Russian-Based Hackers Use Two Zero-Day Exploits in One Attack

A FireEye report details Operation RussianDoll, which used a pair of zero-day flaws against a foreign government.



Security firm FireEye issued a report on April 18 alleging that Operation RussianDoll made use of two zero-day flaws—one in Adobe Flash and the other in Microsoft Windows—in a targeted attack. FireEye has labeled the hacker group behind the attack as APT28, which is operating out of Russia and may have ties to the Russian government.

"The target firm is a foreign government entity in an industry vertical that aligns with known APT28 targeting," Darien Kindlund, director of threat intelligence at FireEye, told eWEEK. "We cannot be any more specific than that. We detected this attack in real time, reporting the attack to the victim accordingly."

FireEye's APT28 RussianDoll attack report comes barely a week after the security firm released a report on a Chinese hacker group identified as APT30 that has been exploiting governments across Southeast Asia since 2005.

The APT28 attack involved two vulnerabilities, both of which were zero-day issues that FireEye first discovered on April 13. One of the vulnerabilities, identified as CVE-2015-3043, is in Adobe Flash. Adobe patched CVE-2015-3043 in an update released on April 14.

Dan Caselden, senior malware researcher at FireEye, noted that the CVE-2015-3043 vulnerability was already on Adobe's list of issues to fix prior to it being exploited by APT28 and discovered by FireEye on April 13.

The second issue is CVE-2015-1701, a new privilege escalation flaw in Microsoft's Windows operating system that has not yet been patched by Microsoft. In FireEye's analysis, the Flash flaw was specifically paired with the Windows privilege escalation vulnerability in order to exploit the victim. That said, it is possible that CVE-2015-1701 could be used in other attacks.

"It certainly could be used with other attack vectors," Caselden told eWEEK. "As long as the attacker can run an exe [executable file] on the system, the attacker can exploit CVE-2015-1701 to get system privileges."

The CVE-2015-1701 vulnerability is, however, limited in which versions of Windows it affects. According to Microsoft, the vulnerability no longer exists in Windows 8 and later, Caselden said.

Based on a number of factors, FireEye attributes the attack to APT28. Kindlund said the new exploit delivers a malware variant that shares characteristics with the APT28 backdoor CHOPSTICK and CORESHELL malware families.

"The malware uses an RC4 encryption key that was previously used by the CHOPSTICK backdoor," Kindlund said. "And the C2 [Command and Control] messages include a checksum algorithm that resembles those used in CHOPSTICK backdoor communications."
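The attribution step Kindlund describes, in which a sample is tied to a known family because it reuses that family's RC4 key, can be turned into a simple triage check: trial-decrypt the sample's C2 blob with each known family key and see which one yields plausible plaintext. The script below is an added illustration, not FireEye's tooling or the real CHOPSTICK/CORESHELL keys; the family keys, the beacon text and the printable-ratio heuristic are all constructed for the example.

```python
"""Attribution by shared RC4 key: trial-decrypt a C2 blob with the keys of
known malware families. Added example; keys and messages are constructed."""
from typing import Dict, Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher (KSA + PRGA). Encrypting and decrypting are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Constructed placeholder keys; these are NOT the real CHOPSTICK or CORESHELL keys.
KNOWN_FAMILY_KEYS: Dict[str, bytes] = {
    "CHOPSTICK": b"placeholder-chopstick-key",
    "CORESHELL": b"placeholder-coreshell-key",
}


def looks_like_c2_plaintext(data: bytes, min_printable_ratio: float = 0.9) -> bool:
    """Heuristic: the right key yields mostly printable text, a wrong key yields noise."""
    if not data:
        return False
    printable = sum(1 for b in data if 0x20 <= b < 0x7F or b in b"\r\n\t")
    return printable / len(data) >= min_printable_ratio


def attribute_by_rc4_key(blob: bytes,
                         family_keys: Dict[str, bytes] = KNOWN_FAMILY_KEYS) -> Optional[str]:
    """Return the family whose key decrypts the blob into plausible text, else None."""
    for family, key in family_keys.items():
        if looks_like_c2_plaintext(rc4(key, blob)):
            return family
    return None


# Constructed sample: a beacon encrypted under the placeholder CHOPSTICK key.
SAMPLE_BEACON = b"id=HOST01;os=Win7;ver=1.0;cmd=ping"
SAMPLE_BLOB = rc4(KNOWN_FAMILY_KEYS["CHOPSTICK"], SAMPLE_BEACON)

if __name__ == "__main__":
    print("attributed family:", attribute_by_rc4_key(SAMPLE_BLOB))
```

A key match on its own is weak evidence, which is why the report pairs it with a second indicator (the resembling checksum algorithm); in practice the key check is a fast first filter that decides which samples merit deeper comparison.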

The fact that one hacker group decided to burn through two zero-days in one attack is not surprising to Caselden. Once an attacker gets code execution for Flash in Internet Explorer, they have limited privileges, he said. "Exploiting a privilege escalation is a natural next step to fully insert themselves into the system," he said. "However, attackers often guard their privilege escalations closely."

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.


Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.