iSIGHT discovers vulnerability used in Russian cyber-espionage campaign

The article is filled with fluff about iSIGHT and they buried the lead. Here are the high level details they posted:<p>* An exposed dangerous method vulnerability exists in the OLE package manager in Microsoft Windows and Server (Vista SP2 to Windows 8.1, Windows Server versions 2008 and 2012)<p>* When exploited, the vulnerability allows an attacker to remotely execute arbitrary code<p>* The vulnerability exists because Windows allows the OLE packager (packager .dll) to download and execute INF files. In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packagers allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources.<p>* This will cause the referenced files to be downloaded in the case of INF files, to be executed with specific commands * An attacker can exploit this vulnerability to execute arbitrary code but will need a specifically crafted file and use social engineering methods (observed in this campaign) to convince a user to open it<p>TL;DR - A vulnerability exists in INF processing and untrusted, 3rd party INF files can be included by PowerPoint files. <i>This is not a worm.</i><p>Also these little gems:<p>&gt; Further information will be provided in a live briefing to any interested parties on Thursday, October 16th at 2:00...<p>&gt; iSIGHT is making available a broader technical report – inclusive of indicators – through a formal vetting process.<p>Fuck you iSIGHT. This is being used in the wild and a patch has been released. Post the details publicly. This isn&#x27;t responsible disclosure, this is PR and lead gen.

Is it me or is the linked article remarkably content free given the about of security babble it contains? The nice aspect of the Heartbleed branding was its simple and clear message, not having opaque sentences such as &quot;Visibility into this campaign indicates targeting across the following domains&quot; and self serving platitudes such as &quot;As part of our normal cyber threat intelligence operations, iSIGHT Partners is tracking a growing drum beat of cyber espionage activity out of Russia.&quot;<p>edit: The meat of the vulnerability is in the &quot;Working with Microsoft, we discovered the following&quot; section, over halfway down the page.

<i>but will need a specifically crafted file and use social engineering methods (observed in this campaign) to convince a user to open it</i><p>What&#x27;s next, &quot;Zero-day Impacting All Versions of All Operating Systems - allows users to download and execute arbitrary code&quot;? I suppose if you&#x27;re a fan of user-hostile walled-garden trusted-computing models you might consider that a vulnerability, but I think it&#x27;s safe to assume that most people consider the ability to &quot;download and execute arbitrary code&quot; to be a very useful and fundamental feature of an OS.<p><i>from Vista SP2 to Windows 8.1</i><p>I&#x27;m curious if this &quot;vulnerability&quot; also exists in XP.

How does<p>&gt; When exploited, the vulnerability allows an attacker to remotely execute arbitrary code<p>go along with<p>&gt; [...] will need a specifically crafted file and use social engineering methods (observed in this campaign) to convince a user to open it [...]<p>Is this a fucking joke? Looks like some company just want to push their name out there and get some free media exposure.

Can&#x27;t believe they designed a logo especially for this worm (and gave a fancy name). There&#x27;s apparently a marketing campaign in vulnerability discoveries too.

&quot;On Tuesday, October 14, 2014, iSIGHT Partners – in close collaboration with Microsoft – announced the discovery of a zero-day vulnerability...&quot;<p>&quot;Over the past 5 weeks, iSIGHT Partners worked closely with Microsoft to track and monitor the exploitation of this vulnerability...&quot;<p>I&#x27;m sorry, I feel you should lose the right to call this a zero day when both you and Microsoft have known not only its existence, but the fact that it&#x27;s being actively exploited for <i>five freaking weeks</i>. Also, am I the only one that feels this reads as a sensationalist article? I think the phrase &quot;weaponized PowerPoint file&quot; was what ended up pegging my meter, but the fact it&#x27;s not a worm and barely fits the category of remote code execution helps.

I&#x27;m a little annoyed that they called it worm. Malware with the description meant that the software could spread entirely under its own power from machine to machine. This is nothing more than your typical email attachment exploit which is entirely incapable of spreading without human intervention for each attacked host.

I think another (real) windows zero day will be announced soon. I received an email from Rackspace giving advanced notice that they will be patching all Windows servers to fix a 0day. I&#x27;m not sure why they&#x27;d take such measures for an exploit involving opening powerpoint files...<p>Content of the email, for those interested: <a href="http://pastebin.com/AZBcQ2DF" rel="nofollow">http:&#x2F;&#x2F;pastebin.com&#x2F;AZBcQ2DF</a>

&gt; An attacker can exploit this vulnerability to execute arbitrary code but will need a specifically crafted file and use social engineering methods (observed in this campaign) to convince a user to open it<p>So, it&#x27;s a remote exploit, but requires the user to open a document.

Seems like isightpartners is down atm.<p>Here are some more details: <a href="http://www.tripwire.com/state-of-security/incident-detection/microsoft-windows-zero-day-exploit-sandworm-used-in-cyber-espionage-cve-2014-4114/" rel="nofollow">http:&#x2F;&#x2F;www.tripwire.com&#x2F;state-of-security&#x2F;incident-detection...</a>

This exploit is delivered with a PowerPoint document, so no remote hole. It&#x27;s a bit strange, that the reference a CVE (for which no information is available) and just generically describe the campaign and whatnot. The real report though is only available after a registration? That&#x27;s not really the way things should be done. If there is a threat, inform people about it and don&#x27;t hide all the stuff.

Technical details (in russian, use Google Translate): <a href="http://habrahabr.ru/company/eset/blog/240345/" rel="nofollow">http:&#x2F;&#x2F;habrahabr.ru&#x2F;company&#x2F;eset&#x2F;blog&#x2F;240345&#x2F;</a>

Use of the exploit in the wild is &quot;attributed to Russia&quot;, but I can&#x27;t see any evidence stated to support that other than &quot;Many of the lures observed have been specific to the Ukrainian conflict with Russia and to broader geopolitical issues related to Russia.&quot; Is there actually good evidence to point the finger at Russia? It plays quite nicely in to the Western agenda, so it seems an easy one to play off even if it&#x27;s rooted only in suspicion.

Remember the poorly animated Dune2 intro cracking on the 286? &quot;The planet Arrakis, known as Dune...&quot; <a href="http://www.youtube.com/watch?v=9-2iIq8AyQc" rel="nofollow">http:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=9-2iIq8AyQc</a>

Dear security researchers: Please stop taking time to come up with a clever name and a logo for your vulnerability. This is not a marketing event for you or your company. You are disclosing a vulnerability, not promoting your fly-by-night &quot;consulting&quot; company.<p>Trust me, if the vulnerability is important and has merit, you&#x27;ll get the street cred among other security researchers and the potential employers that would hire you because of the work you did and your skills.<p>See Mike Lynn&#x27;s massively bad RCE vuln in Cisco Routers or Dan Kaminsky&#x27;s huge DNS vulnerability as examples on disclosing terrible problems with class.

&quot;Energy Sector firms (specifically in Poland)&quot;<p>This is really worrying. Especially that Poland now tries to break from Russia&#x27;s energy hegemony.

mirror: <a href="http://www.tripwire.com/state-of-security/incident-detection/microsoft-windows-zero-day-exploit-sandworm-used-in-cyber-espionage-cve-2014-4114/" rel="nofollow">http:&#x2F;&#x2F;www.tripwire.com&#x2F;state-of-security&#x2F;incident-detection...</a>

Is it responsible to announce this the day before all windows systems are auto-patched?<p>Why not the 15th?

TL;DR: Don&#x27;t open attachments. Didn&#x27;t we all learn this 15 years ago?

I get a white page. (Or is that because I do not use Windows? ;)