Fancy Bear Is Spying On You

April 6, 2018

The Russians are blamed for a lot of things these days. And now, they are being linked to a phishing campaign that targets a government in Europe. The group called Fancy Bear (also tracked as APT28 or Sofacy), which is believed to be linked to the Kremlin, is suspected by researchers at Palo Alto Networks of exploiting an Adobe Flash Player vulnerability to deliver Trojan malware used for espionage and surveillance.

The campaign was observed on March 12 and 14. What’s sneaky is that the exploit only loads when a particular page of the malicious document is viewed, so an automated sandbox or a quick glance at the first page sees nothing harmful.

The group is using spear-phishing: it targets specific people, or people within certain industries, using information gathered about them elsewhere. That information is often collected from social media or professional networking sites such as LinkedIn. People post a lot on such sites, and a lot can be learned about a person’s role in a company or their day-to-day tasks.

Always use caution about what you put up on social networking sites. Even if you have strong privacy settings, you should consider anything you post on the Internet up for grabs for bad actors to view and use. No matter how careful we think we are being, once we put photos or text on social media we have no control over who shares it. Once it is shared or copied, it can be redistributed through any number of sites and services, and there is no reliable way to take it back or delete it.

Also, avoid opening links or attachments in email messages that you are not expecting or that come from someone you don’t know. Because a sender address can be spoofed, a phishing email can appear to come from someone you know, so it is worth double-checking with the sender through another channel before opening an unexpected link or attachment.

In this case, the document arrives as a supposed Microsoft Word attachment with a lure title that many in business may find appealing: “Defence & Security 2018 Conference Agenda.” If the viewer scrolls to the third page of the document, an embedded Flash object runs and exploits an unpatched Flash Player plugin to launch the malicious payload.
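A Word document that embeds a Flash object can be triaged without opening it in Word, because a .docx is a zip container and the embedded control is declared in plain XML. The script below is an added example, not code from the original post or from Palo Alto Networks. It assumes the lure is an Office Open XML .docx that embeds Flash as an ActiveX control (declared by the Shockwave Flash ActiveX class ID) or carries a raw SWF file as an embedded part, and it builds its own constructed sample document, with the control placed after two explicit page breaks, to exercise the checks; that sample is not the real lure.

```python
"""Offline triage of a .docx for embedded Adobe Flash content.

Added example (not the post's or the vendor's code). Assumptions: the document
is OOXML (.docx), Flash is embedded either as an ActiveX control declared by
the Shockwave Flash CLSID in word/activeX/*.xml or as a raw SWF part.
"""
import io
import re
import zipfile
from typing import List, Optional

# Shockwave Flash ActiveX control class ID, as written in word/activeX/activeX*.xml
FLASH_CLSID = "d27cdb6e-ae6d-11cf-96b8-444553540000"
# SWF file signatures: uncompressed, zlib-compressed, LZMA-compressed
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def scan_docx(data: bytes) -> List[str]:
    """Return findings describing Flash indicators inside a .docx blob.

    An empty list means no Flash indicator was found; it does not mean the
    file is safe, since the document could carry other exploit types.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid OOXML/zip container"]
    with zf:
        for name in zf.namelist():
            blob = zf.read(name)
            if name.endswith(".xml"):
                # XML part declaring the Flash ActiveX control by class ID
                if FLASH_CLSID in blob.decode("utf-8", "ignore").lower():
                    findings.append(f"{name}: Shockwave Flash ActiveX classid")
            elif blob[:3] in SWF_MAGICS:
                # Binary part that is a raw SWF. A real ActiveX .bin part is an
                # OLE compound file wrapping the control state and would need
                # compound-file parsing; only the raw case is handled here.
                findings.append(f"{name}: SWF header {blob[:3].decode()}")
    return findings


def control_page(data: bytes) -> Optional[int]:
    """Estimate which page the first ActiveX control renders on.

    Counts explicit page breaks before the first <w:control> in
    word/document.xml. Soft page breaks caused by text overflow are not
    counted, so this is a lower bound. Returns None if there is no control.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        xml = zf.read("word/document.xml").decode("utf-8", "ignore")
    m = re.search(r"<w:control\b", xml)
    if not m:
        return None
    breaks = re.findall(r'<w:br\b[^>]*w:type="page"', xml[: m.start()])
    return 1 + len(breaks)


def build_sample_docx() -> bytes:
    """Construct a minimal .docx with a Flash ActiveX control on page 3.

    Constructed for this example only: the XML is the minimum the scanner
    needs, not a complete document that Word would necessarily open.
    """
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        "<w:body>"
        "<w:p><w:r><w:t>Defence &amp; Security 2018 Conference Agenda</w:t></w:r></w:p>"
        '<w:p><w:r><w:br w:type="page"/></w:r></w:p>'
        "<w:p><w:r><w:t>Day 1</w:t></w:r></w:p>"
        '<w:p><w:r><w:br w:type="page"/></w:r></w:p>'
        '<w:p><w:r><w:object><w:control r:id="rId4" w:name="ShockwaveFlash1" '
        'w:shapeid="_x0000_i1025"/></w:object></w:r></w:p>'
        "</w:body></w:document>"
    )
    activex_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX" '
        'ax:classid="{D27CDB6E-AE6D-11cf-96B8-444553540000}" '
        'ax:persistence="persistStreamInit"/>'
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Default Extension="bin" ContentType="application/vnd.ms-office.activeX"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/activeX/activeX1.xml", activex_xml)
        # Constructed raw SWF stub (zlib-compressed signature "CWS") to trigger
        # the magic-byte check; a real part would be an OLE container.
        zf.writestr("word/activeX/activeX1.bin", b"CWS\x0f" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    for line in scan_docx(sample):
        print(line)
    print("first ActiveX control is on page", control_page(sample))
```

Run against a real suspicious attachment with `scan_docx(open(path, "rb").read())`; a classid hit is the strongest signal, since a legitimate conference agenda has no reason to instantiate the Flash control at all. The page estimate only counts explicit page breaks, so treat it as "at least page N" rather than an exact rendering position.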

So, while you’re pondering what you can remove from your LinkedIn profile and still have it remain effective, update your software, browser plugins, and anti-virus software to the latest patched versions. If you don’t need Adobe Flash (and most people no longer do; Adobe has already announced it will stop supporting Flash Player at the end of 2020), remove it altogether. If you aren’t sure, disable it for a while and see how it affects your browsing. If nothing breaks, you probably don’t need it at all and it can safely be removed.

Although this campaign appears to target a government in Europe, it’s a good bet that the same Flash vulnerability is already being exploited elsewhere in the world, perhaps by this group and perhaps by others. So, this should be taken seriously by everyone.

Stickley on Security
March 25, 2018