Russian hackers exploit Windows and Flash vulnerabilities

FireEye has uncovered new zero-day exploits in both Adobe Flash and Microsoft Windows that are likely to have been used by a widespread Russian cyber espionage campaign.

Both exploits were outlined by FireEye over the weekend in a report that accuses the Russia-based advanced persistent threat (APT) group known as APT28 of exploiting the two vulnerabilities.

Attackers can take advantage of the Flash exploit (CVE-2015-3043) when a victim clicks on a link to a malicious website controlled by the attackers. Once the victim is on the site, an HTML/JS launcher page serves the Flash exploit, which triggers CVE-2015-3043, executes shellcode and runs an executable payload on the Windows system. That payload then triggers the previously unreported Windows flaw, CVE-2015-1701, which is used to steal System tokens.

The Windows flaw is a local privilege escalation vulnerability: the exploit uses a callback to steal data from the System process and then executes code with escalated privileges. Attackers can then modify the stolen tokens so that their code has exactly the same privileges as the System process.

Is there a fix?

FireEye first reported on APT28 back in October and has linked the current campaign to the group by noting that the exploit delivers malware variants similar to APT28 backdoors from malware families the group has used in the past.

Microsoft is currently working on a fix for the Windows vulnerability, which does not affect Windows 8 or later. Adobe Flash users should update to the newest version of the software to prevent any problems arising.