US-CERT Releases More About Grizzly Steppe

US-CERT just released more information about the Grizzly Steppe cybercrime group who has been fingered for hacking the DNC and US voter registration databases.  The short  report, titled Enhanced Analysis of GRIZZLY STEPPE Activity, makes interesting reading, especially if you are interested in finding out more about state-sponsored political espionage.  See pages 4-7 for the main story.

The Grizzly Steppe group is certainly continuing operations, and are not necessarily limiting their efforts to the political arena.  They may come knocking on your door sometime this year.  If not this group, then perhaps another one.

The following methods, attack vectors, and exploits are used by this group and others to compromise business systems and networks.  If you are tasked with protecting one of these networks, or are just wanting to understand the game and how it is played, this report will help you understand the tactics of your adversary.

Reconnaissance

  • The use of near misspellings of popular domains in phishing emails, such as gmaill.com instead of  gmail.com.  These are known as typo-squatting or doppleganger domains.
  • Phishing emails with links that resolve web pages with fake login forms to collect user names and passwords, or other forms to collect other types of personal information for identity impersonation attacks.
  • Network scanning attacks against web servers to find exploitable SQL injection or cross-site scripting vulnerabilities.

Weaponization 

  • Inserting malicious code into legitimate files.
  • “Watering hole” attacks from websites compromised with malicious downloads.
  • Malicious macros in MS Office documents.
  • Rich Text (RTF) files with embedded malicious Flash code.

Exploitation – via the following vulnerabilities.

  • CVE-2016-7855: Adobe Flash Player Use-After-Free Vulnerability
  • CVE-2016-7255: Microsoft Windows Elevation of Privilege Vulnerability
  • CVE-2016-4117: Adobe Flash Player Remoted Attack Vulnerability
  • CVE-2015-1641: Microsoft Office Memory Corruption Vulnerability
  • CVE-2015-2424: Microsoft PowerPoint Memory Corruption Vulnerability
  • CVE-2014-1761: Microsoft Office Denial of Service (Memory Corruption)
  • CVE-2013-2729: Integer Overflow in Adobe Reader and Acrobat vulnerability
  • CVE-2012-0158: ActiveX Corruption Vulnerability for Microsoft Office
  • CVE-2010-3333: RTF Stack Buffer Overflow Vulnerability for Microsoft Office
  • CVE-2009-3129: Microsoft Office Compatibility Pack for Remote Attacks

Installation

  • Via PHP web shells
  • Executable files
  • Malicious RTF files and Office macros.

Solutions include vigilance, vulnerability testing, penetration testing, network monitoring, traffic analysis, and cybersecurity awareness training.  This report has dozens of pages of technical information including code samples and mitigation guidance.  If any part of your job is cybersecurity, you should give this report a look.

More information

 

0

About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Senior Cybersecurity Engineer at Computer Integration Technologies, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.

Add a Comment