
iSIGHT discovers vulnerability used in Russian cyber-espionage campaign - nikentic
http://www.isightpartners.com/2014/10/cve-2014-4114/#
======
driverdan
The article is filled with fluff about iSIGHT and they buried the lede. Here
are the high level details they posted:

* An exposed dangerous method vulnerability exists in the OLE package manager in Microsoft Windows and Server (Vista SP2 to Windows 8.1, Windows Server versions 2008 and 2012)

* When exploited, the vulnerability allows an attacker to remotely execute arbitrary code

* The vulnerability exists because Windows allows the OLE packager (packager.dll) to download and execute INF files. In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packager allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources.

* This will cause the referenced files to be downloaded and, in the case of INF files, to be executed with specific commands

* An attacker can exploit this vulnerability to execute arbitrary code but will need a specifically crafted file and use social engineering methods (observed in this campaign) to convince a user to open it

TL;DR - A vulnerability exists in INF processing and untrusted, 3rd party INF
files can be included by PowerPoint files. _This is not a worm._

Also these little gems:

> Further information will be provided in a live briefing to any interested
> parties on Thursday, October 16th at 2:00...

> iSIGHT is making available a broader technical report – inclusive of
> indicators – through a formal vetting process.

Fuck you iSIGHT. This is being used in the wild and a patch has been released.
Post the details publicly. This isn't responsible disclosure, this is PR and
lead gen.

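The mechanism driverdan quotes above (and csandreasen restates further down the thread) is that a Package OLE object inside the document points at a file outside the package, and packager.dll fetches and runs it. One check a mail gateway or triage script can do is to open the Office Open XML zip and look at its relationship parts for oleObject relationships whose TargetMode is "External". The Python below is an added example written for this thread; it is not iSIGHT's or Microsoft's code and not the exploit. The severity heuristic (INF targets and UNC shares rank highest), the verdict policy, the sample packages and the 203.0.113.5 share path are constructed for illustration. It scans every .rels part rather than only slide relationships, so it applies to docx and xlsx packages as well as pptx, which goes beyond the PowerPoint case the article describes.

```python
"""Flag Office Open XML documents whose OLE Package objects reference targets
outside the package (external INF files, UNC shares, URLs).

Added example for the CVE-2014-4114 discussion. The relationship namespace and
type are from the Open Packaging Conventions; the severity ranking and the
block/quarantine policy are assumptions of this example, not from the article.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# Two leading backslashes or slashes, a host, then a separator: \\host\share\...
UNC_RE = re.compile(r"^(\\\\|//)[^\\/]+[\\/]")
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def classify_target(target):
    """Rank an external OLE target (assumed heuristic).

    INF files and UNC paths match the pattern the advisory describes and are
    'high'; any other target that leaves the package is 'medium'.
    """
    t = target.strip()
    if t.lower().endswith(".inf"):
        return "high", "external INF file"
    if UNC_RE.match(t):
        return "high", "UNC share"
    if SCHEME_RE.match(t):
        return "medium", "URL"
    return "medium", "external path"


def scan_package(data):
    """Return one finding per oleObject relationship with TargetMode="External"."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed part; a stricter policy could block here
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("Type") != OLE_REL:
                    continue
                if rel.get("TargetMode", "Internal") != "External":
                    continue  # embedded object inside the zip: not this bug
                target = rel.get("Target", "")
                severity, reason = classify_target(target)
                findings.append({"part": name, "id": rel.get("Id"),
                                 "target": target, "severity": severity,
                                 "reason": reason})
    return findings


def verdict(findings):
    """Gateway decision (assumed policy): block on any high finding,
    quarantine on anything else external, otherwise allow."""
    if any(f["severity"] == "high" for f in findings):
        return "block"
    return "quarantine" if findings else "allow"


def rels_doc(*rels):
    return '<Relationships xmlns="%s">%s</Relationships>' % (REL_NS, "".join(rels))


def build_sample(rels_xml):
    """Construct a minimal PPTX-shaped zip. Constructed test data, not a real
    exploit document: only the relationship part matters to the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        zf.writestr("ppt/slides/slide1.xml",
                    "<p:sld xmlns:p='http://schemas.openxmlformats.org/presentationml/2006/main'/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed samples. 203.0.113.5 is a documentation address, not a real host.
BENIGN = build_sample(rels_doc(
    '<Relationship Id="rId2" Type="%s" Target="../embeddings/oleObject1.bin"/>' % OLE_REL))
SUSPECT = build_sample(rels_doc(
    '<Relationship Id="rId2" Type="%s" Target="\\\\203.0.113.5\\public\\slides.inf" '
    'TargetMode="External"/>' % OLE_REL))
LINKED = build_sample(rels_doc(
    '<Relationship Id="rId2" Type="%s" Target="https://example.invalid/obj.bin" '
    'TargetMode="External"/>' % OLE_REL))

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspect", SUSPECT), ("linked", LINKED)):
        found = scan_package(blob)
        print(label, verdict(found), found)
```

A real deployment would run this on attachments before they reach a client, and would treat the parse failure branch as a block rather than a skip, since an attacker controls the zip. The check only covers the Office Open XML container; the advisory says the flaw is in packager.dll, so legacy binary formats that can carry Package objects would need their own parser.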
~~~
metafex
It is marketing at its finest: create fear and uncertainty and have a product
ready to ease the pain (even though it won't likely help in any way).

------
tfgg
Is it me or is the linked article remarkably content free given the amount of
security babble it contains? The nice aspect of the Heartbleed branding was
its simple and clear message, not having opaque sentences such as "Visibility
into this campaign indicates targeting across the following domains" and self
serving platitudes such as "As part of our normal cyber threat intelligence
operations, iSIGHT Partners is tracking a growing drum beat of cyber espionage
activity out of Russia."

edit: The meat of the vulnerability is in the "Working with Microsoft, we
discovered the following" section, over halfway down the page.

~~~
viraptor
I guess it is actually about the context in this case, not about the issue
itself. Exploits via Outlook and Office existed for a long time. This is
hardly something new. Targeting a specific region / company / group of people,
based on politics, without spamming everyone in the world with this
vulnerability is a relatively new thing. It looks like they really did want to
stay hidden for a long time.

~~~
rasz_pl
You won't get far spamming random people with a PowerPoint vulnerability. It is
entirely possible they simply targeted the most likely PP users first.

------
userbinator
_but will need a specifically crafted file and use social engineering methods
(observed in this campaign) to convince a user to open it_

What's next, "Zero-day Impacting All Versions of All Operating Systems -
allows users to download and execute arbitrary code"? I suppose if you're a
fan of user-hostile walled-garden trusted-computing models you might consider
that a vulnerability, but I think it's safe to assume that most people
consider the ability to "download and execute arbitrary code" to be a very
useful and fundamental feature of an OS.

 _from Vista SP2 to Windows 8.1_

I'm curious if this "vulnerability" also exists in XP.

~~~
personZ
The exploit seems to leverage PowerPoint files which are generally considered
safe, and thus are allowed through mail systems and most normal good-practice
behaviors. It uses a sideband exploit that allows PowerPoint to download and
execute arbitrary content via a system service.

That is absolutely an exploit, similar to if I linked to an imgur jpeg that
actually ran a trojan on your machine.

------
sauere
How does

> When exploited, the vulnerability allows an attacker to remotely execute
> arbitrary code

go along with

> [...] will need a specifically crafted file and use social engineering
> methods (observed in this campaign) to convince a user to open it [...]

Is this a fucking joke? Looks like some company just wants to push its name
out there and get some free media exposure.

~~~
csandreasen
From the article: _The vulnerability exists because Windows allows the OLE
packager (packager.dll) to download and execute INF files. In the case of the
observed exploit, specifically when handling Microsoft PowerPoint files, the
packager allows a Package OLE object to reference arbitrary external files,
such as INF files, from untrusted sources._

So the process is initiated through a spearphish, and when the file is opened
the vulnerability causes the system to download additional code and execute
it.

~~~
coldpie
Hey! I implemented that DLL in Wine! :) Doesn't currently parse INF files,
heh.

------
androidb
Can't believe they designed a logo especially for this worm (and gave a fancy
name). There's apparently a marketing campaign in vulnerability discoveries
too.

~~~
daeken
This is brand new. After Heartbleed, people realized that branding
vulnerabilities is great for driving business. A year ago, this was unheard
of.

~~~
monstermonster
Yes. This absolutely fucking sickens me. It instantly gives news agencies an
excuse to pick up every little hole and scare all the mortals into submission.

Security has become a marketing and media circus now which in turn
desensitizes people to real concerns and rational thought.

~~~
jenscow
I do see your point, however sometimes it is a good thing to let everyone know
about it, so they're able to do something about it.

For example, my manager even heard about "shell shock" and prompted me to do
something about it. Although, it was over a week after the outbreak, and we'd
already established we weren't vulnerable (applied the patch anyway) - but
even so!

~~~
monstermonster
Yes, at least 20 of our clients phoned up about this as well, which is funny
because we don't have any Linux machines at all.

------
TheCraiggers
"On Tuesday, October 14, 2014, iSIGHT Partners – in close collaboration with
Microsoft – announced the discovery of a zero-day vulnerability..."

"Over the past 5 weeks, iSIGHT Partners worked closely with Microsoft to track
and monitor the exploitation of this vulnerability..."

I'm sorry, I feel you should lose the right to call this a zero day when both
you and Microsoft have known not only its existence, but the fact that it's
being actively exploited for _five freaking weeks_. Also, am I the only one
that feels this reads as a sensationalist article? I think the phrase
"weaponized PowerPoint file" was what ended up pegging my meter, but the fact
it's not a worm and barely fits the category of remote code execution helps.

~~~
ColinDabritz
You are right that the usage of the term is confusing in this context. I think
it still communicates two critical aspects: First, this is being exploited
right now in the wild (and was when it was discovered it sounds like). Second,
your Windows machines are almost certainly vulnerable right this moment, and
you should update immediately.

Perhaps they could have phrased it more clearly, but considering that it
sounds like a full exploit on opening a PowerPoint document, some alarm is
appropriate.

I also think it was a little brash to name it "Sandworm" when it is not, as
far as we know, a worm. It certainly has the potential to be used as the key
exploit in a worm though.

------
Mithaldu
I'm a little annoyed that they called it a worm. Malware with that description
meant that the software could spread entirely under its own power from machine
to machine. This is nothing more than your typical email attachment exploit,
which is entirely incapable of spreading without human intervention for each
attacked host.

~~~
ZoF
I think they're calling the described Russian group 'Sandworm', not this
particular CVE.

------
Cakez0r
I think another (real) windows zero day will be announced soon. I received an
email from Rackspace giving advanced notice that they will be patching all
Windows servers to fix a 0day. I'm not sure why they'd take such measures for
an exploit involving opening powerpoint files...

Content of the email, for those interested:
[http://pastebin.com/AZBcQ2DF](http://pastebin.com/AZBcQ2DF)

~~~
sauere
Pretty sure this is about this CVE.

~~~
Cakez0r
But I expect most servers don't have any software on them related to opening
emails or Office files. I would've thought that Rackspace reserves mandatory
server hotfixes for only the most serious vulnerabilities (E.G. shellshock).

~~~
Anderkent
While PPTs are the vector in the wild, it seems the core vulnerability is in
packager.dll, so possibly other ways of abusing it exist.

------
vesinisa
> An attacker can exploit this vulnerability to execute arbitrary code but
> will need a specifically crafted file and use social engineering methods
> (observed in this campaign) to convince a user to open it

So, it's a remote exploit, but requires the user to open a document.

~~~
viraptor
Maybe I'm reading into details too much, but they never said "open". They
said: "specifically when handling Microsoft PowerPoint files". Outlook allows
previews of office files and "handling" may be involved even before the
presentation is actually opened / previewed. It's just speculation though.

~~~
userbinator
It says "to convince a user _to open it_ " in the description. If a preview
was enough to execute, I'd think that is very important point and they'd
definitely mention it - I remember distinctly "previews are sufficient"
mentioned in the WMF exploit when it first came out.

~~~
viraptor
Thanks, I missed that bit!

------
chillax
Seems like isightpartners is down atm.

Here are some more details: [http://www.tripwire.com/state-of-security/incident-detection...](http://www.tripwire.com/state-of-security/incident-detection/microsoft-windows-zero-day-exploit-sandworm-used-in-cyber-espionage-cve-2014-4114/)

------
metafex
This exploit is delivered with a PowerPoint document, so no remote hole. It's
a bit strange that they reference a CVE (for which no information is
available) and just generically describe the campaign and whatnot. The real
report, though, is only available after a registration? That's not really the
way things should be done. If there is a threat, inform people about it and
don't hide all the stuff.

~~~
300bps
To get the real report you have to give them your work email address and work
phone number. The context of why they are asking for that is to make sure
you're qualified to receive the information but you can be darned sure that
list will make its way to the marketing department.

------
BogdanCalin
Technical details (in Russian, use Google Translate):
[http://habrahabr.ru/company/eset/blog/240345/](http://habrahabr.ru/company/eset/blog/240345/)

------
AshleysBrain
Use of the exploit in the wild is "attributed to Russia", but I can't see any
evidence stated to support that other than "Many of the lures observed have
been specific to the Ukrainian conflict with Russia and to broader
geopolitical issues related to Russia." Is there actually good evidence to
point the finger at Russia? It plays quite nicely in to the Western agenda, so
it seems an easy one to play off even if it's rooted only in suspicion.

------
contingencies
Remember the poorly animated Dune2 intro cracking on the 286? "The planet
Arrakis, known as Dune..."
[http://www.youtube.com/watch?v=9-2iIq8AyQc](http://www.youtube.com/watch?v=9-2iIq8AyQc)

------
billyhoffman
Dear security researchers: Please stop taking time to come up with a clever
name and a logo for your vulnerability. This is not a marketing event for you
or your company. You are disclosing a vulnerability, not promoting your fly-
by-night "consulting" company.

Trust me, if the vulnerability is important and has merit, you'll get the
street cred among other security researchers and the potential employers that
would hire you because of the work you did and your skills.

See Mike Lynn's massively bad RCE vuln in Cisco Routers or Dan Kaminsky's huge
DNS vulnerability as examples on disclosing terrible problems with class.

------
odiroot
"Energy Sector firms (specifically in Poland)"

This is really worrying. Especially as Poland is now trying to break from
Russia's energy hegemony.

------
mrmondo
mirror: [http://www.tripwire.com/state-of-security/incident-detection...](http://www.tripwire.com/state-of-security/incident-detection/microsoft-windows-zero-day-exploit-sandworm-used-in-cyber-espionage-cve-2014-4114/)

------
ck2
Is it responsible to announce this the day before all windows systems are
auto-patched?

Why not the 15th?

~~~
pixl97
If it is in the wild then it is most responsible to let firms know _right
now_. Now the administrators can choose if they want to block said files until
the patch is released.

------
novaleaf
TL;DR: Don't open attachments. Didn't we all learn this 15 years ago?

~~~
SixSigma
Obviously I can't confirm if this works but:

> How to embed PowerPoint presentations in your web pages.

> Once you've created the PowerPoint presentation, embedding it on a Web page
> is as easy as saving it to the Web, grabbing the embed code and pasting it
> onto your page - no code required. Visitors to your site will then be able
> to page through the presentation and interact with it directly on your Web
> page, from within the browser and without having to have PowerPoint
> installed.

[http://www.microsoft.com/web/solutions/powerpoint-
embed.aspx](http://www.microsoft.com/web/solutions/powerpoint-embed.aspx)

~~~
ewoodrich
That's Powerpoint "Online" which is just a webapp and doesn't actually use the
Windows version of Powerpoint with the vulnerability.

------
einrealist
I get a white page. (Or is that because I do not use Windows? ;)

~~~
Anderkent
Site's down. cache:
[http://webcache.googleusercontent.com/search?sourceid=chrome...](http://webcache.googleusercontent.com/search?sourceid=chrome-psyapi2&ion=1&ie=UTF-8&q=cache%3Ahttp%3A%2F%2Fwww.isightpartners.com%2F2014%2F10%2Fcve-2014-4114%2F%23&bav=on.2,or.r_cp.r_qf.&ech=1&psi=igU9VPiHOMqoyASBt4DYBw.1413285260412.3&ei=igU9VPiHOMqoyASBt4DYBw&emsg=NCSR&noj=1)

