Cybersecurity firm iSight Partners this week revealed that a cybergang it dubbed “Sandworm” has been exploiting a zero-day vulnerability that impacts all supported versions of Microsoft Windows, including Windows Server 2008 and 2012.
The announcement was held off until Microsoft issued its patch for the vulnerability, CVE-2014-4114, earlier this week.
If exploited, the flaw lets an attacker execute arbitrary code on the target system.
The cybergang hit NATO, government organizations in Ukraine and Western Europe, a Polish energy firm, a French telecommunications company, and academic organizations in the United States, iSight said.
Come On, Paskudnyak
The attacks constitute a Russian cyberespionage campaign, according to iSight.
Nyet, said Alex Gostev, chief security expert at Kaspersky Lab’s global research and analysis team.
“Cybercriminals may leave traces indicating that they speak a certain language or belong to a certain ethnic group in order to mislead investigators,” he argued. Many people in post-Soviet countries communicate in Russian, especially in the IT industry, so iSight’s conclusion is “ill-advised.”
However, “all the victims have something in common,” Timo Hirvonen, senior researcher at F-Secure, told TechNewsWorld. “They are all apparently not friends with Russia.”
Further, the group “was very targeted and sophisticated in its methods,” and that’s “typical of a professional government or nation-state mission,” Philip Lieberman, president of Lieberman Software, pointed out.
Details of the Attack
iSight has been tracking Sandworm since 2013. The gang uses various tactics, including spearphishing (sending malicious document attachments to targets), BlackEnergy malware, and exploits of the Microsoft zero-day flaw. Its attacks are tied to geopolitical issues related to Russia.
Sandworm hit NATO and attendees of the Globsec security forum using exploits other than the Windows zero-day.
It used several types of attacks against a Western European government in June, and it hit the French telecoms firm with a variant of BlackEnergy. The Windows zero-day attack was used against the Polish company.
Some of the Sandworm activities were spotted by F-Secure, which named the group “Quedagh.” F-Secure said in September that Quedagh was using the BlackEnergy malware to steal information from governmental organizations.
“Getting complete visibility on all activities a group is involved in is quite a challenge,” Liam O Murchu, senior manager at Symantec, told TechNewsWorld. “It’s not unusual to discover a group targeting one organization but later discover they are targeting others as well.”
The Threat Posed by the Windows Vulnerability
The OLE package manager vulnerability lets attackers send a poisoned Microsoft Office document to targets, O Murchu said. When a target opens and reads the document, the vulnerability will allow other files to be downloaded and executed without the victim’s knowledge.
“This is a severe error in the operating system that could affect a lot of users,” Lieberman told TechNewsWorld.
However, now that it has been disclosed, most users will be able to mitigate the threat using Windows Update.
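The paragraph above describes the general shape of the attack: a document whose embedded OLE package makes Windows fetch and run something from elsewhere when the document is opened. One practical check a defender can run on incoming Office files is to open the OOXML container (a zip archive) and list every OLE-object relationship, flagging those whose target lies outside the package (an explicit TargetMode="External", a UNC path, or a URL). The script below is an added example written for this article; it is not code from iSight, Microsoft, or the original report, and it does not reproduce the Sandworm exploit or prove that a file is malicious. It assumes the standard OPC relationship-type URIs for OLE objects and embedded packages, and the two sample documents it builds are constructed in-memory for testing, not real captures.

```python
"""Scan OOXML (.docx/.pptx/.xlsx) containers for OLE-object relationships and
flag those that point outside the package. Added example, not from the article."""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Relationship types Office uses for OLE objects and embedded packages (OPC/OOXML spec).
OLE_REL_SUFFIXES = ("/relationships/oleObject", "/relationships/package")


def find_ole_relationships(data: bytes):
    """Return (rels_part, rel_id, target, target_mode) for every OLE/package
    relationship in the container. Raises ValueError for non-zip input."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not an OOXML/zip container")
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed relationship part; a stricter scanner would flag it
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("Type", "").endswith(OLE_REL_SUFFIXES):
                    found.append((name, rel.get("Id"), rel.get("Target", ""),
                                  rel.get("TargetMode", "Internal")))
    return found


def is_external_target(target: str, mode: str) -> bool:
    """True when the OLE object is not stored inside the container: an explicit
    External mode, a UNC path, or a URL. These are the references that make the
    document reach out to somewhere else when it is opened."""
    t = target.strip().lower()
    return (mode.lower() == "external"
            or t.startswith("\\\\") or t.startswith("//")
            or t.startswith(("http://", "https://", "file:")))


def scan(data: bytes) -> dict:
    """Summarise a document: count of OLE relationships and the external targets."""
    rels = find_ole_relationships(data)
    return {"ole_objects": len(rels),
            "external": [r[2] for r in rels if is_external_target(r[2], r[3])]}


def build_sample(target: str, external: bool) -> bytes:
    """Constructed, minimal PowerPoint-style OPC package for testing (not a real file)."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId2" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
        f'Target="{target}"{mode}/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("ppt/slides/slide1.xml", "<sld/>")  # placeholder slide part
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        if not external:
            zf.writestr("ppt/embeddings/oleObject1.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed samples: one object stored in the package, one referenced over UNC (TEST-NET address).
BENIGN = build_sample("../embeddings/oleObject1.bin", external=False)
SUSPICIOUS = build_sample("\\\\192.0.2.10\\share\\object.bin", external=True)

if __name__ == "__main__":
    # Usage: python scan_ole.py file1.pptx file2.docx ...  (falls back to the samples)
    inputs = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or \
             [("BENIGN", BENIGN), ("SUSPICIOUS", SUSPICIOUS)]
    for label, data in inputs:
        result = scan(data)
        verdict = "REVIEW" if result["external"] else "ok"
        print(f"{label}: {result['ole_objects']} OLE object(s), "
              f"{len(result['external'])} external -> {verdict}")
        for t in result["external"]:
            print(f"    external target: {t}")
```

An external target is a reason to quarantine and look closer, not a conviction: legitimate documents occasionally link objects rather than embed them. The check complements, rather than replaces, applying the Windows Update mentioned above.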
Microsoft’s Patch
Microsoft rates the security update Important for all supported releases of Windows except Windows Server 2003.
Its patch modifies the way OLE objects are activated in Windows.
The average user likely would not need to be overly concerned, because “this type of work would not be used to launch an attack on the general population of users on the Internet,” Lieberman remarked. Nation-states “only use their highest value assets against high-value targets,” as their resources are limited.
Why Spearphishing Still Works
Spearphishing is not a new tactic. Reams of copy have been written about its dangers, warning people not to click on links in, or open attachments to, unsolicited emails if they want to avoid falling prey to a spearphishing attack.
Yet it remains a successful tactic.
“There are many people out there who don’t realize that documents in general can be malicious,” F-Secure’s Hirvonen said. “It’s a matter of [user] education.”