A zero-day vulnerability affecting all supported versions of Microsoft Windows and Windows Server 2008 and 2012 has been discovered and announced today by iSIGHT Partners in collaboration with Microsoft. A patch will be made available for the vulnerability on Tuesday, October 14.
Exploitation of CVE-2014-4114 has reportedly been observed in the wild in connection with a cyber espionage campaign that iSIGHT Partners attributes to Russia. The zero-day is claimed to have been in use as early as September, when the attackers used the exploit to infect victims via malicious attachments, primarily PowerPoint files.
Although the attackers used PowerPoint as their attack vector, the vulnerability itself is in the OLE package manager in Microsoft Windows and Windows Server. The OLE packager (packager.dll) is able to download and execute external files such as INF files, allowing the attacker to execute commands.
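As an added illustration of the packager detail above (this is not code from iSIGHT's report or the original article): a .pptx file is a zip of XML parts, and each slide's relationship part (`ppt/slides/_rels/slideN.xml.rels`) records where an embedded OLE object lives. A benign packager object points inside the archive, while one whose relationship resolves to an external UNC share is the pattern a mail gateway or triage script can flag. The host, share and file names below are constructed placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def external_ole_targets(pptx_bytes: bytes) -> list:
    """Return (rels_part, target) pairs for OLE objects that resolve outside the file.

    A benign embedded object is stored inside the package (Target like
    ../embeddings/oleObject1.bin, no TargetMode). An OLE relationship marked
    TargetMode="External", or any external target on a UNC path (\\\\host\\share),
    means the packager object is being told to fetch content from elsewhere.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("ppt/slides/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.findall(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                external = rel.get("TargetMode") == "External"
                if external and (rel.get("Type") == OLE_REL or target.startswith("\\\\")):
                    hits.append((name, target))
    return hits


def build_sample_pptx(relationships: list) -> bytes:
    """Build a minimal, constructed PPTX-like zip holding one slide .rels part.

    `relationships` is a list of (Type, Target, TargetMode-or-None) tuples.
    This is a test fixture for the scanner above, not a real Office document.
    """
    rels = ET.Element(f"{{{REL_NS}}}Relationships")
    for i, (rtype, target, mode) in enumerate(relationships, 1):
        attrs = {"Id": f"rId{i}", "Type": rtype, "Target": target}
        if mode:
            attrs["TargetMode"] = mode
        ET.SubElement(rels, f"{{{REL_NS}}}Relationship", attrs)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", ET.tostring(rels))
    return buf.getvalue()
```

Ordinary hyperlinks are also stored as external relationships, so the scanner keys on the OLE relationship type and UNC targets rather than on TargetMode alone.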
Known targets of the group exploiting the vulnerability include:
- Ukrainian government organizations
- Western European government organization
- Energy Sector firms (specifically in Poland)
- European telecommunications firms
- United States academic organizations
It is being reported that Sandworm’s goal is gaining access to documents and intelligence regarding Ukraine and Russia amongst other information, as well as seeking SSL keys and code-signing certificates.
iSIGHT claims the campaigns go back to December 2013, when the NATO alliance was targeted by the group. Other firms, such as F-Secure and ESET, have also researched the same group and found it using a tool called Black Energy, a spam and bank fraud utility used to compromise systems and steal data.
The group has also reportedly used at least five other, older vulnerabilities in its attacks, often chaining exploits as it moves through networks.
So far the zero-day has been exploited through PowerPoint or other malicious attachments. There is no indication that the initial attack vector is remote, so it relies on social engineering or similar tactics to get a victim to open a file carrying the malicious code.