Sofacy AKA Sednit/APT28/Fancy Bear Malicious Payloads

February 21, 2015 | Garrett Gross

You’ve probably educated your users not to click on risky email attachments, but what about Word files, spreadsheets, or even PDFs? We send those to coworkers all the time, so how do we know what is legitimate and what isn’t? Remember that one of the most visible breaches of our time, RSA in 2011, started with a tainted Excel spreadsheet.

We are seeing some especially tricky attacks these days from the Sofacy (aka Sednit/APT28/Fancy Bear) threat group. One of their common tactics is to hide malicious payloads in Word documents that exploit known (and typically already patched) vulnerabilities, so a user who simply opens the file on an unpatched machine is compromised. Other delivery mechanisms we have seen from this group include traditional spearphishing, compromised websites, and redirects to a fake site designed to impersonate the user’s Outlook web mail portal and capture their credentials.
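As an added example (not from the original post or from AlienVault), here is a small Python triage script that addresses the "how do we know what is legit" question for Office Open XML files: it opens a .docx/.xlsx/.pptx as the zip package it is and flags the parts where payloads typically hide. The checks (a VBA project, embedded OLE objects, ActiveX controls, and relationships whose target lives outside the package) are generic indicators of active or external content, not a signature for this group's specific exploits. The sample documents it builds are constructed in memory for the demonstration and are not real malware; `example.invalid` is a placeholder host.

```python
import io
import re
import zipfile

# Standard OOXML part names that indicate active content or embedded payloads.
MACRO_PART = re.compile(r"(word|xl|ppt)/vbaProject\.bin$")
EMBEDDED_PART = re.compile(r"(word|xl|ppt)/embeddings/.+")
ACTIVEX_PART = re.compile(r"(word|xl|ppt)/activeX/.+")
# Relationship entries pointing outside the package (remote template, remote
# image, etc.). Relationship parts are XML files under _rels/ directories.
EXTERNAL_REL = re.compile(r'<Relationship\b[^>]*TargetMode="External"[^>]*>', re.I)
TARGET_ATTR = re.compile(r'Target="([^"]+)"', re.I)


def triage_ooxml(data: bytes) -> dict:
    """Summarise suspicious parts of an OOXML document given as bytes.

    Keys: is_ooxml, macros, embeddings, activex, external_targets.
    A non-zip input (RTF, legacy OLE2 .doc, a renamed EXE) yields is_ooxml=False
    so the caller knows to hand it to a different parser.
    """
    findings = {"is_ooxml": False, "macros": [], "embeddings": [],
                "activex": [], "external_targets": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return findings  # a zip, but not an Office Open XML package
    findings["is_ooxml"] = True
    for name in names:
        if MACRO_PART.search(name):
            findings["macros"].append(name)
        elif EMBEDDED_PART.search(name):
            findings["embeddings"].append(name)
        elif ACTIVEX_PART.search(name):
            findings["activex"].append(name)
        elif name.endswith(".rels"):
            xml = zf.read(name).decode("utf-8", errors="replace")
            for rel in EXTERNAL_REL.findall(xml):
                m = TARGET_ATTR.search(rel)
                if m:
                    findings["external_targets"].append((name, m.group(1)))
    return findings


def is_suspicious(findings: dict) -> bool:
    """True when the package carries any of the indicators above."""
    return findings["is_ooxml"] and any(
        findings[k] for k in ("macros", "embeddings", "activex", "external_targets"))


def build_sample_docx(with_payload: bool) -> bytes:
    """Build a minimal docx-shaped package in memory (constructed sample, not a
    Word-valid document and not real malware). With with_payload=True it gains an
    embedded OLE object and an external attached-template relationship."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<w:document/>")
        rels = ('<?xml version="1.0"?>'
                '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">')
        if with_payload:
            # OLE2 compound-file magic followed by filler, standing in for an embedded object.
            zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 32)
            rels += ('<Relationship Id="rId9" Type=".../attachedTemplate" '
                     'Target="http://example.invalid/t.dotm" TargetMode="External"/>')
        rels += "</Relationships>"
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_docx(False)),
                       ("payload", build_sample_docx(True))):
        f = triage_ooxml(doc)
        print(label, "SUSPICIOUS" if is_suspicious(f) else "no indicators", f)
```

A hit here is a triage signal, not a verdict: plenty of legitimate documents embed spreadsheets or pull a corporate template from a file share, so the external target and embedded object should be examined rather than blocked outright. Conversely, documents that exploit parser bugs in RTF or the legacy binary .doc format are not zip packages at all and come back with `is_ooxml` false; those need an OLE2/RTF-aware tool (oletools, for example) instead of this check.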

This can impact you in several ways:

  • Infected machines can spread the malware to critical systems and to those that house sensitive data
  • Backdoor and command-and-control (C2) mechanisms leave you exposed to further compromise long after the initial infection
  • Data can be destroyed or exfiltrated

AlienVault Unified Security Management (USM) has vulnerability scanning built in that can be scheduled to give you continual awareness of unpatched hosts on your network, which is exactly what document exploits like these depend on.

Our AlienVault Labs team has already created several correlation rules and IDS signatures to spot activity related to this threat.

You can get more details on the latest USM threat intelligence updates here.

About the Author: Garrett Gross

Garrett Gross has always had an insatiable appetite for technology and information security, as well as an underlying curiosity about how it all works. Garrett has over 15 years of professional experience in information technology, filling several roles: systems administration, network engineering, product marketing, technical support, and helpdesk. In his current role in field enablement, he uses his experience to help managed security service providers be successful in evangelizing and operationalizing AlienVault USM.
