A number of senior cyber security pros were in for an embarrassment after it came to light that they fell for a phishing scam conducted by Fancy Bear, a Russian hacker group.
Fancy Bear used a malicious code in a Word document that it sent to cyber security pros who were to attend the Cyber Conflict US conference.
The cyber security conference, named the 2017 International Conference on Cyber Conflict U.S., will be hosting a number of cyber security professionals as well as senior military and government officials engaged in cyber security between 7-8 November, including Keith Alexander, former director of the NSA, and Paul Nakasone, commanding general of the US Army’s Cyber Command.
On Monday, security firm Cisco Talos announced that it has discovered a sophisticated phishing operation carried out by Russian hacker group Fancy Bear and targeted at cyber security professions attending the cyber security conference in November.
According to Cisco Talos, Fancy Bear posed as an event organiser and sent an email to the targeted individuals with a detailed itinerary of the conference which they lifted from the conference website. The emails contained a Word document titled “Conference_on_Cyber_Conflict.doc” that contained a well-known reconnaissance malware dubbed ‘Seduploader’.
The firm added that the Russian hackers didn’t use any exploit or zero-day codes but simply used scripting language embedded within the Microsoft Office document. This could have been done to shield their real exploits from cyber security researchers who would otherwise spot them and apply patches to render them useless.
At the same time, the hackers also took steps to avoid detection by researchers like making small updates after publications from the security community and changing the XOR key and the MUTEX name to ensure they weren’t exposed.
Talking about the Seduploader malware, Cisco Talos said that it has been in use by Fancy Bear for years and is composed of 2 files: a dropper and a payload. ‘The dropper and the payload are quite similar to the previous versions but the author modified some public information such as MUTEX name, obfuscation keys… We assume that these modifications were performed to avoid detection based on public IOCs,’ the researchers said.
‘Fancy Bear targeted cybersecurity professionals for good reason – they are privy to huge amounts of vital data. These conferences are attended by large enterprises, security vendors, and government bodies, making them a huge payload for any hacker. This information could be used for espionage, or worse, to gain political advantage,’ says Fraser Kyne, EMEA for CTO at Bromium.
‘This was a fairly rudimentary phishing attack, against people that should be able to spot the tell-tale signs of a cyberattack, and yet it still worked. Why? Because we rely on education, detection tools, and users to defend our networks – an approach that we see failing time after time.
‘Virtualisation-based application isolation and containment is the only way to do this. By allowing malware to execute, but doing so in a contained virtual machine, hackers have no means of causing harm – they cannot get onto the network, install a backdoor, or exfiltrate data. It is only by taking a radically new approach that we will ever start to effect any change,’ he adds.