iSIGHT discovers vulnerability used in Russian cyber-espionage campaign (opens in new tab)

(isightpartners.com)

179 pointsnikentic11y ago73 comments

73 comments

The article is filled with fluff about iSIGHT and they buried the lead. Here are the high level details they posted:

* An exposed dangerous method vulnerability exists in the OLE package manager in Microsoft Windows and Server (Vista SP2 to Windows 8.1, Windows Server versions 2008 and 2012)

* When exploited, the vulnerability allows an attacker to remotely execute arbitrary code

* The vulnerability exists because Windows allows the OLE packager (packager .dll) to download and execute INF files. In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packagers allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources.

* This will cause the referenced files to be downloaded in the case of INF files, to be executed with specific commands * An attacker can exploit this vulnerability to execute arbitrary code but will need a specifically crafted file and use social engineering methods (observed in this campaign) to convince a user to open it

TL;DR - A vulnerability exists in INF processing and untrusted, 3rd party INF files can be included by PowerPoint files. This is not a worm.

Also these little gems:

> Further information will be provided in a live briefing to any interested parties on Thursday, October 16th at 2:00...

> iSIGHT is making available a broader technical report – inclusive of indicators – through a formal vetting process.

Fuck you iSIGHT. This is being used in the wild and a patch has been released. Post the details publicly. This isn't responsible disclosure, this is PR and lead gen.

metafex11y ago

It is marketing at it's finest: create fear and uncertainty and have a product ready to ease the pain (even though it won't likely help in any way).

BinaryMn11y ago

Hijacking the top comment for relevance and visibility.

Seeing how all of the other articles about this exploit are basically regurgitating iSight's announcement, I thought I'd provide something a little bit more useful.

https://www.virustotal.com/en/file/70b8d220469c8071029795d32...

rip74711y ago

honestly, there needs to be a blacklist for companies that do these sort of things and iSIGHT needs to be on it.

dang11y ago

If someone can suggest a more neutral and accurate version of the story, we can change the URL.

tfgg11y ago

Is it me or is the linked article remarkably content free given the about of security babble it contains? The nice aspect of the Heartbleed branding was its simple and clear message, not having opaque sentences such as "Visibility into this campaign indicates targeting across the following domains" and self serving platitudes such as "As part of our normal cyber threat intelligence operations, iSIGHT Partners is tracking a growing drum beat of cyber espionage activity out of Russia."

edit: The meat of the vulnerability is in the "Working with Microsoft, we discovered the following" section, over halfway down the page.

viraptor11y ago

I guess it is actually about the context in this case, not about the issue itself. Exploits via outlook and office existed for a long time. This is hardly something new. Targeting a specific region / company / group of people, based on politics, without spamming everyone in the world with this vulnerability is a relatively new thing. It looks like they really did want to stay hidden for a long time.

rasz_pl11y ago

You wont get far spamming random people with PowerPoint vulnerability. It is entirely possible they simply targeted most likely PP users first.

metafex11y ago

It says basically nothing. It gives a CVE (for which no information is available) and says the exploit was used with PowerPoint documents, that's it.

Igglyboo11y ago

This might just be anti-microsoft bias but I think the thing here is that with a Windows vuln you can't see the source code so you really have no idea how severe the vuln is, the people who find it can simply make shit up with no one able to call them out other than Microsoft. Also maybe the average windows user will be less tech savy than a linux user and fall prey to scare tactics like these.

guardian5x11y ago

The "average windows user" will not even read this. Nevertheless there are many tech savvy windows users in absolute numbers.

1 more reply

userbinator11y ago

but will need a specifically crafted file and use social engineering methods (observed in this campaign) to convince a user to open it

What's next, "Zero-day Impacting All Versions of All Operating Systems - allows users to download and execute arbitrary code"? I suppose if you're a fan of user-hostile walled-garden trusted-computing models you might consider that a vulnerability, but I think it's safe to assume that most people consider the ability to "download and execute arbitrary code" to be a very useful and fundamental feature of an OS.

from Vista SP2 to Windows 8.1

I'm curious if this "vulnerability" also exists in XP.

personZ11y ago

The exploit seems to leverage PowerPoint files which are generally considered safe, and thus are allowed through mail systems and most normal good-practice behaviors. It uses a sideband exploit that allows PowerPoint to download and execute arbitrary content via a system service.

That is absolutely an exploit, similar to if I linked to an imgur jpeg that actually ran a trojan on your machine.

Anderkent11y ago

Kinda depends under what level of privilege the code runs.

Also secure environments often strip down the ability to download and run arbitrary code, but might still allow theoretically-data-only formats to be downloaded and opened (such as .ppt files), in which case this is definitely relevant.

omh11y ago

I'm curious if this "vulnerability" also exists in XP

I was curious as well. Elsewhere the article says it's not vulnerable:

...a zero-day vulnerability impacting all supported versions of Microsoft Windows (XP is not impacted)

Are there any significant Windows vulnerabilities for XP since the EOL? I was waiting for the first one that isn't patched, will be interesting to see how the bad guys use it.

melchebo11y ago

XP Embedded is still a supported operating system. This CVE applies to all of those. So, yes.

sauere11y ago

Don't forget to spice up your report with "THE RUSSIANS DID IT!!!!!!!!!!111!1".

sauere11y ago

How does

> When exploited, the vulnerability allows an attacker to remotely execute arbitrary code

go along with

> [...] will need a specifically crafted file and use social engineering methods (observed in this campaign) to convince a user to open it [...]

Is this a fucking joke? Looks like some company just want to push their name out there and get some free media exposure.

csandreasen11y ago

From the article: The vulnerability exists because Windows allows the OLE packager (packager .dll) to download and execute INF files. In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packagers allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources.

So the process is initiated through a spearphish, and when the file is opened the vulnerability causes the system to download additional code and execute it.

coldpie11y ago

Hey! I implemented that DLL in Wine! :) Doesn't currently parse INF files, heh.

gipsies11y ago

Calling it remotely exploitable indeed seems misleading. A lot of the article is just fluf without real content.

1 more reply

ultramancool11y ago

Yeah, it seems this is nothing more than yet another Microsoft Office bug (PowerPoint this time) which can be used for an email worm.

I think they're trying to get on the Heartbleed and Shellshock bandwagon by trying to get a name all over the media for a fairly minor exploit.

androidb11y ago

Can't believe they designed a logo especially for this worm (and gave a fancy name). There's apparently a marketing campaign in vulnerability discoveries too.

daeken11y ago

This is brand new. After Heartbleed, people realized that branding vulnerabilities is great for driving business. A year ago, this was unheard of.

monstermonster11y ago

Yes. This absolutely fucking sickens me. It instantly gives news agencies an excuse to pick up every little hole and scare all the mortals into submission.

Security has become a marketing and media circus now which in turn desensitizes people to real concerns and rational thought.

4 more replies

regularfry11y ago

It was never quite this overt, but giving cute names to viruses goes back a long way.

3rd311y ago

It also helps spreading the news and thus fixing the problem.

1 more reply

MichaelGG11y ago

At least Heartbleed and Shellshock made sense. Sandworm is just trying to play up fear for a boring not-really-remote vuln. And, the vulnerability is not a worm. It's shitty marketing.

josefresco11y ago

In defense of "branding" vulnerabilities ... Heartbleed was the first instance where "normal" people were asking me if I had heard about it and if it effected me/my business.

Attribution and PR aside, branding these helps educate the public and give them something tangible to call it/discuss.

bshimmin11y ago

And it really makes life easier when you have to explain downtime to your clients, who are often "normal people" and won't understand what SSL is but will have seen Heartbleed on the news and will probably remember it when you say the name. (I'm not sure Shellshock got quite the same coverage, but maybe I'm wrong there.)

wjk11y ago

And their map suggests that poland is in the middle of russia. What the hell.

Robin_Message11y ago

It looks like a sandworm from the computer games and shitty [1] film adaption of the Dune series by Frank Herbert [2].

[1] The games were great, if unrelated to the story. The film is ridiculous and uses the books merely as backdrop.

[2] Pedantic I know, but the books had pictures on the covers that showed exactly what a sandworm should look like – e.g. visible crystal teeth of a size that could be made into a dagger (a crysknife) and a hot furnace behind – not three weird flaps around a dark mouth.

bhouston11y ago

Yeah, I think they do this because if they can make a catchy name and logo, it becomes the focus of the media and I think they must pull in like a million hits or more to these articles. That is valuable if you have something to sell.

I think that soon there will be multiple names for each new vulerability with multiple logo-ed/brand-ed info pages. And then this trend will start to die out.

But for now, you should be worried about the latest Vulnerability[tm].

Graham2411y ago

I wonder if it's someone's job to come up with these titles and logos?

jenscow11y ago

And could you imagine putting the announcement on hold because the designer isn't 100% happy with his work... ?

boobsbr11y ago

A crappy logo.

fooqux11y ago

"On Tuesday, October 14, 2014, iSIGHT Partners – in close collaboration with Microsoft – announced the discovery of a zero-day vulnerability..."

"Over the past 5 weeks, iSIGHT Partners worked closely with Microsoft to track and monitor the exploitation of this vulnerability..."

I'm sorry, I feel you should lose the right to call this a zero day when both you and Microsoft have known not only its existence, but the fact that it's being actively exploited for five freaking weeks. Also, am I the only one that feels this reads as a sensationalist article? I think the phrase "weaponized PowerPoint file" was what ended up pegging my meter, but the fact it's not a worm and barely fits the category of remote code execution helps.

ColinDabritz11y ago

You are right that the usage of the term is confusing in this context. I think it still communicates two critical aspects: First, this is being exploited right now in the wild (and was when it was discovered it sounds like). Second, your windows machines are almost certainly vulnerable right this moment, and you should update immediately.

Perhaps they could have phrased it more clearly, but considering that it sounds like a full exploit on opening a powerpoint document, some alarm is appropriate.

I also think it was a little brash to name it "Sandworm" when it is not, as far as we know, a worm. It certainly has the potential to be used as the key exploit in a worm though.

Mithaldu11y ago

I'm a little annoyed that they called it worm. Malware with the description meant that the software could spread entirely under its own power from machine to machine. This is nothing more than your typical email attachment exploit which is entirely incapable of spreading without human intervention for each attacked host.

ZoF11y ago

I think they're calling the described Russian group 'Sandworm', not this particular CVE.

Cakez0r11y ago

I think another (real) windows zero day will be announced soon. I received an email from Rackspace giving advanced notice that they will be patching all Windows servers to fix a 0day. I'm not sure why they'd take such measures for an exploit involving opening powerpoint files...

Content of the email, for those interested: http://pastebin.com/AZBcQ2DF

sauere11y ago

Pretty sure this is about this CVE.

Cakez0r11y ago

But I expect most servers don't have any software on them related to opening emails or Office files. I would've thought that Rackspace reserves mandatory server hotfixes for only the most serious vulnerabilities (E.G. shellshock).

2 more replies

vesinisa11y ago

> An attacker can exploit this vulnerability to execute arbitrary code but will need a specifically crafted file and use social engineering methods (observed in this campaign) to convince a user to open it

So, it's a remote exploit, but requires the user to open a document.

viraptor11y ago

Maybe I'm reading into details too much, but they never said "open". They said: "specifically when handling Microsoft PowerPoint files". Outlook allows previews of office files and "handling" may be involved even before the presentation is actually opened / previewed. It's just speculation though.

userbinator11y ago

It says "to convince a user to open it" in the description. If a preview was enough to execute, I'd think that is very important point and they'd definitely mention it - I remember distinctly "previews are sufficient" mentioned in the WMF exploit when it first came out.

1 more reply

chillax11y ago

Seems like isightpartners is down atm.

Here are some more details: http://www.tripwire.com/state-of-security/incident-detection...

metafex11y ago

This exploit is delivered with a PowerPoint document, so no remote hole. It's a bit strange, that the reference a CVE (for which no information is available) and just generically describe the campaign and whatnot. The real report though is only available after a registration? That's not really the way things should be done. If there is a threat, inform people about it and don't hide all the stuff.

300bps11y ago

To get the real report you have to give them your work email address and work phone number. The context of why they are asking for that is to make sure you're qualified to receive the information but you can be darned sure that list will make its way to the marketing department.

BogdanCalin11y ago

Technical details (in russian, use Google Translate): http://habrahabr.ru/company/eset/blog/240345/

AshleysBrain11y ago

Use of the exploit in the wild is "attributed to Russia", but I can't see any evidence stated to support that other than "Many of the lures observed have been specific to the Ukrainian conflict with Russia and to broader geopolitical issues related to Russia." Is there actually good evidence to point the finger at Russia? It plays quite nicely in to the Western agenda, so it seems an easy one to play off even if it's rooted only in suspicion.

contingencies11y ago

Remember the poorly animated Dune2 intro cracking on the 286? "The planet Arrakis, known as Dune..." http://www.youtube.com/watch?v=9-2iIq8AyQc

billyhoffman11y ago

Dear security researchers: Please stop taking time to come up with a clever name and a logo for your vulnerability. This is not a marketing event for you or your company. You are disclosing a vulnerability, not promoting your fly-by-night "consulting" company.

Trust me, if the vulnerability is important and has merit, you'll get the street cred among other security researchers and the potential employers that would hire you because of the work you did and your skills.

See Mike Lynn's massively bad RCE vuln in Cisco Routers or Dan Kaminsky's huge DNS vulnerability as examples on disclosing terrible problems with class.

odiroot11y ago

"Energy Sector firms (specifically in Poland)"

This is really worrying. Especially that Poland now tries to break from Russia's energy hegemony.

mrmondo11y ago

mirror: http://www.tripwire.com/state-of-security/incident-detection...

ck211y ago

Is it responsible to announce this the day before all windows systems are auto-patched?

Why not the 15th?

pixl9711y ago

If it is in the wild then it is most responsible to let firms know right now. Now the administrators can choose if they want to block said files until the patch is released.

novaleaf11y ago

TL;DR: Don't open attachments. Didn't we all learn this 15 years ago?

SixSigma11y ago

Obviously I can't confirm if this works but:

> How to embed PowerPoint presentations in your web pages.

> Once you've created the PowerPoint presentation, embedding it on a Web page is as easy as saving it to the Web, grabbing the embed code and pasting it onto your page - no code required. Visitors to your site will then be able to page through the presentation and interact with it directly on your Web page, from within the browser and without having to have PowerPoint installed.

http://www.microsoft.com/web/solutions/powerpoint-embed.aspx

ewoodrich11y ago

That's Powerpoint "Online" which is just a webapp and doesn't actually use the Windows version of Powerpoint with the vulnerability.

einrealist11y ago

I get a white page. (Or is that because I do not use Windows? ;)

Anderkent11y ago

Site's down. cache: http://webcache.googleusercontent.com/search?sourceid=chrome...

observer110111y ago

It seems their site can't handle the load... or is under attack, but either way it seems to be down.

j / k navigate · click thread line to collapse

73 comments

driverdan11y ago

The article is filled with fluff about iSIGHT and they buried the lead. Here are the high level details they posted:

* An exposed dangerous method vulnerability exists in the OLE package manager in Microsoft Windows and Server (Vista SP2 to Windows 8.1, Windows Server versions 2008 and 2012)

* When exploited, the vulnerability allows an attacker to remotely execute arbitrary code

TL;DR - A vulnerability exists in INF processing and untrusted, 3rd party INF files can be included by PowerPoint files. This is not a worm.

Also these little gems:

> Further information will be provided in a live briefing to any interested parties on Thursday, October 16th at 2:00...

> iSIGHT is making available a broader technical report – inclusive of indicators – through a formal vetting process.

Fuck you iSIGHT. This is being used in the wild and a patch has been released. Post the details publicly. This isn't responsible disclosure, this is PR and lead gen.

metafex11y ago

It is marketing at it's finest: create fear and uncertainty and have a product ready to ease the pain (even though it won't likely help in any way).

BinaryMn11y ago

Hijacking the top comment for relevance and visibility.

Seeing how all of the other articles about this exploit are basically regurgitating iSight's announcement, I thought I'd provide something a little bit more useful.

https://www.virustotal.com/en/file/70b8d220469c8071029795d32...

rip74711y ago

honestly, there needs to be a blacklist for companies that do these sort of things and iSIGHT needs to be on it.

dang11y ago

If someone can suggest a more neutral and accurate version of the story, we can change the URL.

tfgg11y ago

edit: The meat of the vulnerability is in the "Working with Microsoft, we discovered the following" section, over halfway down the page.

viraptor11y ago

rasz_pl11y ago

You wont get far spamming random people with PowerPoint vulnerability. It is entirely possible they simply targeted most likely PP users first.

metafex11y ago

It says basically nothing. It gives a CVE (for which no information is available) and says the exploit was used with PowerPoint documents, that's it.

Igglyboo11y ago

guardian5x11y ago

The "average windows user" will not even read this. Nevertheless there are many tech savvy windows users in absolute numbers.

1 more reply

userbinator11y ago

but will need a specifically crafted file and use social engineering methods (observed in this campaign) to convince a user to open it

from Vista SP2 to Windows 8.1

I'm curious if this "vulnerability" also exists in XP.

personZ11y ago

That is absolutely an exploit, similar to if I linked to an imgur jpeg that actually ran a trojan on your machine.

Anderkent11y ago

Kinda depends under what level of privilege the code runs.

omh11y ago

I'm curious if this "vulnerability" also exists in XP

I was curious as well. Elsewhere the article says it's not vulnerable:

...a zero-day vulnerability impacting all supported versions of Microsoft Windows (XP is not impacted)

Are there any significant Windows vulnerabilities for XP since the EOL? I was waiting for the first one that isn't patched, will be interesting to see how the bad guys use it.

melchebo11y ago

XP Embedded is still a supported operating system. This CVE applies to all of those. So, yes.

sauere11y ago

Don't forget to spice up your report with "THE RUSSIANS DID IT!!!!!!!!!!111!1".

sauere11y ago

How does

> When exploited, the vulnerability allows an attacker to remotely execute arbitrary code

go along with

> [...] will need a specifically crafted file and use social engineering methods (observed in this campaign) to convince a user to open it [...]

Is this a fucking joke? Looks like some company just want to push their name out there and get some free media exposure.

csandreasen11y ago

So the process is initiated through a spearphish, and when the file is opened the vulnerability causes the system to download additional code and execute it.

coldpie11y ago

Hey! I implemented that DLL in Wine! :) Doesn't currently parse INF files, heh.

gipsies11y ago

Calling it remotely exploitable indeed seems misleading. A lot of the article is just fluf without real content.

1 more reply

ultramancool11y ago

Yeah, it seems this is nothing more than yet another Microsoft Office bug (PowerPoint this time) which can be used for an email worm.

I think they're trying to get on the Heartbleed and Shellshock bandwagon by trying to get a name all over the media for a fairly minor exploit.

androidb11y ago

Can't believe they designed a logo especially for this worm (and gave a fancy name). There's apparently a marketing campaign in vulnerability discoveries too.

daeken11y ago

This is brand new. After Heartbleed, people realized that branding vulnerabilities is great for driving business. A year ago, this was unheard of.

monstermonster11y ago

Yes. This absolutely fucking sickens me. It instantly gives news agencies an excuse to pick up every little hole and scare all the mortals into submission.

Security has become a marketing and media circus now which in turn desensitizes people to real concerns and rational thought.

4 more replies

regularfry11y ago

It was never quite this overt, but giving cute names to viruses goes back a long way.

3rd311y ago

It also helps spreading the news and thus fixing the problem.

1 more reply

MichaelGG11y ago

At least Heartbleed and Shellshock made sense. Sandworm is just trying to play up fear for a boring not-really-remote vuln. And, the vulnerability is not a worm. It's shitty marketing.

josefresco11y ago

In defense of "branding" vulnerabilities ... Heartbleed was the first instance where "normal" people were asking me if I had heard about it and if it effected me/my business.

Attribution and PR aside, branding these helps educate the public and give them something tangible to call it/discuss.

bshimmin11y ago

wjk11y ago

And their map suggests that poland is in the middle of russia. What the hell.

Robin_Message11y ago

It looks like a sandworm from the computer games and shitty [1] film adaption of the Dune series by Frank Herbert [2].

[1] The games were great, if unrelated to the story. The film is ridiculous and uses the books merely as backdrop.

bhouston11y ago

I think that soon there will be multiple names for each new vulerability with multiple logo-ed/brand-ed info pages. And then this trend will start to die out.

But for now, you should be worried about the latest Vulnerability[tm].

Graham2411y ago

I wonder if it's someone's job to come up with these titles and logos?

jenscow11y ago

And could you imagine putting the announcement on hold because the designer isn't 100% happy with his work... ?

boobsbr11y ago

A crappy logo.

fooqux11y ago

"On Tuesday, October 14, 2014, iSIGHT Partners – in close collaboration with Microsoft – announced the discovery of a zero-day vulnerability..."

"Over the past 5 weeks, iSIGHT Partners worked closely with Microsoft to track and monitor the exploitation of this vulnerability..."

ColinDabritz11y ago

Perhaps they could have phrased it more clearly, but considering that it sounds like a full exploit on opening a powerpoint document, some alarm is appropriate.

I also think it was a little brash to name it "Sandworm" when it is not, as far as we know, a worm. It certainly has the potential to be used as the key exploit in a worm though.

Mithaldu11y ago

ZoF11y ago

I think they're calling the described Russian group 'Sandworm', not this particular CVE.

Cakez0r11y ago

Content of the email, for those interested: http://pastebin.com/AZBcQ2DF

sauere11y ago

Pretty sure this is about this CVE.

Cakez0r11y ago

2 more replies

vesinisa11y ago

So, it's a remote exploit, but requires the user to open a document.

viraptor11y ago

userbinator11y ago

1 more reply

chillax11y ago

Seems like isightpartners is down atm.

Here are some more details: http://www.tripwire.com/state-of-security/incident-detection...

metafex11y ago

300bps11y ago

BogdanCalin11y ago

Technical details (in russian, use Google Translate): http://habrahabr.ru/company/eset/blog/240345/

AshleysBrain11y ago

contingencies11y ago

Remember the poorly animated Dune2 intro cracking on the 286? "The planet Arrakis, known as Dune..." http://www.youtube.com/watch?v=9-2iIq8AyQc

billyhoffman11y ago

See Mike Lynn's massively bad RCE vuln in Cisco Routers or Dan Kaminsky's huge DNS vulnerability as examples on disclosing terrible problems with class.

odiroot11y ago

"Energy Sector firms (specifically in Poland)"

This is really worrying. Especially that Poland now tries to break from Russia's energy hegemony.

mrmondo11y ago

mirror: http://www.tripwire.com/state-of-security/incident-detection...

ck211y ago

Is it responsible to announce this the day before all windows systems are auto-patched?

Why not the 15th?

pixl9711y ago

If it is in the wild then it is most responsible to let firms know right now. Now the administrators can choose if they want to block said files until the patch is released.

novaleaf11y ago

TL;DR: Don't open attachments. Didn't we all learn this 15 years ago?

SixSigma11y ago

Obviously I can't confirm if this works but:

> How to embed PowerPoint presentations in your web pages.

http://www.microsoft.com/web/solutions/powerpoint-embed.aspx

ewoodrich11y ago

That's Powerpoint "Online" which is just a webapp and doesn't actually use the Windows version of Powerpoint with the vulnerability.

einrealist11y ago

I get a white page. (Or is that because I do not use Windows? ;)

Anderkent11y ago

Site's down. cache: http://webcache.googleusercontent.com/search?sourceid=chrome...

observer110111y ago

It seems their site can't handle the load... or is under attack, but either way it seems to be down.

j / k navigate · click thread line to collapse