A just-announced zero-day flaw in Microsoft products is opening the door to a Russian cyber-espionage campaign. So far, the campaign has targeted NATO, the European Union, European telecommunications companies, energy firms in Poland, and a U.S. academic organization, according to cyber threat intelligence firm iSight Partners.
The firm on Tuesday announced a critical vulnerability impacting all supported versions of Microsoft Windows and Windows Server 2008 and 2012. With responsible disclosure in mind, iSight worked in close collaboration with Microsoft to disclose the flaw.
IT admins should look for CVE-2014-4114 to patch the issue, which iSight discovered in the wild in connection with a nefarious effort apparently tied to Russian criminals they have dubbed the Sandworm Team. iSight is calling the criminals “Sandworm” based on its use of encoded references to the classic science fiction series Dune in command and control URLs and malware samples it has discovered.
Spear-Phishing Attacks ID’d
“In late August, while tracking the Sandworm Team, iSight discovered a spear-phishing campaign targeting the Ukrainian government and at least one United States organization,” iSight said in a blog post. “Notably, these spear-phishing attacks coincided with the NATO summit on Ukraine held in Wales.”
Fast forward to December and the firm’s research and labs teams discovered that the spear-phishing attacks relied on the exploitation of a zero-day vulnerability impacting all supported versions of Microsoft Windows -- except XP -- and Windows Server 2008 and 2012. iSight observed a weaponized PowerPoint document used in the attacks. The firm said the use of this zero-day vulnerability “virtually guarantees” that all of those entities were victimized to some degree.
What caused the flaw? Working with Microsoft, iSight discovered that a dangerous method vulnerability exists in the OLE (object linking and embedding) package manager in the software. When exploited, the vulnerability allows an attacker to remotely execute arbitrary code. The vulnerability exists because Windows allows the OLE packager to download and execute INF files.
“In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packager allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources,” the report indicates. “This will cause the referenced files to be downloaded and, in the case of INF files, to be executed with specific commands. An attacker can exploit this vulnerability to execute arbitrary code but will need a specifically crafted file and use social engineering methods (observed in this campaign) to convince a user to open it.”
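The mechanism described above (a Package OLE object in a PowerPoint file whose relationship points at an external INF file) leaves a visible trace in the OOXML package: an external-mode relationship in a slide's `.rels` part. The following triage script is an added example, not code from iSight or Microsoft; it builds a constructed minimal package in memory (the UNC path `\\192.0.2.10\public\slides.inf` is a made-up sample) and flags any external relationship that points at a UNC path or an `.inf` file.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace used by every OOXML relationships (.rels) part.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def find_external_ole_refs(pptx_bytes: bytes) -> list[tuple[str, str]]:
    """Return (rels_part, target) for each relationship that leaves the package
    and points at a UNC share or an .inf file. A triage heuristic, not a verdict."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                # Internal targets stay inside the zip; only External ones fetch files.
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                is_unc = target.startswith("\\\\") or target.lower().startswith("file:")
                if is_unc or target.lower().endswith(".inf"):
                    findings.append((name, target))
    return findings


def build_sample_pptx(external_targets: list[str]) -> bytes:
    """Constructed stand-in for a deck: one slide .rels part with the given
    external oleObject relationships. Not a real PowerPoint file."""
    rels = [
        f'<Relationship Id="rId{i + 1}" Type="{OLE_REL_TYPE}" Target="{t}" TargetMode="External"/>'
        for i, t in enumerate(external_targets)
    ]
    rels_xml = f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{RELS_NS}">{"".join(rels)}</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_pptx([r"\\192.0.2.10\public\slides.inf", "https://example.org/deck.pptx"])
    for part, target in find_external_ole_refs(sample):
        print(f"suspicious external reference in {part}: {target}")
```

Run it against real files by replacing `sample` with the bytes of a `.pptx`/`.ppsx`; the same `.rels` scan applies to Word and Excel packages, since they share the relationship format.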
A Silver Lining
Tim Erlin, director of IT risk and security strategy for advanced cyberthreat detection firm Tripwire, told us there’s a silver lining in the dark cloud. As he sees it, that silver lining is Microsoft’s quick fix that lets organizations take action to cut off this attack vector. Nevertheless, the dark cloud is still real.
“It appears that this cyber-espionage campaign has been running for years,” Erlin said. “We can plug the holes, but we can't retrieve the stolen intel. There will be follow-on effects from this bug, though linking them to this group or method may not be possible.”
What is entirely possible is that this previously unknown vulnerability has also been used by other groups in other attacks, Erlin noted. Just because you're not one of the known targets doesn't mean you should take the patch lightly, he stressed.
“This kind of multi-pronged attack demonstrates the clear need for multiple defensive strategies,” Erlin concluded. “Organizations need to think about their security process all the way from the initial targeted user contact through getting the stolen data out of the building.”
Posted: 2014-10-15 @ 1:03pm PT
The Problem lies in the use of Remote networks.
This has always been a problem.
I myself was a victim of a network consisting of gang members whose family members (regular citizens) were utilized.
This was in Sacramento California. The threat is Very Real. And the things they can do with ANY of your information are only limited to the imagination.
is to invent a program that recognizes ALL ports and Services that are included in the use of remote applications and log-ons, and that also identifies the BASIC-need programs, apps and services so that they can ALL be disabled, at ONCE or un-installed per request.
Otherwise, all systems are impregnable.
I'm not even a Cyber-genius or code writer, and I know this.
The other thing is also:
People need to be educated into NOT clicking on links or pictures, or even downloading "FREE" programs, etc. and should understand that there are those that know how to write commands that will lock-out the Owner/ User/ Administrator from making changes to his/her own computer or network, and can take complete control of it.
I hope you guys can make that happen (a Remote Connection Disabling/Un-installation app or program).