Russian Spies Tap Zero-Day Flaw in Microsoft Software
By Jennifer LeClaire / CRM Daily
Published: October 14, 2014
A just-announced zero-day flaw in Microsoft products is opening the door to a Russian cyber-espionage campaign. So far, the campaign has targeted NATO, the European Union, European telecommunications companies, energy firms in Poland, and a U.S. academic organization, according to cyber threat intelligence firm iSight Partners.

The firm on Tuesday announced a critical vulnerability impacting all supported versions of Microsoft Windows and Windows Server 2008 and 2012. With responsible disclosure in mind, iSight worked in close collaboration with Microsoft to disclose the flaw.

IT admins should look for CVE-2014-4114 to patch the issue, which iSight discovered in the wild in connection with a nefarious effort apparently tied to Russian criminals the firm has dubbed the Sandworm Team. iSight calls the group “Sandworm” because of the encoded references to the classic science fiction series Dune in the command and control URLs and malware samples it has discovered.

Spear-Phishing Attacks ID’d

“In late August, while tracking the Sandworm Team, iSight discovered a spear-phishing campaign targeting the Ukrainian government and at least one United States organization,” iSight said in a blog post. “Notably, these spear-phishing attacks coincided with the NATO summit on Ukraine held in Wales.”

Fast forward to December and the firm’s research and labs teams discovered that the spear-phishing attacks relied on the exploitation of a zero-day vulnerability impacting all supported versions of Microsoft Windows -- except XP -- and Windows Server 2008 and 2012. iSight observed a weaponized PowerPoint document used in the attacks. The firm said the use of this zero-day vulnerability “virtually guarantees” that all of those entities were victimized to some degree.

What caused the flaw? Working with Microsoft, iSight discovered that a dangerous method vulnerability exists in the OLE (object linking and embedding) package manager in the software. When exploited, the vulnerability allows an attacker to remotely execute arbitrary code. The vulnerability exists because Windows allows the OLE packager to download and execute INF files.

“In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packager allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources,” the report indicates. “This will cause the referenced files to be downloaded in the case of INF files, to be executed with specific commands. An attacker can exploit this vulnerability to execute arbitrary code but will need a specifically crafted file and use social engineering methods (observed in this campaign) to convince a user to open it.”
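The delivery pattern described above, a Package OLE object whose target is an external file that the packager then fetches, leaves a trace in the document's own relationship metadata, which is where a defender can look for it before anyone opens the file. The following Python script is an added example, not code from the article, iSight or Microsoft. It assumes the Office Open XML packaging layout (the document is a zip whose `_rels/*.rels` parts list `Relationship` elements with `Id`, `Type`, `Target` and optional `TargetMode` attributes, per ECMA-376); treating UNC or remote targets and `.inf`-style targets as suspicious is the example's own heuristic, and the sample document it scans is constructed inline with a TEST-NET address. Binary `.ppt` files (OLE2 compound documents) need a different parser and are not covered.

```python
"""
Heuristic scanner for Office Open XML packages (.pptx/.ppsx/.docx/.xlsx) that
flags relationship entries pointing outside the archive.

Added example for illustration; not code from the article, iSight or Microsoft.
Assumes the ECMA-376 packaging layout: the file is a zip, and each part's
relationships live in a sibling _rels/<part>.rels file as <Relationship>
elements carrying Id, Type, Target and (optionally) TargetMode attributes.
Which targets count as suspicious is this example's own heuristic.
"""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

# Heuristic: targets a mailed document has no business resolving at open time:
# UNC paths, remote URL schemes, or installer/executable file extensions.
SUSPICIOUS_TARGET = re.compile(
    r"^(\\\\|//|file:|https?:|ftp:)|\.(inf|exe|dll|scr|bat|cmd|js|vbs)$",
    re.IGNORECASE,
)


def find_external_references(package: bytes):
    """Return (rels_part, rel_id, rel_kind, target) for every relationship
    that is marked External or whose Target matches SUSPICIOUS_TARGET."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                # A rels part that will not parse is itself worth a look.
                findings.append((name, None, "malformed-rels", None))
                continue
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "Internal").lower() == "external"
                if external or SUSPICIOUS_TARGET.search(target):
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((name, rel.get("Id"), kind, target))
    return findings


def build_sample_package(ole_target: str, external: bool) -> bytes:
    """Construct a minimal zip with only the parts the scanner reads.  This is
    a stand-in built for the example, not a real presentation."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/slideLayout" '
        'Target="../slideLayouts/slideLayout1.xml"/>'
        f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="{ole_target}"{mode}/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<sld/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


def scan_file(path: str):
    """Scan a document on disk; returns the same finding tuples."""
    with open(path, "rb") as fh:
        return find_external_references(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        samples = {p: scan_file(p) for p in sys.argv[1:]}
    else:
        # Constructed samples: an embedded object stored inside the archive
        # (normal) and one that points at a share on a TEST-NET address.
        samples = {
            "clean.pptx": find_external_references(
                build_sample_package("../embeddings/oleObject1.bin", False)),
            "suspicious.ppsx": find_external_references(
                build_sample_package(r"file:///\\203.0.113.5\share\slide1.inf", True)),
        }
    for label, hits in samples.items():
        print(f"{label}: {'SUSPICIOUS' if hits else 'ok'}")
        for part, rid, kind, target in hits:
            print(f"  {part} {rid} ({kind}) -> {target}")
```

Run without arguments to see the two constructed samples scored, or pass document paths to scan real files. A legitimately embedded package is stored inside the archive (under `ppt/embeddings/` with an internal relationship), so an `oleObject` relationship marked `External` in a document that arrived by e-mail is a reasonable quarantine trigger for a mail gateway or file-share sweep; linked objects do occur in internally produced documents, which is why this is a heuristic and not a verdict.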

A Silver Lining

Tim Erlin, director of IT risk and security strategy for advanced cyberthreat detection firm Tripwire, told us there’s a silver lining in the dark cloud. As he sees it, that silver lining is Microsoft’s quick fix that lets organizations take action to cut off this attack vector. Nevertheless, the dark cloud is still real.

“It appears that this cyber-espionage campaign has been running for years,” Erlin said. “We can plug the holes, but we can't retrieve the stolen intel. There will be follow-on effects from this bug, though linking them to this group or method may not be possible.”

What is entirely possible is that this previously unknown vulnerability has also been used by other groups in other attacks, Erlin noted. Just because you're not one of the known targets doesn't mean you should take the patch lightly, he stressed.

“This kind of multi-pronged attack demonstrates the clear need for multiple defensive strategies,” Erlin concluded. “Organizations need to think about their security process all the way from the initial targeted user contact through getting the stolen data out of the building.”

Joe:
Posted: 2014-10-15 @ 1:03pm PT
The Problem lies in the use of Remote networks.

This has always been a problem.

I myself was a victim of a network consisting of gang members whose family members (regular citizens) were utilized.

This was in Sacramento California. The threat is Very Real. And the things they can do with ANY of your information are only limited to the imagination.

The SOLUTION:
is to invent a program that recognizes ALL ports and Services that are included in the use of remote applications and log-ons, and that also identifies the BASIC-need programs, apps and services so that they can ALL be disabled, at ONCE or un-installed per request.

Otherwise, all systems are impregnable.

I'm not even a Cyber-genius or code writer, and I know this.

The other thing is also:
People need to be educated into NOT clicking on links or pictures, or even downloading "FREE" programs, etc. and should understand that there are those that know how to write commands that will lock-out the Owner/ User/ Administrator from making changes to his/her own computer or network, and can take complete control of it.

I hope you guys can make that happen (a Remote Connection Disabling/Un-installation app or program).

© Copyright 2017 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.