Fancy Bear hacker group ramped up zero-day attacks before Microsoft, Adobe released patches

Russia-linked hacker group Fancy Bear – also known as Pawn Storm, APT28, Sednit, Sofacy and Strontium – had maximised its Windows zero-day attack vector, before Microsoft and Adobe could issue patches. Security researchers uncovered that the hacker group, which is believed to be behind the controversial Democratic National Committee (DNC) hack, ramped up its zero-day attacks against international governments, in the days leading up to the public release of the patches.

The zero-day flaws were first made public by Google, following which Microsoft and Adobe released patches. While Adobe had its patches out on 26 October, Microsoft's patches were made available on 8 November. However, security researchers found that between the time the vulnerability was discovered and the patches were released, Fancy Bear accelerated its spear-phishing campaign "against various governments and embassies around the world".

Trend Micro researchers said, "The effectiveness of a zero-day quickly deteriorates as an attack tool after it gets discovered and patched by the affected software vendors. Within the time between the discovery of the vulnerability and the release of the fix, a bad actor might try to get the most out of his previously valuable attack assets. This is exactly what we saw in late October and early November 2016, when the espionage group Pawn Storm (also known as Fancy Bear, APT28, Sofacy, and STRONTIUM) ramped up its spear-phishing campaigns against various governments and embassies around the world."

Fancy Bear seeking to cast a wider net

Researchers pointed out that Fancy Bear hackers "probably devalued the two zero-days in its attack tool portfolio", to begin casting a wider net with its campaign. They noted that the hacker group also launched "several campaigns against high-profile targets since October 28 until early November 2016".

Two of the most recent and active Pawn Storm campaigns saw phishing emails sent out to various international governments from a fake email address. The emails containing a malicious link from one campaign appeared to be from a press officer of the EU and came with the subject line "European Parliament statement on nuclear threats". The link redirected victims to a website that hosted Fancy Bear's exploit kit.

The Researchers explained, "The exploit kit will first fingerprint its targets with invasive JavaScript, which uploads OS details, time zone, installed browser plugins, and language settings to the exploit server. The exploit server may then send back an exploit or simply redirect to a benign server."

Another campaign saw emails posing to be invitations to a "Cyber Threat Intelligence and Incident Response conference in November", which came with a malicious document. When the mail is opened, the malicious RTF document displayed the program details of the conference, which is real and is hosted by Defense IQ. However, the document comes with an embedded Flash file, which downloads additional files onto the target's computer.

"The conference is real, but of course, the sender address was forged. This attack methodology of Pawn Storm has been previously observed. We also noted that the embedded Flash file downloaded a Flash exploit for the just-patched CVE-2016-7855. A second file was also downloaded, but this file consistently crashed Microsoft Word during our tests," Trend Micro researchers said.

Unpatched systems still vulnerable

Even as security patches to the vulnerabilities have already been released, systems that have not been updated remain vulnerable to fresh attacks using the same exploits.

"Apart from these two campaigns, several others were also launched by Pawn Storm in the period between the discovery of the zero-days and the release of Adobe's and Microsoft's patches on October 26 and November 8, 2016. This shows that Pawn Storm ramped up their spear-phishing attacks shortly after its zero-days were discovered," researchers said.