US-CERT just released more information about the Grizzly Steppe cybercrime group who has been fingered for hacking the DNC and US voter registration databases. The short report, titled Enhanced Analysis of GRIZZLY STEPPE Activity, makes interesting reading, especially if you are interested in finding out more about state-sponsored political espionage. See pages 4-7 for the main story.
The Grizzly Steppe group is certainly continuing operations, and are not necessarily limiting their efforts to the political arena. They may come knocking on your door sometime this year. If not this group, then perhaps another one.
The following methods, attack vectors, and exploits are used by this group and others to compromise business systems and networks. If you are tasked with protecting one of these networks, or are just wanting to understand the game and how it is played, this report will help you understand the tactics of your adversary.
Reconnaissance
- The use of near misspellings of popular domains in phishing emails, such as gmaill.com instead of gmail.com. These are known as typo-squatting or doppleganger domains.
- Phishing emails with links that resolve web pages with fake login forms to collect user names and passwords, or other forms to collect other types of personal information for identity impersonation attacks.
- Network scanning attacks against web servers to find exploitable SQL injection or cross-site scripting vulnerabilities.
Weaponization
- Inserting malicious code into legitimate files.
- “Watering hole” attacks from websites compromised with malicious downloads.
- Malicious macros in MS Office documents.
- Rich Text (RTF) files with embedded malicious Flash code.
Exploitation – via the following vulnerabilities.
- CVE-2016-7855: Adobe Flash Player Use-After-Free Vulnerability
- CVE-2016-7255: Microsoft Windows Elevation of Privilege Vulnerability
- CVE-2016-4117: Adobe Flash Player Remoted Attack Vulnerability
- CVE-2015-1641: Microsoft Office Memory Corruption Vulnerability
- CVE-2015-2424: Microsoft PowerPoint Memory Corruption Vulnerability
- CVE-2014-1761: Microsoft Office Denial of Service (Memory Corruption)
- CVE-2013-2729: Integer Overflow in Adobe Reader and Acrobat vulnerability
- CVE-2012-0158: ActiveX Corruption Vulnerability for Microsoft Office
- CVE-2010-3333: RTF Stack Buffer Overflow Vulnerability for Microsoft Office
- CVE-2009-3129: Microsoft Office Compatibility Pack for Remote Attacks
Installation
- Via PHP web shells
- Executable files
- Malicious RTF files and Office macros.
Solutions include vigilance, vulnerability testing, penetration testing, network monitoring, traffic analysis, and cybersecurity awareness training. This report has dozens of pages of technical information including code samples and mitigation guidance. If any part of your job is cybersecurity, you should give this report a look.
More information
- US-CERT Enhanced Analysis of GRIZZLY STEPPE Activity
- US-CERT GRIZZLY STEPPE – Russian Malicious Cyber Activity
Share
MAR
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com