Menu
Russian hackers exploit Windows zero-day flaw to target Ukraine, US organizations

Russian hackers exploit Windows zero-day flaw to target Ukraine, US organizations

The vulnerability allows for arbitrary code execution and affects many versions of Windows and Windows Server

A cyberespionage group operating out of Russia has launched malware attacks against the Ukrainian government and at least one U.S.-based organization through a previously unknown vulnerability that affects most versions of Windows.

The group, which has been dubbed the Sandworm team, has been actively attacking organizations like the NATO alliance, energy firms and telecommunication companies since 2013, but its latest campaign leveraging the new Windows zero-day flaw was identified in late August by researchers from security firm iSight Partners.

The company made some of its findings public early Tuesday in coordination with Microsoft, which plans to release a patch for the vulnerability later in the day.

The attack used spear-phishing emails containing a malicious PowerPoint document that was created to exploit the new vulnerability. The campaign coincided with the NATO summit in Wales that focused on the conflict in Ukraine, the iSight researchers said in a blog post.

"Though we have not observed details on what data was exfiltrated in this campaign, the use of this zero-day vulnerability virtually guarantees that all of those entities targeted fell victim to some degree," the researchers said.

After the exploit was shared with Microsoft in early September, it was determined that the vulnerability is located in the Object Linking and Embedding (OLE) package manager and that it affects all versions of the Windows operating system from Vista Service Pack 2 to Windows 8.1, as well as Windows Server 2008 and 2012.

"The vulnerability exists because Windows allows the OLE packager (packager.dll) to download and execute INF files," the iSight researchers said. "In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packager allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources."

Attackers can leverage this vulnerability to execute arbitrary code, but will need to trick users to open a specifically crafted file first by using social engineering techniques, something that was observed in this campaign.

"Although the vulnerability impacts all versions of Microsoft Windows -- having the potential to impact an enormous user population -- from our tracking it appears that its existence was little known and the exploitation was reserved to the Sandworm team," the iSight researchers said. Nevertheless, Windows administrators should apply the patch "as soon as humanly possible" once it becomes available, as the flaw has potential to be exploited by other attackers, the researchers said.

"Whilst the technical detail of the Sandworm vulnerability has thankfully been held back until the patch was ready from Microsoft, if the descriptions of the bug are accurate it could be a major attack vector for hackers to infiltrate corporate systems for further exploitation and exfiltration of confidential information," said Gavin Millard, EMEA technical director at Tenable Network Security, via email. "When zero day exploits associated with common file formats are exposed, malware to take advantage of it quickly follows."

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags patchesMicrosoftsecurityiSight PartnersTenable Network SecurityspywareExploits / vulnerabilitiesmalware

Featured

Slideshows

Educating from the epicentre - Why distributors are the pulse checkers of the channel

Educating from the epicentre - Why distributors are the pulse checkers of the channel

​As the channel changes and industry voices deepen, the need for clarity and insight heightens. Market misconceptions talk of an “under pressure” distribution space, with competitors in that fateful “race for relevance” across New Zealand. Amidst the cliched assumptions however, distribution is once again showing its strength, as a force to be listened to, rather than questioned. Traditionally, the role was born out of a need for vendors and resellers to find one another, acting as a bridge between the testing lab and the marketplace. Yet despite new technologies and business approaches shaking the channel to its very core, distributors remain tied to the epicentre - providing the voice of reason amidst a seismic industry shift. In looking across both sides of the vendor and partner fences, the middle concept of the three-tier chain remains centrally placed to understand the metrics of two differing worlds, as the continual pulse checkers of the local channel. This exclusive Reseller News Roundtable, in association with Dicker Data and rhipe, examined the pivotal role of distribution in understanding the health of the channel, educating from the epicentre as the market transforms at a rapid rate.

Educating from the epicentre - Why distributors are the pulse checkers of the channel
Kiwi channel reunites as After Hours kicks off 2017

Kiwi channel reunites as After Hours kicks off 2017

After Hours made a welcome return to the channel social calendar last night, with a bumper crowd of distributors, vendors and resellers descending on The Jefferson in Auckland to kickstart 2017. Photos by Maria Stefina.

Kiwi channel reunites as After Hours kicks off 2017
Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow Electronics introduced Tenable Network Security to local resellers in Sydney last week, officially launching the distributor's latest security partnership across Australia and New Zealand. Representing the first direct distribution agreement locally for Tenable specifically, the deal sees Arrow deliver security solutions directly to mid-market and enterprise channel partners on both sides of the Tasman.

Arrow exclusively introduces Tenable Network Security to A/NZ channel
Show Comments