This article is more than 1 year old

Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'

Fix imminent from Microsoft for Vista, Server 2008, other stuff

Russians hackers have exploited a zero-day vulnerability in Microsoft Windows to hijack and snoop on PCs and servers used by NATO and the European Union, says security biz iSight.

The software flaw is present in desktop and server flavors of the Redmond operating system, from Vista and Server 2008 to current versions. No patch for the hole exists yet, but is expected to be fixed in today's Patch Tuesday update from Microsoft.

iSight has dubbed the vulnerability (CVE-2014-4114) “SandWorm”, and this one looks to be as terrible as Shai-Hulud in full cry: the security biz says the hole was “used in [a] Russian cyber-espionage campaign targeting NATO, European Union, Telecommunications and Energy sectors.”

According to iSight, “an exposed dangerous method vulnerability [CVE-2014-4114] exists in the OLE package manager in Microsoft Windows and Server” that “allows an attacker to remotely execute arbitrary code.”

“The vulnerability exists because Windows allows the OLE packager (packager .dll) to download and execute INF files,” iSight writes. “In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packagers allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources.”

“This will cause the referenced files to be downloaded in the case of INF files, to be executed with specific commands”.

Sandworm vulnerability logo

Help me, Obi Wan Muad'Dib, you are my only hope.

iSight says it spotted the flaw while analysing “Tsar Team”, a group of chaps suspected of being Russian cyber-espionage operatives, and in late August “discovered a spear-phishing campaign targeting the Ukrainian government and at least one United States organization” during the NATO summit on the Ukraine crisis staged in Wales.

“On September 3rd, our research and labs teams discovered that the spear-phishing attacks relied on the exploitation of a zero-day vulnerability impacting all supported versions of Microsoft Windows (XP is not impacted) and Windows Server 2008 and 2012,” iSight writes.

“A weaponized PowerPoint document was observed in these attacks.”

“Though we have not observed details on what data was exfiltrated in this campaign, the use of this zero-day vulnerability virtually guarantees that all of those entities targeted fell victim to some degree.”

iSight says it contacted all the impacted parties and has since worked with Microsoft on a fix that should land today.

And in case you're wondering about the name and the Dune reference in the logo, iSight says the exploit's code contains several references to Frank Herbert's classic. ®

More about


Send us news

Other stories you might like