FireEye's Labs team just published a detailed blog outlining the use of yet more zero-day exploits by what we believe may be Russian nation-state sponsored threat actors. The technical details are interesting, but if you're not fluent in the ins and outs of exploit research it might be hard to see the forest for the trees. Here's a quick rundown of what we reported:
- Attackers are using a pair of zero-day exploits (one in Adobe Flash, one in Windows) to target a specific foreign government organization.
- While we're not able at this time to comment on the shape of the victim organizations, we can say these attacks have markers consistent with those reported in our recent APT 28 report: https://www2.fireeye.com/apt28.html.
- Adobe released a patch for their software on Tuesday and Microsoft is working on a fix.
I know, I know - "so the Russians may still be hacking organizations of interest to them and using zero-day exploits in the process. YAWN." I realize this news, in and of itself, may not be that dramatic to those of us who live in the trenches. However, events like this inevitably start a public dialog. That dialog is healthy and serves to remind organizations about the new normal that we all have to adapt to, namely:
1) Bad guys are forever. Nation states target both public and private organizations to get what they want to further their national strategies. Expect more reports like this...and more ugly headlines about significant breaches...in the future.
2) Nation states have significant capabilities to discover and/or purchase information about zero-day exploits for important software packages that every organization uses. These exploits are used to take the things that are important to you and your organization. If you think you aren't a target, think again.
3) Whatever a nation state uses today, organized crime will use tomorrow and hacktivists will use the day after that. "Cyber weapons" (if you will pardon the hyperbole) proliferate much faster than those in the physical realm. The rising tide raises all ships. Expect to see these exploits everywhere and anywhere sometime soon.
4) To protect yourself you need to be agile, adaptive and resilient. You can't just sit back and protect yourself from the attack that happened last week. You need to be prepared for the attack that's coming next week, which may use new techniques, exploits, technologies, approaches, etc. The bad guys innovate as much as (or more than) you do. You cannot sit back using a staid approach from 1995 (or 2005, or 2010, or...well, you get the idea). Adaptive organizations will deal with this threat as a normal course of business, quickly identify any potential breaches, and respond in minutes (not days, or months), returning their organization to a normal operating cadence. Sound like your organization? If it's not, you have some work to do.
It's the new normal. Or maybe I should say The New Normal™. This isn't going to stop. It will get worse before it gets better (if it ever gets better). Sorry to be such a downer, but I'm blogging on a Saturday. One would think the Russians would be more polite. OK, maybe not.