Pawn Storm Group Uses the New York Attack in its Latest Cyberespionage Campaign
Pawn Storm (a.k.a. Fancy Bear, APT28, Sofacy, and STRONTIUM) made headlines again after security researchers shed light on its latest cyberespionage campaign. The group’s latest spear phishing campaign involves the use of a malware-ridden Word document that uses the recent incident in New York last October 31 as a social engineering hook.
The report noted the abuse of Microsoft Office’s Dynamic Data Exchange (DDE) to invoke the command prompt to run PowerShell commands that retrieve and help execute a payload that profiles the affected machine. If it’s a target of interest, it is further infected with a backdoor (X-Agent or Sedreco).
DDE provides a way for data to be shared between applications. When abused, it allows attackers to embed instructions in a document, such as launching the command prompt or running malicious code, regardless of whether macros are enabled. While not a novel technique, the misuse of DDE is gathering steam not only among cyberespionage groups but also among financially motivated cybercrooks. Even Locky ransomware and its long-time partner in crime, the Necurs botnet, were recently seen employing the same technique.
Beyond the traction that DDE misuse is gaining, there has also been a recent spate of cyberespionage- and cyberpropaganda-related operations. The Council on Foreign Relations (CFR), for instance, has so far cited 26 separate campaigns this year. And indeed, the past weeks alone saw a bevy of hacking groups looking to capitalize on various activities in the socio-political landscape. Some of them include:
- Keyboy, which also abuses DDE to distribute its information-stealing payloads
- Sowbug, which targeted diplomatic corps and foreign policy institutions in South America and Southeast Asia
- OceanLotus/APT32, which was seen mounting campaigns ahead of high-profile summit meetings of the Association of Southeast Asian Nations (ASEAN)
- ChessMaster, which was seen with new tools and tactics for further anonymizing their activities
- BlackOasis, which employed a zero-day vulnerability in Adobe Flash to distribute its spyware, targeting Middle Eastern politicians and United Nations officers
For organizations, these incidents highlight the importance of securing their perimeter—from gateways, networks, and servers to endpoints—as no platform is immune to these attacks. Here are some defense-in-depth measures that can help significantly reduce the enterprise’s attack surface:
- Mind your security gaps: keep the system, its applications, and the networks updated, or consider virtual patching for legacy systems, and accordingly create stronger patch management policies
- Enforce the principle of least privilege: implement URL categorization, network segmentation, and data categorization
- Proactively monitor your infrastructure: deploy firewalls as well as intrusion detection and prevention systems
- Regularly back up data and ensure its integrity
- Restrict or securely use the tools (e.g., PowerShell) used by your organization’s system administrators to deter their misuse
Trend Micro Solutions
Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to today’s stealthy malware and targeted attacks in real time. It provides a comprehensive defense tailored to protect organizations against targeted attacks and advanced threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats like the above-mentioned zero-day attacks even without any engine or pattern update. Trend Micro™ Deep Security™ and Vulnerability Protection provide virtual patching that protects endpoints from threats that abuse unpatched vulnerabilities.
Given how many cyberespionage groups like Pawn Storm use email as an entry point, organizations need to secure the email gateway to mitigate the threats it delivers. Trend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent malware from ever reaching end users. At the endpoint level, Trend Micro™ Smart Protection Suites deliver several capabilities that minimize the threat’s impact.
These solutions are powered by Trend Micro XGen™ security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads.