On Tuesday, October 14th, 2014, a new vulnerability was disclosed in Microsoft Windows, affecting all supported versions from Windows Vista Service Pack 2 through Windows 8.1. According to the security firm iSIGHT, the vulnerability has been exploited by a cyberespionage group known as Sandworm to deliver malware to targeted organizations. Known targets include NATO, Ukrainian government organizations, Western European government organizations, Polish energy sector firms, European telecommunications firms, and United States academic organizations.
Currently the attackers are sending PowerPoint files that exploit the flaw as attachments in phishing emails. Because the vulnerable component is shared across Microsoft Office, the same technique could appear in other types of Office documents, so users should be wary of any Office attachment from an unknown sender.
Symantec rates this vulnerability as critical because it lets an attacker run code on the affected computer as soon as the user opens a crafted file. Since two different payloads have been observed, it is possible that a second group besides Sandworm is using the vulnerability. Symantec has also identified two PowerPoint documents written in Chinese that contain this exploit.
How Attackers Get Into Your System
The vulnerability lies within Microsoft's Object Linking and Embedding (OLE) technology. OLE lets a document link to or embed objects such as images, charts and graphs created by another application, so content produced in one editing application can be placed inside a document edited in another.
To exploit the bug, Sandworm has relied on phishing emails and social engineering to get a victim to open a malicious PowerPoint file. Once the file is opened, malware is downloaded onto the computer without any further action from the user. The malware opens a "back door" that lets the attackers connect to the machine, load additional malware and steal data.
Stay Protected
- Install Microsoft's security update for this vulnerability as soon as it is available for your version of Windows; until then, apply the workaround described below.
- Make sure your security software is up to date.
- Always be cautious about emails from unknown senders, especially when containing attachments or URLs. For more information about phishing scams, read our article about how to protect yourself from phishing scams.
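The following PowerShell script is an added example, not part of the original article or any Symantec tool. It checks two of the items above on a Windows host: whether UAC is enabled (via the documented `EnableLUA` registry value) and whether any Windows updates have been installed since the disclosure date. The article does not state the update's KB number, so the script lists updates installed on or after October 14th, 2014, for the administrator to compare against Microsoft's bulletin rather than searching for a specific KB; the date threshold is an assumption you should adjust as needed.

```powershell
# Added example: check UAC status and recently installed Windows updates.
# Assumptions: EnableLUA under the Policies\System key reflects UAC (documented
# by Microsoft); the threshold date is the disclosure date, not a specific KB.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = (Get-ItemProperty -Path $policyKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA

if ($uac -eq 1) {
    Write-Output 'UAC: enabled'
} else {
    Write-Warning 'UAC is DISABLED; enable it (EnableLUA = 1) and reboot'
}

# Updates installed since the disclosure date (assumed threshold).
$since = Get-Date '2014-10-14'
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $since } |
    Sort-Object InstalledOn

if ($recent) {
    Write-Output "Windows updates installed since $($since.ToShortDateString()):"
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    Write-Warning "No Windows updates installed since $($since.ToShortDateString()); run Windows Update"
}
```

Run it from an elevated PowerShell prompt. A host that shows UAC disabled or no updates since the disclosure date should be patched, and the workaround applied, before any Office attachments from outside sources are opened on it.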
Am I Protected By Norton?
Norton and Symantec customers are protected against the malware being used in attacks exploiting this vulnerability.
All Norton security products (including Norton Antivirus, Norton Internet Security, Norton 360 and the new Norton Security) incorporate multiple layers of defense against malicious software, including technologies that help monitor and defend against malicious threats and activity targeted at your computer.
If you are not already a Norton customer, consider taking Norton for a test drive.
Microsoft has published an "OLE packager Shim Workaround", delivered as a Microsoft Fix it solution, that blocks the technique used to exploit this vulnerability. If a patch is not yet available for your system, apply this workaround in the meantime. In addition to exercising caution when opening PowerPoint files or other files from untrusted sources, users should make sure User Account Control (UAC) is enabled, since it can prompt the user before the downloaded malware is allowed to run with full privileges.