Note the Group Policy bypass to install a backdoor that was used to bypass PowerShell execution restrictions. http://www.securityweek.com/how-apt32-hacked-global-asian-firm-persistence
Wouldn't get too confident on this one. Re-read the last paragraph. After mitigation methods were put in place following the phishing e-mail incident, the attacker launched another attack, which I assume was a 0-day exploit to install a backdoor to bypass the mitigations.
It had to get the backdoor in somehow. Looked like it dropped some DLLs. I also saw mention of Outlook macros. All Office macros are off and should stay that way. I also have a few other defenses.
In this particular example, the backdoor was installed by the opening of the phished e-mail. Once the backdoor was installed, any further mitigation attempts were fruitless. The main point is that once a backdoor is installed, it is game over, period. Backdoors can be installed by malware by any method by which malware itself can be installed. Additionally, hidden/forgotten backdoors can exist in the OS and application software. If malware can find these backdoors, they can be exploited.
Some additional info about APT32 per FireEye: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
Some additional info on the Denis backdoor from Kaspersky: https://securelist.com/blog/research/78203/use-of-dns-tunneling-for-cc-communications/
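Since the Kaspersky write-up linked above is about a backdoor that tunnels its C2 traffic over DNS, here is a small detector that a practitioner could run over resolver query logs to surface that pattern. It is an added example, not code from the thread, from Kaspersky, or from any of the linked articles, and it knows nothing about Denis specifically. The log format (`timestamp client qtype qname`), the sample lines, the thresholds and the "last two labels" definition of a registered domain are all constructed assumptions for the illustration; a real deployment would use the public suffix list and tune the thresholds against its own baseline.

```python
"""Heuristic DNS-tunnelling detector run over DNS query log lines (added example)."""
import math
from collections import Counter, defaultdict

# Constructed sample log, assumed format: "<timestamp> <client> <qtype> <qname>".
# The first five lines are ordinary lookups; the last six model an implant
# exfiltrating encoded data in the leftmost label and reading TXT answers back.
SAMPLE_LOG = """\
2017-05-01T10:00:01 10.0.0.5 A www.example.com
2017-05-01T10:00:02 10.0.0.5 A mail.example.com
2017-05-01T10:00:03 10.0.0.5 A www.example.com
2017-05-01T10:00:04 10.0.0.5 AAAA mail.example.com
2017-05-01T10:00:05 10.0.0.5 A www.example.com
2017-05-01T10:00:06 10.0.0.5 TXT 3fa9b1c2d4e5f60718293a4b5c6d7e8f.tun.example.net
2017-05-01T10:00:07 10.0.0.5 TXT 9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a49.tun.example.net
2017-05-01T10:00:08 10.0.0.5 TXT 0a1b2c3d4e5f67890a1b2c3d4e5f6789.tun.example.net
2017-05-01T10:00:09 10.0.0.5 TXT f0e1d2c3b4a5968778695a4b3c2d1e0f.tun.example.net
2017-05-01T10:00:10 10.0.0.5 TXT 5d4c3b2a19087f6e5d4c3b2a19087f6e.tun.example.net
2017-05-01T10:00:11 10.0.0.5 TXT 7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b.tun.example.net
"""

# Illustrative thresholds (assumptions, not published indicators for any family).
THRESHOLDS = {
    "unique_ratio": 0.8,  # almost every query carries a never-seen subdomain
    "avg_entropy": 3.5,   # leftmost label looks encoded, not like a hostname
    "avg_sub_len": 30,    # long subdomains are needed to carry payload
    "txt_ratio": 0.5,     # TXT/NULL records are the usual downstream channel
}


def shannon_entropy(s: str) -> float:
    """Bits per character; hex data tends towards 4.0, words stay well below."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    """Assumption: last two labels. Use the public suffix list in production."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def parse_line(line: str):
    parts = line.split()
    if len(parts) < 4:
        return None
    return parts[2].upper(), parts[3].rstrip(".").lower()


def analyse(lines, min_queries: int = 5) -> dict:
    """Aggregate per registered domain and count how many indicators fire."""
    per = defaultdict(lambda: {"n": 0, "subs": set(), "ent": [], "len": [], "txt": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        qtype, qname = parsed
        dom = registered_domain(qname)
        sub = qname[: -len(dom)].rstrip(".") if qname != dom else ""
        s = per[dom]
        s["n"] += 1
        s["subs"].add(sub)
        s["ent"].append(shannon_entropy(sub.split(".")[0]))
        s["len"].append(len(sub))
        if qtype in ("TXT", "NULL"):
            s["txt"] += 1
    report = {}
    for dom, s in per.items():
        n = s["n"]
        if n < min_queries:  # too little traffic to judge
            continue
        m = {
            "queries": n,
            "unique_ratio": len(s["subs"]) / n,
            "avg_entropy": sum(s["ent"]) / n,
            "avg_sub_len": sum(s["len"]) / n,
            "txt_ratio": s["txt"] / n,
        }
        m["indicators"] = sum(1 for k, t in THRESHOLDS.items() if m[k] >= t)
        report[dom] = m
    return report


def suspicious_domains(lines, min_indicators: int = 3) -> list:
    """Domains on which at least min_indicators of the heuristics fire."""
    return sorted(d for d, m in analyse(lines).items() if m["indicators"] >= min_indicators)


if __name__ == "__main__":
    for dom, m in analyse(SAMPLE_LOG.splitlines()).items():
        print(f"{dom:14} queries={m['queries']:2} unique={m['unique_ratio']:.2f} "
              f"entropy={m['avg_entropy']:.2f} len={m['avg_sub_len']:.1f} "
              f"txt={m['txt_ratio']:.2f} indicators={m['indicators']}")
    print("suspicious:", suspicious_domains(SAMPLE_LOG.splitlines()))
```

The point of scoring several weak signals together is that any one of them has benign look-alikes (CDNs and anti-spam lookups also generate many unique, high-entropy subdomains), while a single domain that trips most of them at once is worth pulling the client's process list for.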
FYI, your highest likelihood of having a backdoor installed is from application software, as noted by Cisco last year, when 12 million computers were infected: http://www.securityweek.com/cisco-finds-backdoor-installed-12-million-pcs
Yeah, I read the article last night. For those who "brush off" phished e-mail, note the following excerpt from the article: As we all know too well, "the brass" is your best phishing target, since universally they personally never do anything to mitigate their security risks. But without hesitation, they will blame the IT dept. for their carelessness, resulting in the firing of at least "one token sacrifice", which by the way is never the CIO, since he is a treasured golfing buddy of the brass.
Interesting... how did opening an email install something? (I didn't see any details in the report.) ---- rich
Well, that is different from just opening an email. The victim then has to open an attachment. It is a two-step attack. ---- rich
In theory, so-called "next-gen AVs" should be able to block and detect these kinds of malware attacks. Blocking is of course the most important thing, because detection is probably a lot harder. Cybereason said it became a cat-and-mouse game, so this says enough about how deeply APT32 had infiltrated the network. Even when they were blocked, they managed to infect the system once again; this was clearly no child's play.
Leaked Trump-Duterte transcript linked to more sensitive documents, APT32 https://www.scmagazine.com/vietname...d-to-sensitive-document-leaks/article/665471/