In contrast to the many high-profile data breaches being reported under various state or industry guidelines, cyberespionage of political targets (and the resulting loss of data) rarely gets reported. One example of such an attack is Danti, which is an APT that focuses primarily on government organizations in India.
Danti exploits CVE-2015-2545, which Microsoft announced and patched in September 2015. However, because many organizations have been slow to deploy the patch, exploits targeting this vulnerability continue to be effective.
The team at Kaspersky Lab has written a detailed report on the evolution of the threat, from its initial use by the Platinum group in August 2015 to its current use by several threat groups against targets in a number of countries in the Asia/Pacific region. The technique commonly used to penetrate a network is spear phishing: a document that appears to come from a legitimate source carries embedded malicious code, and opening it compromises the victim's system.
From the Kaspersky Report: “The exploit is based on a malformed embedded EPS (Encapsulated Postscript) object. This contains the shellcode that drops a backdoor, providing full access to the attackers.”
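Because the infection vector described above is an EPS object embedded in an Office document, a defender can triage incoming documents for that object type before a user opens them. The following is an added example, not code from the Kaspersky report or from AlienVault: it opens an OOXML (.docx/.xlsx/.pptx) container and flags any part whose content carries an EPS signature, checking content rather than file extension so a renamed object is still caught. The sample document is constructed inline; the two EPS markers are properties of the EPS format itself (the `%!PS-Adobe` ASCII header and the 0xC5D0D3C6 DOS-EPS binary header), not values from this page.

```python
import io
import zipfile
from typing import List

# Markers that identify EPS content (format facts, not page-specific values):
#   - ASCII EPS/PostScript files begin with "%!PS-Adobe"
#   - DOS/Windows binary EPS files begin with the magic bytes C5 D0 D3 C6
EPS_ASCII_MAGIC = b"%!PS-Adobe"
EPS_BINARY_MAGIC = b"\xc5\xd0\xd3\xc6"


def looks_like_eps(data: bytes) -> bool:
    """True if the byte string carries an EPS header anywhere in its first 4 KiB.
    Searching a window (not just offset 0) also catches EPS wrapped in a small
    OLE/object header, which is how Office stores embedded objects."""
    head = data[:4096]
    return head.startswith(EPS_BINARY_MAGIC) or EPS_ASCII_MAGIC in head


def find_embedded_eps(doc_bytes: bytes) -> List[str]:
    """Return the names of all parts in an OOXML container that look like EPS.
    Office normally places embedded objects under word/embeddings/ (or the
    xl/ppt equivalents); every member is inspected so location does not matter."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                if looks_like_eps(member.read(4096)):
                    hits.append(info.filename)
    return hits


def build_sample_docx(embed_eps: bool) -> bytes:
    """Constructed, minimal OOXML-like container used only to exercise the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if embed_eps:
            # Benign placeholder EPS body; a real sample would be the malformed object
            zf.writestr("word/embeddings/oleObject1.bin",
                        b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_embedded_eps(build_sample_docx(True)))   # ['word/embeddings/oleObject1.bin']
    print(find_embedded_eps(build_sample_docx(False)))  # []
```

A hit is a triage signal, not a verdict: legitimate documents do embed EPS artwork, so flagged files belong in a sandbox or analyst queue, and on unpatched hosts the safer policy is to block EPS-bearing documents at the mail gateway.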
The Kaspersky Lab report also illustrates how bad actors continue to modify their attack techniques to improve infection rates and evade detection. The graphic below illustrates how several groups have developed separate attacks targeting the same vulnerability:
Impact on you
CVE-2015-2545 has been with us since September 2015, and Microsoft released a fix in security bulletin MS15-099 that same month. That's the good news. The bad news is that the vulnerability affects the following Microsoft Office versions:
- 2007 SP3
- 2010 SP2
- 2013 SP1 and 2013 RT SP1
In other words, there could be a lot of potentially vulnerable software running in your network. For those of you who have deployed MS15-099, you get a gold star. Well done! For those of you who haven't, your systems are at risk, especially those in government agencies in India, or in targeted agencies in other countries such as the Philippines, Myanmar and Nepal.
How AlienVault Helps
The AlienVault Labs team performs the threat research on the latest threats, and on how to detect and respond to them, that most IT teams simply don't have the expertise, time, budget, or tools to do themselves. The Labs team regularly updates the rulesets that drive the threat detection, prioritization, and response capabilities of the AlienVault Unified Security Management (USM) platform, to keep you up to date with new and evolving threats.
The Labs team recently updated the USM platform's ability to detect this APT by adding IDS signatures that detect the malicious traffic and a correlation directive that links events from across a network which together indicate a compromised system.
From our weekly Threat Intelligence update:
Emerging Threat - APT.Danti
- Danti is an APT actor identified by Kaspersky Lab that has been active since at least 2015, predominantly targeting Indian government organizations. According to Kaspersky's telemetry, Danti has also been actively hitting targets in Kazakhstan, Kyrgyzstan, Uzbekistan, Myanmar, Nepal and the Philippines. During campaigns in February and March 2016, the group exploited CVE-2015-2545 via malicious Microsoft Office documents.
We've added IDS signatures and created the following correlation rule to detect Danti:
- System Compromise, Targeted Malware, APT.Danti
For more information on APTs, Phishing attacks, and other malware, visit the AlienVault Open Threat Exchange (OTX) to see the research the OTX community has contributed.
Also, the integration between OTX and your USM deployment means that you get alerted whenever indicators of compromise (IOCs) being discussed in OTX are present in your network. The result is that USM customers stay up to date on the latest threat vectors, attacker techniques and defenses.
These updates are included in the latest AlienVault Threat Intelligence update available now for USM users. Visit the AlienVault Forums to keep up to date on the latest threat intelligence updates, product news, and engage with your fellow Aliens!