A targeted attack campaign that is believed to be state sponsored and uses Adobe and Windows zero-day vulnerabilities to infect victims' systems has been uncovered by researchers at FireEye.
FireEye reported uncovering the "RussianDoll" campaign in a threat advisory, warning it has marked similarities to previously discovered state-sponsored APT28 attacks. APT28 is a cyber espionage group tied to the Russian government.
"Using the Dynamic Threat Intelligence Cloud (DTI), FireEye researchers detected a pattern of attacks beginning on April 13th, 2015," read the advisory.
"Through correlation of technical indicators and command and control infrastructure, FireEye assess that APT28 is probably responsible for this activity."
FireEye is yet to disclose the target organisation's identity, but has said it is "an international government entity in an industry vertical that aligns with known APT28 targeting".
The attack reportedly works using a sophisticated five-stage strategy that uses a patched flaw in Adobe Flash and unpatched bug in Microsoft's Windows 7 and below operating system to steal information.
The strategy sees the attackers target victims with messages containing links to a malicious websites that when clicked act as an HTML/JS launcher page that serves and triggers the Flash exploit.
Once launched the attack executes a shellcode that downloads and runs an executable payload that leads to local privilege escalation (CVE-2015-1701) and lets the hackers steal a system token.
This reportedly lets the hackers gain increased access to the system and makes it easy for them to take follow-on actions and steal information from the victim.
While the attack is currently believed to have a very limited focus, FireEye CTO Dave Merkel warned it is only a matter of time before run-of-the-mill cyber criminals learn from it and use the technique in their own schemes.
"If you think you aren't a target, think again. Whatever a nation state uses today, organised crime will use tomorrow and hacktivists will use the day after that. ‘Cyber weapons' proliferate much faster than those in the physical realm," he wrote in a blog post.
"The rising tide raises all ships. Expect to see these exploits everywhere and anywhere sometime soon.
"You cannot sit back using a staid approach from 1995 (or 2005, or 2010, or...well, you get the idea). This isn't going to stop. It will get worse before it gets better (if it ever gets better)."
Microsoft is currently working on a patch fix to plug the flaw being used in the attack. FireEye recommended businesses using Adobe and Microsoft install the patches as soon as possible.
The campaign's discovery follows widespread reports firms are operating overly lax patch update policies. Verizon listed poor patching practices as a key reason why one in four phishing scams is successful in its Data Breach Investigations Report earlier in April.
Facebook database included text-message metadata - despite not using Facebook Messenger for SMS
Successful attack could result in harm to patients and financial loss, warns NHS governing body