A vulnerability which affects all versions of Microsoft Windows is being used in a Russian cyber-espionage campaign which targets NATO, the European Union and critical sectors.
According to research by iSIGHT Partners the vulnerability, which impacts all supported versions of Microsoft Windows and Windows Server 2008 and 2012, and a patch will be made available today. The research found that exploitation of the vulnerability was discovered in the wild in connection with a cyber-espionage campaign that iSIGHT Partners attributed to Russia. When exploited, the vulnerability allows an attacker to remotely execute arbitrary code.
Named Sandworm, iSIGHT Partners said it is actively monitoring multiple intrusion teams with differing missions, targets and attack capabilities. “We are tracking active campaigns by at least five distinct intrusions teams,” it said.
“We are attributing this particular cyber espionage campaign to a different intrusion team that iSIGHT has dubbed ‘Sandworm Team’ based on its use of encoded references to the science fiction series Dune in command and control URLs and various malware samples.
“iSIGHT Partners has been monitoring the Sandworm Team’s activities from late 2013 and throughout 2014 – the genesis of this team appears to be around 2009. The team has recently used multiple exploit methods to trap its targets including the use of BlackEnergy crimeware, exploitation of as many as two known vulnerabilities simultaneously, and this newly observed Microsoft Windows zero-day.”
The company claimed that while it has not observed details on what data was exfiltrated in this campaign, it said that the use of this zero-day vulnerability virtually guarantees that all of those entities who were targeted, fell victim to some degree.
Research by F-Secure, who named the group “Quedagh”, said it has a history of targeting political organisations and it suspected that they were involved in attacks launched against Georgia in 2008.
Gavin Millard, EMEA technical director at Tenable Network Security, said: “Whilst the technical detail of the Sandworm vulnerability has thankfully been held back until the patch was ready from Microsoft, if the descriptions of the bug are accurate it could be a major attack vector for hackers to infiltrate corporate systems for further exploitation and exfiltration of confidential information.
“What’s most interesting with Sandworm is not the attack vector itself but the lack of detection of subsequent indicators of compromise in the organisations allegedly affected by it. The need to continuously monitor the environment to detect malicious activities and indicators of misuse is paramount to defend against this or any other zero day exploit.”
