So, Microsoft and iSIGHT have uncovered another 0-day vulnerability; this time
it impacts all supported versions of Microsoft Windows, along with Windows Server 2008 and 2012. iSIGHT has detailed in-the-wild exploitation of the vulnerability and points the finger of suspicion at state-sponsored Russian interests. The Dallas-based cybersecurity outfit explained that the campaign (dubbed Sandworm) has been observed targeting Ukrainian government organisations, Polish energy businesses and US academic organisations, as well as NATO itself, and warned that there is an obvious potential for much broader targeting by the same and by new threat actors now that the vulnerability is public.
According to iSIGHT, its researchers have been tracking at least five distinct Russia-based intrusion teams, one of which was built around the use of mobile malware and targeted US and European intelligence communities as well as jihadists and rebels in Chechnya. The Sandworm Team, however, has been active since late 2013 and throughout 2014, targeting victims with lures tied specifically to the Ukrainian conflict via 'traditional' spear-phishing techniques: e-mails carrying malware-laden document attachments. The newly observed Microsoft Windows 0-day is simply the latest weapon to be added to that delivery method.
iSIGHT has seen evidence of the group attacking NATO with other exploits during December 2013, and more recently with spear-phishing attacks during the NATO summit on Ukraine held in Wales. In September it spotted that the spear-phishing attacks had begun to rely on exploitation of this new 0-day vulnerability, which affects all supported versions of Microsoft Windows (from Vista SP2 to Windows 8.1) and Windows Server 2008 and 2012, and which was weaponised as a malicious PowerPoint document. Note the phrase 'supported versions': Windows XP had left extended support in April 2014, so Microsoft neither lists it as affected nor ships a fix for it, and iSIGHT's evidence suggests that XP systems were not targeted with this exploit.
That does not mean using Windows XP is a safe or secure thing to do, only that in this case the attackers did not aim at it, and an unsupported platform that is vulnerable will simply never receive a patch. The episode serves to highlight that every version of Windows is open to exploitation of 0-day vulnerabilities and that those tasked with defending systems and data need to be vigilant at all times, regardless of which version they run.
If you haven't yet applied the last round of patching from Microsoft, which went live last Tuesday, you might want to do so now. A fix for the vulnerability exploited by Sandworm was included in that release, courtesy of the responsible-disclosure process followed by iSIGHT. Over a period of five weeks the company worked with Microsoft to track and monitor the exploitation and to develop a fix. The evidence suggests this worked well: researchers have seen nothing to suggest that the existence of this particular 0-day was known outside the Sandworm Team, and as a result they were the only ones exploiting it prior to the patch. That window is now closing; with the vulnerability disclosed and a patch available, copycat exploitation by other actors is the thing to watch for, and unpatched machines are the ones they will go after.
Tim Erlin, director of risk strategy for security outfit Tripwire, was not surprised by any of this, stating: "It’s simply not surprising that this kind of activity has been going on. Russia, the United States, Britain and others have long histories of very strong and effective spy organizations. There should be little surprise that these groups have continued their missions through the boom of technology." He also admits that "defending against such a targeted attack is extremely difficult" and agrees that "when the attacker is willing to spend significant resources to compromise you specifically, the playing field can be very uneven. As an industry, we tend to focus on the many broad threats that exist, but these kinds of targeted and sophisticated campaigns may actually do more damage."