Patches released to combat Sandworm malware
Microsoft’s Patch Tuesday has greater relevance than usual this week: it includes a patch for a zero-day vulnerability that has been used to target NATO, some European telecommunications companies and some Polish energy sector companies.
The vulnerability was originally discovered on September 3rd by a company called iSight Partners. The hackers were using a spear phishing technique involving a PowerPoint document. A weakness in the OLE package manager on Microsoft Windows and Windows Server is used to download external files (such as INF files) from malicious sources. The attacker can craft a file and use it to execute commands on the victim’s computer.
Figure A illustrates the Sandworm team and known targets.
According to iSight, Microsoft was informed of the vulnerability in September. Announcement of the vulnerability was delayed until a patch was available. The vulnerability (known as CVE-2014-4114) has been dubbed “Sandworm”, due to various references to Frank Herbert’s Dune novel being found in the malware code.
iSight have called the creators of Sandworm the “Sandworm Team”. The Sandworm team have been operating since around 2009. Rather than use more direct attacks, the Sandworm team prefer to use spear phishing campaigns. They have been observed to use events such as the recent Ukraine conflict to lure users into opening infected emails.
Fortunately, the exploit is largely unknown. iSight says that “it appears that its existence was little known and the exploitation was reserved to the Sandworm team.” The patch made available today by Microsoft fixes the vulnerability. Microsoft has also published workarounds under Security Bulletin MS14-060 for organisations that cannot patch immediately. Note that Windows XP is not affected by this exploit.
Whilst exploitation of this vulnerability has so far been limited, today’s patch release amounts to public disclosure. It is recommended that the patches be applied as soon as practicable, and/or the workaround measures detailed by Microsoft be put into place. Email filtering should be used to quarantine suspected spear phishing attachments.
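The attack chain above hinges on a PowerPoint document whose OLE package points at a file on an external source. One defender-side check that an email filter can apply is to look inside the attachment (an OOXML .pptx is a zip of XML parts) for OLE object relationships whose target is external, and to raise the severity when that target is an INF file. The following Python is an added example written for this article; it is not code from iSight, Microsoft or the original post. It assumes the standard OOXML relationship layout (`ppt/slides/_rels/*.rels` with `Relationship` elements carrying `Type`, `Target` and `TargetMode`), and the sample package it scans is constructed inline with a placeholder target, not a real malicious document. The extra extensions beyond `.inf` in `SUSPICIOUS_EXTS` are an assumption about what a filter would also want to catch, not something the article states.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML namespaces (public ECMA-376 values, not page-specific).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")

# The article names INF files; the others are an assumed extension of the check.
SUSPICIOUS_EXTS = (".inf", ".exe", ".dll", ".scr")


def scan_pptx(data: bytes) -> list:
    """Return findings for OLE relationships that resolve to an external target.

    Each finding is a dict with the .rels part name, the target string and a
    human-readable reason. A .rels part that fails to parse is reported too,
    since a filter should not silently pass what it cannot inspect.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                findings.append({"part": name, "target": None,
                                 "reason": "unparseable relationships part"})
                continue
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != OLE_REL_TYPE:
                    continue
                # Embedded objects default to Internal; only External ones
                # cause the OLE packager to fetch content from elsewhere.
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                target = rel.get("Target", "")
                reason = "external OLE object target"
                if target.lower().endswith(SUSPICIOUS_EXTS):
                    reason += " with INF/executable extension"
                findings.append({"part": name, "target": target, "reason": reason})
    return findings


def build_sample_pptx(external: bool) -> bytes:
    """Constructed minimal package for testing; contains no real OLE payload."""
    if external:
        # Placeholder external target (constructed; example.invalid is reserved).
        rel = (f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
               'Target="\\\\example.invalid\\share\\setup.inf" TargetMode="External"/>')
    else:
        # A normally embedded object: internal target, no TargetMode attribute.
        rel = (f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
               'Target="../embeddings/oleObject1.bin"/>')
    rels = (f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{REL_NS}">{rel}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("ppt/slides/slide1.xml", '<?xml version="1.0"?><sld/>')
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for label, pkg in (("benign", build_sample_pptx(False)),
                       ("suspicious", build_sample_pptx(True))):
        print(label, scan_pptx(pkg))
```

An external OLE link is not proof of malice on its own (linked objects exist in legitimate documents), so the sensible policy for a mail gateway is to quarantine on any finding and let an analyst release false positives, rather than to block outright or to pass silently.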