cyber espionage group has gained media attention by exploiting a Zero-day vulnerability in Microsoft’s Windows operating system to spy on the North Atlantic Treaty Organization (NATO), Ukrainian and Polish government agencies, and a variety of sensitive European industries over the last year.
ZERO-DAY VULNERABILITY IN MICROSOFT WINDOWS
Researchers at cyber intelligence firm iSight Partners have discovered a zero-day vulnerability that impacts desktop and server versions of Windows, from Vista and Server 2008 to current versions. They also uncovered a latest cyber-spying campaign - suspected to be based in Russia - that uses this Zero-day vulnerability (CVE-2014-4114) to target government leaders and institutions for nearly five years.
The recently detected Russian hacking group is dubbed as "Sandworm Team" by iSIGHT Partners because it found references to the Frank Herbert's "Dune" science fiction series in the malicious software code used by the Russian hackers.
THE NOTORIOUS ZERO-DAY
The zero-day vulnerability is "An exposed dangerous method vulnerability exists in the OLE package manager in Microsoft Windows and Server" that "allows an attacker to remotely execute arbitrary code," according to the report.
"The vulnerability exists because Windows allows the OLE packager (packager .dll) to download and execute INF files," iSight Partners writes. "In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packagers allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources. This will cause the referenced files to be downloaded in the case of INF files, to be executed with specific commands."
The Russian hacking group is probably working for the government and has been active since at least 2009 and, according to iSight Partners, the cyber espionage campaign is still ongoing.
The intelligence firm began monitoring the hackers’ activity in late 2013 and discovered the zero-day vulnerability in late August. It "discovered a spear-phishing campaign targeting the Ukrainian government and at least one United States organization" during the NATO summit in Wales, where member states discussed Russia’s actions in Ukraine.
"On September 3rd, our research and labs teams discovered that the spear-phishing attacks relied on the exploitation of a zero-day vulnerability impacting all supported versions of Microsoft Windows (XP is not impacted) and Windows Server 2008 and 2012," iSight writes.
"A weaponized PowerPoint document was observed in these attacks. Though we have not observed details on what data was exfiltrated in this campaign, the use of this zero-day vulnerability virtually guarantees that all of those entities targeted fell victim to some degree."
MICROSOFT TO RELEASE PATCH SOON
The threat intelligence firm said it reported the critical zero-day vulnerability to the Microsoft Corp. and held off on disclosing the problem so that the software maker had time to fix the flaw.
Microsoft plans to release a patch for the vulnerability on Tuesday patch in security bulletin MS14-060, as part of its monthly “Patch Tuesday” — an organized release of patches to vulnerabilities in the company’s software. A Microsoft spokesman said the company plans to roll out an automatic update to the affected versions.