The cyber warfare landscape in Ukraine has been witnessing a significant surge in attacks, particularly targeting military personnel and critical infrastructure. Recently, cybersecurity researchers uncovered an operation that leveraged a nearly seven-year-old flaw in Microsoft Office, specifically a PowerPoint slideshow file named “signal-2023-12-20-160512.ppsx.” Although it appears to be associated with the Signal messaging app, there is no concrete evidence supporting this distribution method.
The Attack Mechanism: Old Flaws and New Tricks
The attack involves a severe exploit, CVE-2017-8570, a remote code execution vulnerability in Office with a CVSS score of 7.8. The attackers entice victims to open a PowerPoint file that masquerades as an old U.S. Army manual on mine-clearing blades for tanks. Upon opening, the file initiates a remote relationship to an external OLE object, which triggers the downloading of a heavily obfuscated script. This script, in turn, launches an HTML file containing JavaScript that establishes persistence on the system through Windows Registry modifications and drops a payload disguised as the Cisco AnyConnect VPN client.
This payload includes a dynamic-link library (DLL) that injects a cracked version of Cobalt Strike Beacon into the system memory. Cobalt Strike is a legitimate penetration testing tool often repurposed by attackers. The DLL checks for virtual machine environments to evade detection and connects to a command-and-control server, which uses domains disguised as a generative art site and a popular photography site to mislead victims.
Increasing Use of Messaging and Dating Platforms for Attacks
Adding to the complexity, the Computer Emergency Response Team of Ukraine (CERT-UA) disclosed that Ukrainian armed forces are being increasingly targeted through messaging and dating platforms. These platforms serve as conduits for various malware strains like HijackLoader, XWorm, and Remcos RAT, alongside open-source tools for data exfiltration.
The Prolific Sandworm and UAC-0133 Groups
In parallel, CERT-UA exposed activities by a Russian state-sponsored group, UAC-0133, also known as Sandworm. Sandworm has been targeting about 20 energy, water, and heating suppliers with destructive malware aimed at sabotaging operations. This group, identified as part of the GRU’s Unit 74455, uses a combination of malware including the Linux variant BIASBOAT and a Golang-based SOCKS5 proxy named GOSSIPFLOW, illustrating their adaptability and determination to disrupt Ukrainian state functions.
Analysis and Implications
The usage of old vulnerabilities alongside novel social engineering tactics via popular communication platforms marks a concerning evolution in cyber threats. These strategies underscore the increasing sophistication and adaptability of threat actors, especially in the context of geopolitical tensions. The implications are profound, affecting national security, infrastructure resilience, and the broader cybersecurity landscape.
As cyber threats grow more complex and intertwined with geopolitical maneuvers, the international community must enhance collaborative efforts to bolster cybersecurity measures and share critical threat intelligence. It’s not just about defending against known vulnerabilities but also about anticipating new methods of attack and reinforcing human elements of cybersecurity.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
https://www.netizen.net/contact
