10/14/2014

Russian Cyberspies Hit Ukrainian, US Targets With Windows Zero-Day Attack

The Sandworm cyber espionage gang out of Russia intensifies its attacks in the wake of the Ukrainian conflict and sanctions against Russia with a classic zero-day -- plus a popular cybercrime toolkit.

The Russian cyber espionage and cybercrime worlds once again have collided in a newly discovered cyberspying campaign that uses a zero-day flaw found in all supported versions of Microsoft Windows.

Researchers at iSIGHT Partners, who have been tracking the so-called Sandworm cyber espionage team out of Russia and four other such teams there for some time, discovered the group using a previously unknown security weakness in Windows. Today, as part of its monthly patch cycle, Microsoft will issue a patch for the CVE-2014-4114 bug, which is found in Windows Vista; Windows versions 7, 8, and 8.1; and Windows Server 2008 and 2012.

The Sandworm gang is using the zero-day for the initial attack, which then drops a variant of the notorious BlackEnergy Trojan traditionally used by the pervasive Russian cybercrime underground. This intersection between nation-state spying and the criminal underground in Russia has been on the rise this past year, security experts say, with the attacks escalating in the wake of the Ukrainian conflict and sanctions by the US and others against Russia for its actions in Ukraine.

Among the targets of Sandworm are NATO, the Ukrainian government, a US think tank specializing in Russian issues, Polish government and energy entities, a French telecommunications firm, and a Western European government agency.

The group has been active since 2013, but the zero-day attack wasn't spotted by researchers monitoring the group until late August, when its attacks became more directed at Ukrainian and related targets, including the US think tank.

Sandworm is using the cyber espionage-style zero-day exploit embedded in a Microsoft Office file -- in this case, a PowerPoint presentation attachment -- in a spear-phishing attack campaign. The vulnerability, which is basically a weakness in Windows' OLE packaging function rather than a traditional type of bug, allows the attackers to run the infected PowerPoint file in animation mode, which triggers the flaw and ultimately infects the victim's machine as he or she views the PowerPoint. The user doesn't get the typical Office prompt asking whether to run animation in the file; it runs automatically.

"Normally, user interaction requires [these objects in Windows] to trigger," says Drew Robinson, a senior malware analyst with iSIGHT Partners. But all it takes is for the user to open the PowerPoint file, and the malware installs on the machine.
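The article describes the exploit as an OLE packager object embedded in a PowerPoint attachment. A defender triaging inbound presentations can at least surface such objects before anyone opens the file: a .pptx is a zip archive, and every embedded OLE or packager object is referenced from a slide's relationships part (`ppt/slides/_rels/*.rels`) by a relationship type defined in the Office Open XML specification. The script below is an added example, not code from the article or from iSIGHT; it builds two constructed in-memory archives (one with an embedded OLE object, one without) and lists what it finds. It flags the presence of embedded OLE objects for manual review, which is a broader condition than the specific CVE-2014-4114 trigger, and it does not attempt to decide whether a given object is malicious.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

# OOXML relationship types that point at embedded OLE / packager objects.
# These URIs are defined by the Office Open XML specification.
OLE_REL_TYPES = {
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject",
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/package",
}
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Header of an OLE compound (structured storage) file.
OLE_CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def _resolve(rels_part: str, target: str) -> str:
    """Resolve a relationship Target (relative to the slide part) to a zip entry name."""
    base = rels_part.rsplit("/_rels/", 1)[0]  # ppt/slides/_rels/x.rels -> ppt/slides
    out: List[str] = []
    for piece in (base + "/" + target).split("/"):
        if piece == "..":
            if out:
                out.pop()
        elif piece and piece != ".":
            out.append(piece)
    return "/".join(out)


def find_embedded_objects(pptx_bytes: bytes) -> List[Dict[str, object]]:
    """List every OLE/packager object referenced from a slide's relationships."""
    found: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as zf:
        names = set(zf.namelist())
        for name in sorted(names):
            if not (name.startswith("ppt/slides/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                rel_type = rel.get("Type", "")
                if rel_type not in OLE_REL_TYPES:
                    continue
                entry = _resolve(name, rel.get("Target", ""))
                data = zf.read(entry) if entry in names else b""
                found.append({
                    "slide_rels": name,
                    "target": entry,
                    "rel_type": rel_type.rsplit("/", 1)[-1],
                    "is_ole_cfb": data.startswith(OLE_CFB_MAGIC),
                    "size": len(data),
                })
    return found


def triage(pptx_bytes: bytes) -> Dict[str, object]:
    """Flag a presentation for review if it carries any embedded OLE/packager object."""
    objs = find_embedded_objects(pptx_bytes)
    return {"embedded_objects": objs, "suspicious": len(objs) > 0}


def _build_pptx(with_ole: bool) -> bytes:
    """Constructed minimal .pptx-like archive for this demo (not a real Office file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<sld/>")
        rels = ['<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
        if with_ole:
            rels.append('<Relationship Id="rId2" '
                        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
                        'Target="../embeddings/oleObject1.bin"/>')
            # Constructed placeholder object: valid CFB header followed by padding.
            zf.writestr("ppt/embeddings/oleObject1.bin", OLE_CFB_MAGIC + b"\x00" * 24)
        rels.append("</Relationships>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", "".join(rels))
    return buf.getvalue()


SUSPECT_PPTX = _build_pptx(with_ole=True)
CLEAN_PPTX = _build_pptx(with_ole=False)

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT_PPTX), ("clean", CLEAN_PPTX)):
        print(label, triage(blob))
```

On a real attachment, pass the file's bytes to `triage()`; a presentation with no slide-level OLE relationships comes back with `suspicious` false, while any embedded object is listed with its resolved archive path, its relationship type and whether it starts with the OLE compound-file header. Legitimate decks do embed spreadsheets and charts, so a hit is a review trigger, not a verdict.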

The cybercrime link used in these targeted attacks is the notorious BlackEnergy Trojan, which over the years has been used for everything from DDoS attacks to online bank fraud and, most recently, targeted attacks in cyber espionage campaigns. ESET researchers said late last month they had spotted BlackEnergy being used in attacks via malicious PowerPoint files, targeting organizations in Ukraine and Poland. F-Secure also has kept close tabs on the Russian cyberspying gang.

"As cybercrime becomes more commoditized, this excess intrusion capacity is finding its way into cyber espionage kinds of actions and capabilities," says Stephen Ward, senior director of marketing at iSIGHT. "This blurring of lines [also] gives them the ability to mask their attacks around cybercrime" and thus blend in with everyday malware attacks.

The intersection between cybercrime and cyber espionage has been evolving. Greg Hoglund, CEO of the new startup Outlier Security and the former CEO and founder of HBGary, says he has seen several cases of overlap between cyber espionage and cybercrime. "I had one case two years ago where there was a Zeus bot infection, and they [the victim organization] dismissed it as common malware," Hoglund says. "We examined the bot, and it had XLS, DOC, and all types of extensions specially [built] in plugins to grab those intellectual property documents. It was stealing [their] IP."

Microsoft would not elaborate on the new Windows zero-day found in the Sandworm attacks, except to confirm that the vulnerability will be among the patches issued today. "On October 14, as part of our Update Tuesday monthly process, we will release security bulletin MS14-060 to help protect customers," a Microsoft spokesperson said.

iSIGHT's Robinson says the flaw is "extremely easy to recreate," so it wouldn't be difficult for other attackers to exploit it, as well.

Meanwhile, the Sandworm gang has been spotted attempting to steal all types of documents, SSL certificates, code-signing certificates, and user credentials. "We know they were successful with the Ukraine government. The server hosts they used had an intimate knowledge of their [the agency's] internal network already, and they were trying to regain access," Robinson says.

Dune Fans
Interestingly, the Russian hackers' affinity to the Dune science fiction series ultimately exposed them. They included Dune references in the BlackEnergy malware, which allowed the researchers to cross-correlate their command and control and view more of their operations.

Robinson says he and his team also were able to access a public-facing file directory the attackers left wide open, which in turn provided more clues that they were Russian speakers. "They put a lot of references to Dune in their URLs."

Sandworm is not the same Russian cyber espionage gang that's behind the Havex malware. That group, known as Energetic Bear/Dragonfly/Koala, unleashed attacks this year against US and other Western energy and oil operators by planting Trojan-rigged software updates on the websites of the targeted organizations' industrial control system (ICS) software vendors. Energetic Bear also is associated with attacks on pharmaceutical, construction, education, and IT firms, mainly in the US, Spain, Japan, Germany, France, Italy, Turkey, Ireland, Poland, and China.

Unlike Chinese cyber espionage groups, which often are organized by region or industry targets, Russian cyberspy gangs characteristically have a large amount of overlap in their operations.

iSIGHT Partners has posted an FAQ on the attack campaign and the Windows bug here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

Marilyn Cohodas (User Rank: Strategist), 10/14/2014 | 7:39:29 AM
Convergence of cybercrime and cyber espionage
Great reporting, Kelly. Do you think the "blurring of lines" is primarily related to tactics, or do experts see a greater danger of cyberspies and criminals actually teaming up?

Kelly Jackson Higgins (User Rank: Strategist), 10/14/2014 | 7:45:55 AM
Re: Convergence of cybercrime and cyber espionage
So far, they say it's a matter of convenience and availability: the reality that cybercrime groups are buying and selling access to infected machines like currency and there are a lot of surplus bots for sale at "bargain-basement prices," according to Outlier Security's Greg Hoglund as well as other security experts I've spoken to. There have been a few unconfirmed cases of nation-states hiring criminal hackers... I don't know of one firsthand, but experts say such alliances are not out of the realm of possibilities.

Dr.T (User Rank: Ninja), 10/14/2014 | 9:01:55 AM
PowerPoint?
Another smart way of infecting local machines. It is very common and we all open PowerPoint and run it; that can most likely trigger a download or installation on the local machine without user confirmation. Hopefully Microsoft can come up with more real-time update strategies to get beyond these types of problems to keep us safe.

Dr.T (User Rank: Ninja), 10/14/2014 | 9:03:49 AM
Re: Convergence of cybercrime and cyber espionage
I would think it less of an alliance than a natural convergence.

Dr.T (User Rank: Ninja), 10/14/2014 | 9:08:23 AM
Re: Convergence of cybercrime and cyber espionage
That may mean there is a market emerging; some would hack for fun, but some would expect income out of it. Cross-country hacking strategies are most likely supported by governments and private security firms, where obviously they need to profit from the activities they do.

Kelly Jackson Higgins (User Rank: Strategist), 10/14/2014 | 9:11:54 AM
Re: PowerPoint?
XP is the only version of Windows NOT affected by this bug. One advantage for XP holdovers. ;-)

Brian Bartlett (User Rank: Apprentice), 10/14/2014 | 9:23:06 PM
Re: PowerPoint?
Some of us, I hope, are more paranoid than that. If I didn't ask for it, the message and attachment are nuked long before they land on a machine under my control. Yes, it slows things down by a few minutes but the price of doing business any other way is too high.