Russian hackers exploit Windows zero-day flaw to target Ukraine, US organizations

The vulnerability allows for arbitrary code execution and affects many versions of Windows and Windows Server

A cyberespionage group operating out of Russia has launched malware attacks against the Ukrainian government and at least one U.S.-based organization through a previously unknown vulnerability that affects most versions of Windows.

The group, which has been dubbed the Sandworm team, has been actively attacking organizations like the NATO alliance, energy firms and telecommunication companies since 2013, but its latest campaign leveraging the new Windows zero-day flaw was identified in late August by researchers from security firm iSight Partners.

The company made some of its findings public early Tuesday in coordination with Microsoft, which plans to release a patch for the vulnerability later in the day.

The attack used spear-phishing emails containing a malicious PowerPoint document that was created to exploit the new vulnerability. The campaign coincided with the NATO summit in Wales that focused on the conflict in Ukraine, the iSight researchers said in a blog post.

"Though we have not observed details on what data was exfiltrated in this campaign, the use of this zero-day vulnerability virtually guarantees that all of those entities targeted fell victim to some degree," the researchers said.

After the exploit was shared with Microsoft in early September, it was determined that the vulnerability is located in the Object Linking and Embedding (OLE) package manager and that it affects all versions of the Windows operating system from Vista Service Pack 2 to Windows 8.1, as well as Windows Server 2008 and 2012.

"The vulnerability exists because Windows allows the OLE packager (packager.dll) to download and execute INF files," the iSight researchers said. "In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packager allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources."

Attackers can leverage this vulnerability to execute arbitrary code, but will need to trick users to open a specifically crafted file first by using social engineering techniques, something that was observed in this campaign.

"Although the vulnerability impacts all versions of Microsoft Windows -- having the potential to impact an enormous user population -- from our tracking it appears that its existence was little known and the exploitation was reserved to the Sandworm team," the iSight researchers said. Nevertheless, Windows administrators should apply the patch "as soon as humanly possible" once it becomes available, as the flaw has potential to be exploited by other attackers, the researchers said.

"Whilst the technical detail of the Sandworm vulnerability has thankfully been held back until the patch was ready from Microsoft, if the descriptions of the bug are accurate it could be a major attack vector for hackers to infiltrate corporate systems for further exploitation and exfiltration of confidential information," said Gavin Millard, EMEA technical director at Tenable Network Security, via email. "When zero day exploits associated with common file formats are exposed, malware to take advantage of it quickly follows."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags MicrosoftmalwarespywarepatchesExploits / vulnerabilitiesTenable Network SecurityiSight Partners

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Lucian Constantin

Lucian Constantin

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?