Sandworm Patch Bypassed; ICS Targeted

Thursday, October 23, 2014 @ 05:10 PM gHale

It is one thing to patch a vulnerability, but to then have the bad guys bypass the patch is quite another. That is exactly what appears to be happening with the Sandworm vulnerability, researchers said.

On top of that, attackers leveraging the Sandworm vulnerability are targeting industrial control systems (ICS), WinCC, Siemens HMI and SCADA software, researchers said.


The Sandworm patch (MS14-060, for CVE-2014-4114) went out on the October 14 Patch Tuesday, but attackers found a way around it through a second, closely related OLE flaw that the patch does not cover, and are continuing their targeted attacks with it.

“As with Sandworm, these attacks once again used infected PowerPoint documents, sent as email attachments, as the means of infection,” Symantec said in a blog post. “The attacks are being used to deliver at least two different payloads to victims, Trojan.Taidoor and Backdoor.Darkmoon (also known as Poison Ivy).”

Taidoor is linked to a cyber espionage group with a track record of exploiting zero-day vulnerabilities; in this campaign it targeted Taiwanese government agencies and an educational institute.

Darkmoon is a widely used backdoor, but the variant delivered here was built before the first Sandworm attacks were spotted, leading researchers to believe the attackers had access to the vulnerability before the October 14 patch.

“While the original vulnerability (CVE-2014-4114) involved embedded OLE files linking to external files, the newer vulnerability (CVE-2014-6352) relates to OLE files that have the executable payloads embedded within them,” they said.

There is still no patch for this second vulnerability, CVE-2014-6352, but Microsoft has published a Fix It and workarounds that block the known attack vectors. Microsoft also advises users not to open PowerPoint files, or any other Office files, received or downloaded from untrusted sources. The vulnerability affects all supported Windows versions except Windows Server 2003.

“In this new attack, the malicious .EXE and .INF files are already embedded into the OLE object, rather than downloading the malware in a remote location. One advantage of this approach is that it will not require the computer to connect to the download location, thus preventing any detection from the Network Intrusion Prevention System (NIPS),” Trend Micro threats analyst Ronnie Giagone said in a blog post.
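The two OLE shapes described above, an external link to a remote object (CVE-2014-4114) and an executable payload carried inside the embedded object (CVE-2014-6352), can both be triaged directly from a .pptx, since the file is a zip of XML and binary parts. The script below is an added Python example, not tooling from Symantec, Trend Micro or Microsoft. The sample document it builds is constructed in memory for the demonstration, the 192.0.2.10 address in it is a placeholder, and the payload markers are heuristics (string matches on the embedded object, not a full OLE compound-file parse).

```python
"""Triage a .pptx for abusive OLE relationships and embedded executable payloads."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Relationship type OOXML uses for OLE objects (ECMA-376 package relationships).
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# OLE2 compound-file signature; parts under ppt/embeddings/ are stored in this container.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Heuristic payload indicators (assumption: a packaged .EXE keeps its DOS stub text,
# an .INF starts with a [Version] section, and the Packager object records the original
# file name). These are signature strings, not a parse of the Ole10Native stream.
PAYLOAD_MARKERS = [
    (re.compile(rb"MZ.{0,200}?This program cannot be run in DOS mode", re.S), "PE executable"),
    (re.compile(rb"\[Version\]\s*\r?\n\s*Signature\s*=", re.I), "INF file"),
    (re.compile(rb"\.(?:exe|inf|scr|com)(?:\x00|\s)", re.I), "file name with executable extension"),
]


def scan_embedded_object(blob: bytes) -> list:
    """Return the payload indicators found in one embedded OLE object (empty if none)."""
    if not blob.startswith(CFB_MAGIC):
        return []
    return [label for pattern, label in PAYLOAD_MARKERS if pattern.search(blob)]


def scan_pptx(data: bytes) -> dict:
    """Walk the package and report both patterns: external OLE links and embedded payloads."""
    findings = {"external_ole_links": [], "embedded_payloads": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.startswith("ppt/slides/_rels/") and name.endswith(".rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter(RELS_NS + "Relationship"):
                    # CVE-2014-4114 shape: the OLE object lives outside the document.
                    if rel.get("Type") == OLE_REL_TYPE and rel.get("TargetMode") == "External":
                        findings["external_ole_links"].append((name, rel.get("Target")))
            elif name.startswith("ppt/embeddings/"):
                # CVE-2014-6352 shape: the payload is inside the embedded object itself.
                hits = scan_embedded_object(z.read(name))
                if hits:
                    findings["embedded_payloads"].append((name, hits))
    return findings


def build_sample_pptx() -> bytes:
    """Constructed sample (not a real malicious document): one slide with an external OLE
    link and one embedded object carrying a fake PE stub, plus a benign embedded object."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
        'Target="file:///\\\\192.0.2.10\\public\\slide1.gif" TargetMode="External"/>'
        f'<Relationship Id="rId3" Type="{OLE_REL_TYPE}" Target="../embeddings/oleObject1.bin"/>'
        "</Relationships>"
    )
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 32
    embedded = CFB_MAGIC + b"\x00" * 504 + b"slide1.exe\x00" + fake_pe  # 512-byte header, then stream data
    benign = CFB_MAGIC + b"\x00" * 504 + b"Equation Native" + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("ppt/slides/slide1.xml",
                   '<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"/>')
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        z.writestr("ppt/embeddings/oleObject1.bin", embedded)
        z.writestr("ppt/embeddings/oleObject2.bin", benign)
    return buf.getvalue()


if __name__ == "__main__":
    for category, items in scan_pptx(build_sample_pptx()).items():
        for item in items:
            print(category, item)
```

Run it on a real file by replacing build_sample_pptx() with the bytes of the document under review. Because a compound file stores streams in 512-byte sectors that need not be contiguous, the string markers can miss a fragmented payload; for anything beyond first-pass triage, extract the Ole10Native stream with a real OLE parser such as oletools' oleobj and inspect the carried file directly.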

He also said an older Microsoft patch from 2012 (MS12-005, which added a warning dialog before a packaged executable embedded in an Office document is run) could keep the attacks from succeeding. “The presence of this specific patch alone can deter attacks as the message can alert recipients into the suspicious nature of the file before opening said malicious file.”

Trend Micro and iSight Partners have also been monitoring the activities of the Sandworm team, and said the attackers are targeting industrial control systems (ICS), WinCC, Siemens HMI and SCADA software.
