Recent ‘Fancy Bear’ Attacks

Delaware, USA – October 23, 2017 – Researchers from Proofpoint and Cisco Talos report growing activity by the Fancy Bear group, also known as APT28. On October 18, researchers discovered a hastily planned attack on a number of companies in the US and Europe. The attackers sent MS Word documents containing ActiveX objects that exploited a vulnerability in Adobe Flash (CVE-2017-11292). The attack was detected a few days after Adobe released a patch that closes this vulnerability. According to Proofpoint, the hackers distributed DealerChoice malware that was previously used in another campaign. This may indicate that the recent campaign was planned hurriedly: the adversaries sought to infect victims before they installed the latest Adobe Flash updates.

On Sunday, October 22, Cisco Talos reported another attack by the same group, in which a new version of Seduploader was distributed via malicious emails with VBA macros. This attack targeted people who are linked to or interested in the conference on cyberwar, which will be held in the first half of October in Washington.

Most adversaries’ attacks target MS Windows systems. Therefore, it is necessary to closely monitor security events associated with this OS and with Active Directory. You can use Windows Security Monitor for ArcSight, QRadar and Splunk to profile security events and detect suspicious activity on Windows-based systems.