about the LPE vulnerability in Windows (CVE-2015-1701), SMEP (Supervisor Mode Execution Prevention, which stops the kernel from executing code located in user-mode pages) blocks the actions of this exploit on Windows 8 and later, so those OS versions are not affected. Microsoft has not yet released a Security Advisory (SA) for this vulnerability, so for now we can only guess at its details. FireEye clarifies that this 0day exploit was seen only in this series of new targeted attacks and only in conjunction with the Flash Player vulnerability above. This indicates a highly targeted attack and a highly skilled attacker.

We have previously published descriptions of two LPE exploits that cannot work properly on Windows 8 x64 because SMEP is active there: PowerLoader 64-bit has been updated with new LPE exploits, Analysis of the Dianti.A exploit.

Source: https://habr.com/ru/post/256171/
