Microsoft Fixes Zero-Day Flaws Used In Targeted Attack Campaigns
Microsoft is addressing several dangerous zero-day vulnerabilities tied to cyberespionage campaigns, including one exploit uncovered by security consultancy iSIGHT Partners and attributed to a Russia-based group the firm calls Sandworm.
The Sandworm Team has targeted individuals at NATO, Ukrainian government organizations, Western government organizations and academic organizations in the U.S. since 2013, according to iSIGHT Partners. The group uses spearphishing emails carrying malicious PowerPoint attachments to exploit the flaw, which affects all supported versions of Microsoft Windows, including Windows Server 2008 and 2012.
"The application of this patch should be done as soon as humanly possible given the potential for further exploitation by this cyber espionage team and others in the threat actor community," the consultancy said, calling the vulnerability dangerous.
The Sandworm name comes from the group's use of encoded references to the classic science fiction series Dune in its command-and-control URLs and in various malware samples, iSIGHT said. In August at least one organization in the U.S. was targeted by the group. Some of the group's campaigns were also identified by researchers at antivirus vendors F-Secure and ESET. Russia has been linked to other attacks earlier this year amid rising political tension between the country and the West; a German security firm uncovered a rootkit it said was used by a Russian group against U.S. organizations and their allies.
Two other zero-day vulnerabilities were used in limited, targeted attacks against some major corporations, according to FireEye, which detected exploits for both. Both flaws lie in the Windows kernel, FireEye said.
The first is a flaw in Windows TrueType font processing that can be triggered by a malicious Office document; it affects Windows XP, Windows 7, 8 and 8.1, as well as Windows Server 2008 and 2012. The second is a local privilege escalation flaw that could be used as one stage of a multi-stage attack to gain system-level privileges after an initial foothold. It affects Windows 7, Vista, XP, Windows 2000, Windows Server 2003 and 2008, FireEye said.
"We have no evidence of these exploits being used together. Instead, we have only observed each exploit being used separately, in unrelated attacks," FireEye said.
Security and vulnerability experts at solution providers say organizations need to assess the risk posed by these threats carefully to determine how quickly the Microsoft patches should be applied. Interest in security products, including those designed to detect advanced threats, is rising amid the litany of high-profile data breaches and targeted attacks researchers have documented over the last several years. Patching best practices should still be followed, including testing updates before pushing them out to the production environment, said Ross Barrett, senior manager of security engineering at vulnerability management vendor Rapid7.
"The average system administrator or home users should not panic about Sandworm," Barrett said. "It's not like Heartbleed or ShellShock, where an attacker could just 'do' this to a vulnerable system. An attacker needs to launch a multi-stage attack to take advantage of this vulnerability."
The vulnerabilities were fixed as part of Microsoft's October Patch Tuesday security updates, in which the company issued eight security bulletins, three rated critical and five rated important. The updates addressed 24 vulnerabilities across the company's portfolio.
The October bulletins include a critical update to Internet Explorer fixing 14 browser vulnerabilities and a critical fix for three flaws in the Microsoft .NET Framework. Bulletins rated "important" address issues in Microsoft Windows, Office and the Message Queuing Service.
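Because the fixes above ship as ordinary Windows updates, the practical question for an administrator is which machines in the fleet still lack them after the staged rollout Barrett describes. The following PowerShell script is an added example written for this article, not Microsoft's, iSIGHT's or FireEye's own tooling; it queries each host for the KB numbers you supply (take them from the October bulletins, since the article does not list them) and reports any that are missing. The computer names and the `-KB` parameter values are assumptions you fill in for your own environment.

```powershell
<#
.SYNOPSIS
  Report which hosts are missing a given set of Windows updates.
.EXAMPLE
  .\Check-Patch.ps1 -ComputerName srv01,srv02 -KB <KB IDs from the October bulletins>
#>
param(
    # Hosts to check; assumed names, replace with your own inventory.
    [Parameter(Mandatory)] [string[]] $ComputerName,
    # KB identifiers to verify, e.g. the ones listed in the bulletins you are deploying.
    [Parameter(Mandatory)] [string[]] $KB
)

$results = foreach ($host in $ComputerName) {
    try {
        # Get-HotFix reads the installed-updates list over WMI/DCOM; needs admin rights on the target.
        $installed = Get-HotFix -ComputerName $host -ErrorAction Stop |
                     Select-Object -ExpandProperty HotFixID
        foreach ($id in $KB) {
            [pscustomobject]@{
                Computer  = $host
                KB        = $id
                Installed = ($installed -contains $id)
            }
        }
    } catch {
        # An unreachable host is a finding too: it cannot be confirmed patched.
        foreach ($id in $KB) {
            [pscustomobject]@{ Computer = $host; KB = $id; Installed = $null }
        }
        Write-Warning "Could not query $host : $($_.Exception.Message)"
    }
}

# Hosts where any requested update is missing or unknown come first.
$results | Sort-Object Installed, Computer | Format-Table -AutoSize
$missing = $results | Where-Object { $_.Installed -ne $true }
if ($missing) {
    Write-Output ("{0} host/KB pairs still need attention." -f $missing.Count)
    exit 1
}
Write-Output "All requested updates present on all hosts."
```

Run it from a management workstation after each deployment wave; a non-zero exit code lets it gate a scheduled job. Note that a superseding cumulative update can replace an older KB, so if a later bulletin rolls the fix into a new package you should check for the newer KB rather than the original one.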