Russian hackers exploit Windows zero-day flaw to target Ukraine, US organizations

The vulnerability allows for arbitrary code execution and affects many versions of Windows and Windows Server

A cyberespionage group operating out of Russia has launched malware attacks against the Ukrainian government and at least one U.S.-based organization through a previously unknown vulnerability that affects most versions of Windows.

The group, which has been dubbed the Sandworm team, has been actively attacking organizations like the NATO alliance, energy firms and telecommunication companies since 2013, but its latest campaign leveraging the new Windows zero-day flaw was identified in late August by researchers from security firm iSight Partners.

The company made some of its findings public early Tuesday in coordination with Microsoft, which plans to release a patch for the vulnerability later in the day.

The attack used spear-phishing emails containing a malicious PowerPoint document that was created to exploit the new vulnerability. The campaign coincided with the NATO summit in Wales that focused on the conflict in Ukraine, the iSight researchers said in a blog post.

"Though we have not observed details on what data was exfiltrated in this campaign, the use of this zero-day vulnerability virtually guarantees that all of those entities targeted fell victim to some degree," the researchers said.

After the exploit was shared with Microsoft in early September, it was determined that the vulnerability is located in the Object Linking and Embedding (OLE) package manager and that it affects all versions of the Windows operating system from Vista Service Pack 2 to Windows 8.1, as well as Windows Server 2008 and 2012.

"The vulnerability exists because Windows allows the OLE packager (packager.dll) to download and execute INF files," the iSight researchers said. "In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packager allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources."

Attackers can leverage this vulnerability to execute arbitrary code, but they first need to trick users into opening a specially crafted file by using social engineering techniques, something that was observed in this campaign.
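As a defensive triage aid for the behavior the researchers describe, the following added example (not from iSight, Microsoft or the original article) flags embedded objects in a PowerPoint container that reference a remote INF file. It assumes the zip-based PowerPoint format with embedded objects stored under an `embeddings/` folder; the function names, the regular expression and the sample data are constructed for illustration.

```python
import io
import re
import zipfile

MAX_PART = 16 * 1024 * 1024  # skip oversized parts (zip-bomb guard)

# UNC path or http(s) URL ending in ".inf", as printable ASCII bytes.
REMOTE_INF = re.compile(rb"(?:\\\\[\w.-]+\\|https?://)[\x20-\x7e]{1,200}?\.inf(?!\w)", re.I)

def find_remote_inf_refs(doc_bytes):
    """Return sorted (part, reference) pairs for embedded objects in an
    OOXML container that mention a remote .inf file."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for info in zf.infolist():
            if "/embeddings/" not in info.filename.lower() or info.file_size > MAX_PART:
                continue
            data = zf.read(info)
            # Second view drops NUL bytes so UTF-16LE text is also matched (heuristic).
            for view in (data, data.replace(b"\x00", b"")):
                for m in REMOTE_INF.finditer(view):
                    hits.add((info.filename, m.group().decode("ascii")))
    return sorted(hits)

def build_sample(parts):
    """Constructed test container: a zip holding the given part names and bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, blob in parts.items():
            zf.writestr(name, blob)
    return buf.getvalue()

# Constructed samples (not real documents, not taken from the campaign).
SUSPECT = build_sample({
    "ppt/embeddings/oleObject1.bin": b"\x02\x00Package\x00" + rb"\\198.51.100.7\share\setup.inf" + b"\x00",
    "ppt/embeddings/oleObject2.bin": r"\\files.example\drop\x.inf".encode("utf-16-le"),
})
BENIGN = build_sample({"ppt/embeddings/oleObject1.bin": rb"C:\Users\a\notes.inf"})

if __name__ == "__main__":
    for part, ref in find_remote_inf_refs(SUSPECT):
        print(part, ref)
```

A hit is a reason to quarantine the attachment for analysis, not proof of exploitation; a local path such as the one in `BENIGN` is not flagged.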

"Although the vulnerability impacts all versions of Microsoft Windows -- having the potential to impact an enormous user population -- from our tracking it appears that its existence was little known and the exploitation was reserved to the Sandworm team," the iSight researchers said. Nevertheless, Windows administrators should apply the patch "as soon as humanly possible" once it becomes available, as the flaw has potential to be exploited by other attackers, the researchers said.

"Whilst the technical detail of the Sandworm vulnerability has thankfully been held back until the patch was ready from Microsoft, if the descriptions of the bug are accurate it could be a major attack vector for hackers to infiltrate corporate systems for further exploitation and exfiltration of confidential information," said Gavin Millard, EMEA technical director at Tenable Network Security, via email. "When zero day exploits associated with common file formats are exposed, malware to take advantage of it quickly follows."


Lucian Constantin

IDG News Service