
Pawn Storm APT ramps up attacks after Google's zero-day disclosure

Roundup: Russia-based APT group Pawn Storm expands spear-phishing attacks after Google's disclosure of a Windows zero-day. Plus, OpenSSL updates, IoT security and more.

Spear-phishing attacks by a Russia-based advanced persistent threat group increased in the days after Google disclosed two zero-day vulnerabilities, renewing the debate over Google's decision to publish a Windows kernel flaw before Microsoft had a patch ready.

The APT group -- known variously as Pawn Storm, Fancy Bear, APT28 and Strontium -- is widely believed to be behind this year's breach of the Democratic National Committee and attacks on other political targets. Adobe had shipped an emergency patch for the Flash Player flaw before Google's disclosure, but the elevation-of-privilege vulnerability in the Windows kernel remained unpatched for more than a week; Microsoft fixed it on Patch Tuesday this week.

"After the fix of CVE-2016-7855 in Adobe's Flash, Pawn Storm probably devalued the two zero-days in its attack tool portfolio," wrote senior threat researchers Feike Hacquebord and Stephen Hilt at IT security company Trend Micro Inc., based in Irving, Texas. "Instead of only using them against very high-profile targets, they started to expose many more targets to these vulnerabilities. We saw several campaigns against still-high-profile targets from October 28 until early November 2016."

According to the researchers, Pawn Storm sent spear-phishing emails in early November to governments around the world. "In one of Pawn Storm's campaigns on November 1, the subject line was 'European Parliament statement on nuclear threats.' The email seemingly came from a real press officer working for the media relations office of the European Union, but in reality, the sender email address was forged. Clicking on the link in the spear-phishing email led to the exploit kit of Pawn Storm."

Microsoft initially defended the delay, arguing that the attack chain observed in the wild depended on the Adobe Flash use-after-free vulnerability, which gave the attackers remote code execution, before the Windows kernel flaw was used to escalate privileges; systems with Flash already patched were therefore not exposed to that chain. A kernel elevation-of-privilege bug remains exploitable from any other code-execution foothold, however, which is why the week-long gap drew criticism. Terry Myerson, executive vice president of Microsoft's Windows and Devices Group, acknowledged in a blog post that Microsoft was aware of a "low-volume spear-phishing campaign" run by the threat actor it calls Strontium. He also said users of the Microsoft Edge browser on the Windows 10 Anniversary Update were protected from the versions of the exploit seen in the wild.

In other news:

  • After a three-day pre-announcement, the OpenSSL project released version 1.1.0c and recommended users upgrade as soon as possible. The release fixes three security flaws in the 1.1.0 branch, including a high-severity heap buffer overflow that allows a denial-of-service (DoS) attack. The advisory read: "TLS connections using *-CHACHA20-POLY1305 cipher suites are susceptible to a DoS attack by corrupting larger payloads. This can result in an OpenSSL crash. This issue is not considered to be exploitable beyond a DoS." The update follows a September release that fixed over a dozen OpenSSL vulnerabilities.
  • BearSSL, a new SSL/TLS library written from scratch in C by Canadian security expert Thomas Pornin, could mean more secure internet-of-things (IoT) devices. It is not a fork of OpenSSL: Pornin designed it as a small, independent implementation with no legacy protocol support. SSL 3.0 and earlier are omitted entirely, and the library supports TLS 1.0, 1.1 and 1.2. The implementation fits in about 20 KB of compiled code and uses about 25 KB of RAM, so while it can run on PC and mobile operating systems, Pornin said he hopes it will be especially useful for IoT platforms, describing it as a "portable library that focuses on embedded systems" by design.
  • Google continues to crack down on unsafe sites with a new "Repeat Offenders" classification under its Safe Browsing policy, which flags deceptive and harmful content. Sites that repeatedly violate Google's policies on malware, unwanted software, phishing and social engineering will now be marked as Repeat Offenders, and their webmasters will be unable to request removal of the "unsafe" warning for 30 days; previously a review could be requested immediately, a gap that malicious actors often exploited. "Over time, we've observed that a small number of websites will cease harming users for long enough to have the warnings removed, and will then revert to harmful activity," wrote Brooke Heinichen on the Google Security Blog. "As a result of this gap in user protection, we have adjusted our policies to reduce risks borne by end users."
  • In other Google news, HTTPS usage continues to climb, especially among Chrome users. According to a Google Security Blog post, "more than half of pages loaded and two-thirds of total time spent by Chrome desktop users occur via HTTPS," and Google expects those numbers to keep rising as it continues to push all sites to migrate to HTTPS.
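The OpenSSL item above is the one most readers have to act on, and the action is a fleet-wide version check. The following is an added example, not code from the OpenSSL project or from this article: it parses `openssl version` output, reports whether a build falls in the 1.1.0 to 1.1.0b range closed by 1.1.0c, and produces an interim cipher list with the *-CHACHA20-POLY1305 suites removed for hosts that cannot be upgraded immediately. The host names and version strings in SAMPLE_INVENTORY are constructed for the example. It assumes stock OpenSSL numbering (one letter suffix per patch release) and that upstream 1.0.2 and earlier never shipped ChaCha20-Poly1305 suites, which holds for OpenSSL's own releases but not necessarily for vendor builds that backported the cipher.

```python
import re
from typing import Dict, NamedTuple, Optional


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    fix: int
    patch: int        # letter suffix rank: 0 = none, 1 = 'a', 2 = 'b', 3 = 'c', ...
    prerelease: bool  # True for -dev / -preN builds, which carry no patch letter


# Matches 'OpenSSL 1.1.0b  26 Sep 2016', a bare '1.0.2j', or '1.1.1-dev'.
_VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(-(?:dev|pre\d+))?")


def parse_version(text: str) -> OpenSSLVersion:
    """Parse the output of `openssl version` (or a bare version string)."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    major, minor, fix, letters, pre = m.groups()
    # Letter suffixes sort alphabetically: '' < 'a' < 'b' < ... < 'z' < 'za'.
    patch = 0
    for ch in letters:
        patch = patch * 26 + (ord(ch) - ord("a") + 1)
    return OpenSSLVersion(int(major), int(minor), int(fix), patch, pre is not None)


# The ChaCha20-Poly1305 heap overflow described in the advisory was fixed in 1.1.0c.
FIXED_IN = OpenSSLVersion(1, 1, 0, 3, False)


def affected_by_chacha20_dos(version_text: str) -> Optional[bool]:
    """True if the build is 1.1.0 .. 1.1.0b, False if it is outside the affected
    range, None for -dev/-pre builds (compare their source date instead)."""
    v = parse_version(version_text)
    if v.prerelease:
        return None
    if (v.major, v.minor, v.fix) != (FIXED_IN.major, FIXED_IN.minor, FIXED_IN.fix):
        # Assumption: upstream 1.0.2 and earlier never shipped ChaCha20-Poly1305
        # suites, and 1.1.1 and later post-date the fix. Vendor-patched 1.0.2
        # builds that backported ChaCha20 need a separate check.
        return False
    return v.patch < FIXED_IN.patch


def without_chacha20(cipher_list: str) -> str:
    """Interim mitigation for hosts that cannot upgrade yet: drop every
    *-CHACHA20-POLY1305 suite from an expanded OpenSSL cipher list (the form
    printed by `openssl ciphers 'HIGH'`)."""
    kept = [c for c in cipher_list.split(":") if c and "CHACHA20" not in c]
    return ":".join(kept)


# Constructed sample inventory for this example (not real hosts):
# the output of `openssl version` collected per host.
SAMPLE_INVENTORY: Dict[str, str] = {
    "web-1": "OpenSSL 1.1.0b  26 Sep 2016",
    "web-2": "OpenSSL 1.1.0c  10 Nov 2016",
    "lb-1": "OpenSSL 1.0.2j  26 Sep 2016",
    "build-1": "OpenSSL 1.1.1-dev  xx XXX xxxx",
}


def triage(inventory: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Map each host to True (affected), False (not affected) or None (manual check)."""
    return {host: affected_by_chacha20_dos(text) for host, text in inventory.items()}


if __name__ == "__main__":
    labels = {True: "AFFECTED - upgrade to 1.1.0c", False: "ok", None: "unknown - manual check"}
    for host, state in triage(SAMPLE_INVENTORY).items():
        print(f"{host:8} {SAMPLE_INVENTORY[host]:32} {labels[state]}")
    print(without_chacha20(
        "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"))
```

On the host itself the same interim mitigation can be expressed in OpenSSL 1.1.0 cipher-string syntax as `openssl ciphers 'HIGH:!CHACHA20'`; the function here filters an already expanded list so that captured configurations can be checked offline. Disabling the suites is a stopgap only, and the advisory's recommendation to upgrade to 1.1.0c stands.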

Next Steps

Find out more about how the DNC hack raises questions on cyberattack attribution.

Learn how malicious links enabled the Pawn Storm attacks on the email accounts of Colin Powell and the Clinton campaign.

Read about long-lived advanced persistent threat attacks.
