Researchers from the security firm iSight have announced their discovery of a new zero-day exploit, Sandworm, that had “wormed” its way into the networks of several major government organizations, including NATO and Ukrainian institutions.
Because of the specific nature of the targets listed, iSight was quick to pick up a trail on the culprits, all of whom were located in various major cities of Russia, and are believed to be working independently of the government despite their clear political motivations.
iSight has been monitoring a specific group of infiltrators they’ve dubbed the “Sandworm Team” since late 2013, closely tracking their movements in order to gain a greater understanding of their motivations and what makes a group like theirs tick.
Their most recent endeavors, an attack on both NATO and the Ukrainian government, coincided with NATO’s summit held in Wales this August to discuss what the world community was to do about the conflict-torn state.
According to Gavin Millard from Tenable Network Security, Sandworm could present a huge threat not only to NATO itself, but to major corporate networks all around the globe.
“While the technical detail of the Sandworm vulnerability has thankfully been held back until the patch was ready from Microsoft, if the descriptions of the bug are accurate it could be a major attack vector for hackers to infiltrate corporate systems for further exploitation and exfiltration of confidential information.
When zero-day exploits associated with common file formats are exposed, malware to take advantage of it quickly follows.”
What should be even more concerning than the existence of the zero-day itself is the amount of time it took for the major institutions that were hit to detect that anything was wrong.
These are storied institutions of government with plenty of secrets to keep close to their chest, and if a ragtag group of Russians can so easily penetrate their first, second, and third lines of defense, one can only imagine what state-backed teams could be capable of if they really put their minds and resources to the task.
“What’s most interesting with Sandworm is not the attack vector itself but the lack of detection of subsequent indicators of compromise in the organizations allegedly affected by it.
The need to continuously monitor the environment to detect malicious activities and indicators of misuse is paramount to defend against this or any other zero-day exploit.”
For now the most vulnerable systems are those running Windows Server 2008 and 2012, though because the architectures of these two operating systems so closely mirror others, it is suspected that the same hole would need only slight tweaks to run rampant on a variety of other networks and machines.
iSight hasn’t released any technical details of the attack, instead opting to wait until Microsoft has had more time to track the vector of entry and patch its systems accordingly.
iSight will be handing out fix-it kits on a very limited basis, and only to requesters who can prove who they are, in order to prevent the information from falling into the wrong hands.