During its investigation and continued monitoring of Operation Pawn Storm, Trend Micro recently discovered some considerable changes in hackers' techniques and targets. The cyber espionage campaign now leverages a new zero-day threat, and has also expanded its victim scope to include a very high-profile target.
New Adobe Flash zero-day exploit
According to Trend Micro analysts Brooks Li, Feike Hacquebord and Peter Pi, the cybercriminals behind Operation Pawn Storm recently shifted their attack strategies. In their latest campaign, hackers built on their use of zero-day threats – the organization is known for utilizing one of the first Java zero-day threats seen in years – with a new Adobe Flash zero-day exploit.
Adobe, which was involved in the research and resulting finding, issued a security release soon after the exploit was discovered to warn users and help prevent infection. This new Flash zero-day exploit has been assigned the identifier CVE-2015-7645, along with the connected bulletin APSB15-27. Researchers found that this particular threat currently impacts Adobe Flash Player versions 126.96.36.199 as well as 188.8.131.52.
Victim scope grows: Foreign affairs ministries
Li, Hacquebord and Pi also reported that Operation Pawn Storm attacked several foreign affairs ministries as part of its most recent campaign. Similar to previous attacks, the victims each received a spear phishing message as well as a malicious link leading targets to the exploit. In each instance, phishing emails were crafted in a way that made them appear as innocuous messages about current events. Some of the subject lines here included:
- "Syrian troops make gains as Putin defends air strikes"
- "Russia warns of response to reported U.S. nuke buildup in Turkey, Europe"
- "U.S. military reports 75 U.S.-trained rebels return Syria"
These controversial and attention-grabbing headlines increase the chances that the victim will not only open the email, but the connected attachment as well, which unleashes the zero-day exploit onto the system.
In addition to spear phishing, Operation Pawn Storm hackers have also utilized faux Outlook Web Access servers in an attempt to intercept communications. In at least one instance, this attack technique was successful.
"These [fake servers] are used for simple, but extremely effective credential phishing attacks," Li, Hacquebord and Pi wrote. "One Ministry of Foreign Affairs got its DNS settings for incoming mail compromised. This means that Pawn Storm has been intercepting incoming email to this organization for an extended period of time in 2015."
Attack on MH17 investigation team
In addition to taking aim at several foreign ministries recently, the hackers behind Operation Pawn Storm also brazenly attacked another high-profile target: the internal team investigating the MH17 plane crash. Dutch Safety Board Onderzoeksraad was targeted by Pawn Storm on several instances, both before and after it released its Oct. 13th report detailing its findings in the investigation of the crash.
"It appears that a coordinated attack from several sides was launched to gain unauthorized access to sensitive material of the investigation conducted by Dutch, Malaysian, Australian, Belgian and Ukrainian authorities," Trend Micro reported.
The attacks on the investigative team began on Sept. 28, when hackers created a fraudulent server in order to resemble and copy the Dutch Safety Board's Safe File Transfer Protocol server. Then, the next day, cybercriminals established a fake Outlook Web Access server – similar to their technique in the other recent attacks on foreign ministries – in an attempt to target a prominent partner of the Dutch Safety Board. Thankfully, in this instance, Trend Micro was able to alert the partner before malicious activities could be carried out, halting attackers in their tracks.
The new Adobe Flash zero-day exploit was discovered on Oct. 13, and was unpatched as of Trend Micro's Oct. 22 report. Then, on Oct. 14, a fake VPN server was uncovered, leading researchers to believe that these were created to gather authentication information from Dutch Safety Board employees. These details could then be used by Pawn Storm hackers to access the real SFTP and VPN servers.
"These developments show that Pawn Storm coordinated attacks against different organizations to gain sensitive information on the MH17," Trend Micro stated.
Protecting against Pawn Storm attacks
As Pawn Storm cybercriminals train their crosshairs on more foreign organizations and high-profile targets, it's important that groups which fall into these categories understand how to protect themselves from attack. Trend Micro noted that the best security against zero-day exploits are multi-layered solutions that can help guard against malicious entry from every angle.
Solutions like Trend Micro's Deep Discovery and Vulnerability Protection can help organizations safeguard every level of their critical computing systems, and prevent infection through zero-day threats. Contact Trend Micro to find out more.